Looking at a typical vulnerability scan report from Nessus or Qualys, most people are terrified, lost, and basically left with more questions than answers. For example, how on earth am I going to deal with all these findings? From what I was taught, a vulnerability management process can be broken down into 4 steps (not mentioning its close relation to patch, change and risk management):
- Identifying vulnerabilities
- Evaluating vulnerabilities
- Treating vulnerabilities
- Reporting vulnerabilities
Vulnerability scanner scoring/risk rating and how it matches your org
The scanner provides its own risk ratings and scores such as CVSS, and I guess these are somewhat helpful in telling orgs which vulns require immediate attention, but do they really reflect the true risk? I mean, a vulnerability can depend on other factors beyond the mentioned scores, and vulnerability scanners do not have the intelligence to tell whether a finding is a true or false positive (to a certain extent, e.g. issues with backported patches), whether there are any security controls that would reduce the likelihood and/or impact of the vulnerability being exploited, how it would impact the confidentiality, integrity and availability of the exploited system and data, how it would impact your business, what your org's risk management strategy is, and many others.
So I guess that vulnerability scanners, like any other security-related software, are not perfect, but still, they provide us with a large amount of information (sometimes valid, sometimes not) and here’s where we as human beings take over to produce something more meaningful that will aim to increase an org’s security posture and lower its risk exposure. I guess that’s step 2 in the process, vulnerability evaluations.
While exploring the topic, I hear voices like “your vulnerability management needs to be risk-driven, so that you make informed decisions” or “your vulnerability management needs to be threat-intelligence-driven, to learn and predict how an adversary might strike”.
How to evaluate, prioritize, remediate?
So what I’m looking for is maybe not a recipe but direction or guidance from experienced members on how to:
- not waste unnecessary time on findings that are false positives anyway (e.g. backports). Should the first step be verifying whether a finding is a false positive or not?
- select the correct ones to address first (I'm looking here for suggestions on whether vulnerabilities should first be grouped based on their nature, e.g. injection vulnerabilities, or on any other criteria. What I know is that it's generally recommended to export or filter scanning results by plugin ID instead of IPs, so that we will have only a few hundred vulnerability groups with x amount of systems in each group. I'm aware of the CVSS scoring system, so could, or perhaps should, I use it to conduct a more accurate assessment based on my org/environment?)
I really would like to avoid a situation where I'm only the guy who bothers others with calls and emails asking whether given vulns have been addressed, but would rather make an impact on the security posture of the organization where I'm currently working. Other than that, I could possibly go through the list of all the findings and provide information in the form of advisories on how to verify and patch a given vulnerability, but in some cases my ability is limited, I guess, meaning I don't know all the details about a given system, so just providing a recommendation to upgrade to the latest PHP version where a number of functions were deprecated is not going to help the concerned system owners.
PS. If there are any books one could recommend, I would greatly appreciate it!
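As an added illustration of the two points the question raises, grouping scan results by plugin ID rather than by IP and adjusting the scanner's CVSS with org-specific context, here is a small Python script. It is example code written for this page, not from the post, from Nessus or from any answer. Everything in it is assumed: the column layout of the CSV export (a real Nessus export has more columns; only these are read), the constructed sample rows with placeholder CVE IDs, the hypothetical asset inventory, the weighting scheme, and the "version check" heuristic used to queue banner-based findings for false-positive verification first.

```python
import csv
import io

# Constructed sample in the assumed column layout of a Nessus CSV export.
# CVE IDs are placeholders, not real identifiers.
SAMPLE_EXPORT = """Plugin ID,CVE,CVSS,Risk,Host,Port,Name,Solution
10000,CVE-0000-0001,9.8,Critical,10.0.0.5,443,Example Web App Remote Code Execution,Upgrade example-web
10000,CVE-0000-0001,9.8,Critical,10.0.0.6,443,Example Web App Remote Code Execution,Upgrade example-web
10000,CVE-0000-0001,9.8,Critical,10.0.0.7,443,Example Web App Remote Code Execution,Upgrade example-web
20000,CVE-0000-0002,7.5,High,10.0.0.5,22,Example SSH < 9.0 Multiple Vulnerabilities (version check),Upgrade SSH
20000,CVE-0000-0002,7.5,High,10.0.0.9,22,Example SSH < 9.0 Multiple Vulnerabilities (version check),Upgrade SSH
30000,,5.3,Medium,10.0.0.9,80,HTTP TRACE Method Enabled,Disable the TRACE method
"""

# Hypothetical asset inventory: business criticality (1-3) and whether the
# host is reachable from the internet. In practice this comes from a CMDB.
ASSETS = {
    "10.0.0.5": {"criticality": 3, "internet_facing": True},
    "10.0.0.6": {"criticality": 2, "internet_facing": False},
    "10.0.0.7": {"criticality": 1, "internet_facing": False},
    "10.0.0.9": {"criticality": 1, "internet_facing": False},
}

# Heuristic (assumption): findings that rest on a banner/version check are the
# ones most often invalidated by distro backports, so verify them before chasing.
VERSION_CHECK_MARKERS = ("version check", "banner")


def parse_export(text):
    """Read the CSV export into a list of finding dicts with numeric CVSS."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["CVSS"] = float(row["CVSS"]) if row["CVSS"] else 0.0
    return rows


def group_by_plugin(findings):
    """Pivot per-host rows into one group per plugin ID with the set of hosts."""
    groups = {}
    for f in findings:
        g = groups.setdefault(f["Plugin ID"], {
            "plugin_id": f["Plugin ID"], "name": f["Name"], "cvss": f["CVSS"],
            "risk": f["Risk"], "solution": f["Solution"], "hosts": set(),
        })
        g["hosts"].add(f["Host"])
    return groups


def priority_score(group, assets):
    """Scale the scanner's CVSS by the most exposed affected host.

    Criticality 1-3 maps to weight 1.0/1.5/2.0; a host that is not internet
    facing has its weight halved as a stand-in for a compensating network
    control. Hosts missing from the inventory get the conservative default.
    """
    best = 0.0
    for host in group["hosts"]:
        a = assets.get(host, {"criticality": 3, "internet_facing": True})
        weight = 1.0 + 0.5 * (a["criticality"] - 1)
        if not a["internet_facing"]:
            weight *= 0.5
        best = max(best, weight)
    return round(group["cvss"] * best, 2)


def needs_verification(group):
    """True when the detection looks version-based and may be a backport false positive."""
    return any(m in group["name"].lower() for m in VERSION_CHECK_MARKERS)


def build_worklist(text, assets):
    """Return plugin groups ordered by adjusted priority, then by host count."""
    work = []
    for g in group_by_plugin(parse_export(text)).values():
        work.append({
            "plugin_id": g["plugin_id"], "name": g["name"],
            "host_count": len(g["hosts"]), "cvss": g["cvss"],
            "priority": priority_score(g, assets),
            "verify_first": needs_verification(g), "solution": g["solution"],
        })
    work.sort(key=lambda w: (-w["priority"], -w["host_count"]))
    return work


if __name__ == "__main__":
    for item in build_worklist(SAMPLE_EXPORT, ASSETS):
        flag = "  [verify first: version-based detection]" if item["verify_first"] else ""
        print(f'{item["priority"]:>6}  plugin {item["plugin_id"]}  '
              f'{item["host_count"]} host(s)  {item["name"]}{flag}')
```

The output is one line per plugin rather than one per host, so a few hundred groups replace thousands of rows, and each group already carries the scanner's suggested solution for the advisory. The weights are deliberately simple; the point is that the same CVSS 7.5 finding ranks differently on an internet-facing critical host than on an isolated test box, which is the context the scanner cannot know on its own.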