What do almost all criminal hacking incidents have in common?

Software vulnerabilities!

That is not rocket science; we all know it. Yet our vulnerability management programs still struggle. Why?

In this article I cover 10 questions a CISO needs to ask to know whether the vulnerability management program is actually working.



1. Are you getting overwhelmed by the number of vulnerabilities?

There are 76,206 known vulnerabilities as of today, of which 2,712 were added in 2016 alone. That works out to about 18 new vulnerabilities a day, weekends included.

There are many reasons why vulnerabilities keep increasing, and will continue to be critical for information security.

  • As new technologies are introduced via mobile computing, virtualization and cloud, the number of vulnerabilities continues to rise and they become more widespread.
  • With cloud computing, governance becomes harder because the organization shares responsibility with the cloud provider; you cannot scan or patch the layers the provider operates.
  • Third-party security is another issue, since every supplier with access widens the attack surface. The classic example is Target's 2013 breach: Fazio Mechanical, an HVAC contractor working with Target, was breached first, and the stolen credentials were then used to get into Target's network. (Source: KrebsOnSecurity)


2. Do zero-days feel like a "heads I win, tails you lose" game?

A zero-day is a vulnerability that is exploited before a fix exists. Such attacks are rarely discovered right away: it takes 8 months on average to detect zero-day exploitation (source: FireEye).

Coincidentally, it takes organizations 103 days on average to remediate vulnerabilities that do have a fix (source: NopSec).

  • Many organizations have little detection capability inside their LANs/VLANs, so lateral movement goes unseen, and no controls that stop data leaving the environment (TLS inspection of outbound traffic, data loss prevention, etc.).
  • Traditional defenses rely on malware signatures or URL reputation, which identify only known threats; a zero-day exploit is, by definition, not yet on those lists.



3. Do you feel CVSS is not helping because it misses too much?

Not surprisingly, researchers have found that CVSS scores focus on potential impact and say little about actual risk, such as whether an exploit exists and how widely it is being used. Prioritizing on CVSS alone therefore over-weights unlikely, high-impact scenarios, and vulnerability management teams waste time and money remediating issues that are not high-risk. (source: University of Trento)

  • Applying analytics to CVSS scores can help organizations identify the least and most vulnerable departments. CVSS is useful as a severity input, but analytics solutions can combine it with other sources that add context to each vulnerability: threat intelligence feeds and vendors, IDS/IPS alerts, behavioral monitoring, incident management records, and asset criticality.
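The following is an added example, not code from the article, of what "adding context to CVSS" looks like in practice: each finding's CVSS base score is scaled by whether the CVE is on a known-exploited list, whether the host is internet-exposed, and how critical the asset is. The multipliers, the stand-in threat-intel list, the placeholder CVE IDs and the sample findings are all assumptions chosen for illustration.

```python
"""Re-rank scanner findings by risk instead of raw CVSS severity.

Added example, not code from the article. The weights, the stand-in
threat-intel list and the sample findings below are assumptions chosen to
illustrate the idea; a real program would feed them from its own intel
feeds, CMDB and scanner exports.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed stand-in for a threat-intel feed of CVEs exploited in the wild.
# The CVE IDs are placeholders, not real entries.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Assumed multipliers (illustrative, not from any standard). A finding with no
# known exploit, on an internal, low-value host, is heavily discounted.
EXPLOIT_WEIGHT = {True: 1.0, False: 0.4}
EXPOSURE_WEIGHT = {True: 1.0, False: 0.6}
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss_base: float          # base score as reported by the scanner
    asset_criticality: str    # from the CMDB/ITAM: critical, high, medium, low
    internet_exposed: bool    # from the firewall/NAT inventory


def risk_score(f: Finding) -> float:
    """CVSS severity scaled by exploit likelihood and business context."""
    if f.asset_criticality not in CRITICALITY_WEIGHT:
        raise ValueError(f"unknown criticality {f.asset_criticality!r} on {f.host}")
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS out of range for {f.cve} on {f.host}")
    exploited = f.cve in KNOWN_EXPLOITED
    return round(
        f.cvss_base
        * EXPLOIT_WEIGHT[exploited]
        * EXPOSURE_WEIGHT[f.internet_exposed]
        * CRITICALITY_WEIGHT[f.asset_criticality],
        2,
    )


def prioritize(findings: Iterable[Finding]) -> List[Tuple[Finding, float]]:
    """Findings ordered by contextual risk, highest first."""
    scored = [(f, risk_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def by_cvss_only(findings: Iterable[Finding]) -> List[Finding]:
    """The naive ordering most scanner reports give you, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("db01", "CVE-0000-0001", 7.5, "critical", False),
    Finding("lab-vm7", "CVE-0000-0002", 9.8, "low", False),
    Finding("web01", "CVE-0000-0003", 6.5, "high", True),
    Finding("web01", "CVE-0000-0004", 10.0, "high", True),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.cve for f in by_cvss_only(SAMPLE_FINDINGS)])
    for f, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.2f}  {f.host:8} {f.cve}  cvss={f.cvss_base}")
```

On the sample data the CVSS-only view puts the 10.0 and 9.8 findings on top, while the contextual ranking puts the exploited 6.5 on an internet-facing host first and pushes the 9.8 on an internal lab VM to the bottom. The exact weights matter less than the discipline of making them explicit and sourcing the inputs from systems you already have.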



4. Do you have to scan to know whether your assets are vulnerable, and still feel there are blind spots?

62% of survey respondents reported using scanners to determine risk levels and prioritize patches, yet only 51% are satisfied with their scanning capability and the information it produces (source: Skybox Security).

  • Vulnerability scanners often don't have access to the entire network (whole segments may never be reached), and any change to firewall rules can silently cut the scanner off from segments it used to cover.
  • Asset scanning is good, but scanners run either authenticated or unauthenticated: an unauthenticated scan sees only the services exposed on the network, while an authenticated (credentialed) scan can enumerate installed software and missing patches. Scanning also depends on the IT asset management database (ITAM), which is often incomplete or out of date, creating further blind spots.
  • The output of vulnerability scanning can overwhelm a less mature organization. It is important to have asset owners clearly identified, and to be able to recognize the false positives that would otherwise obscure the overall picture.
  • Vulnerability assessments should go beyond scanning; they should include thorough asset classification and reviews to remove blind spots.
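One concrete way to surface the blind spots listed above is to reconcile three views of the estate: what the ITAM says you own, what is actually seen on the network (DHCP leases, flow logs), and what the scanner has covered, credentialed or not. The script below is an added example, not the article's own material; its inventory, observed-host list and scan records are constructed sample data.

```python
"""Find scan blind spots by reconciling three views of the estate: the
asset inventory, hosts seen passively on the network, and scanner records.

Added example, not code from the article. The inventory, the observed-host
list and the scan records are constructed; in practice they come from the
ITAM/CMDB, DHCP or flow logs, and the scanner's own export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ScanRecord:
    host: str
    authenticated: bool   # credentialed scan (sees installed packages) vs network-only
    scanned_on: date


def coverage_report(inventory: Set[str], observed: Set[str],
                    scans: Iterable[ScanRecord], today: date,
                    max_age_days: int = 30) -> Dict[str, List[str]]:
    latest: Dict[str, ScanRecord] = {}
    credentialed: Set[str] = set()
    for s in scans:
        if s.host not in latest or s.scanned_on > latest[s.host].scanned_on:
            latest[s.host] = s
        if s.authenticated:
            credentialed.add(s.host)
    scanned = set(latest)
    return {
        # Inventoried hosts the scanner has never reached: firewall rules or
        # unreachable segments are the usual cause.
        "never_scanned": sorted(inventory - scanned),
        # Hosts on the wire that the ITAM does not know about, so nobody owns them.
        "not_in_inventory": sorted(observed - inventory),
        # Only exposed services were checked, so missing patches stay invisible.
        "unauthenticated_only": sorted(scanned - credentialed),
        # Scanned once, but not recently enough to trust the result.
        "stale": sorted(h for h, s in latest.items()
                        if (today - s.scanned_on).days > max_age_days),
    }


# Constructed sample data.
INVENTORY = {"web01", "db01", "app02", "hr-fs01"}
OBSERVED = {"web01", "db01", "app02", "hr-fs01", "lab-vm7"}
SCANS = [
    ScanRecord("web01", True, date(2016, 5, 20)),
    ScanRecord("web01", False, date(2016, 5, 20)),
    ScanRecord("db01", False, date(2016, 5, 20)),
    ScanRecord("app02", True, date(2016, 3, 1)),
    ScanRecord("lab-vm7", False, date(2016, 5, 21)),
]
REPORT_DATE = date(2016, 5, 25)


def sample_report() -> Dict[str, List[str]]:
    return coverage_report(INVENTORY, OBSERVED, SCANS, REPORT_DATE)


if __name__ == "__main__":
    for gap, hosts in sample_report().items():
        print(f"{gap:22} {', '.join(hosts) or '-'}")
```

Each list maps to an action for a named owner: open the firewall path or add the segment for never-scanned hosts, register or decommission unknown hosts, fix credentials for unauthenticated-only ones, and re-queue stale ones. Run it after every scan cycle, not once.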



5. Do you wish you knew whether you tend to fall for specific types of exploits?

Historical data can help organizations create a minimum security baseline configuration standard for systems, devices and applications. Having this baseline ensures an organization-wide minimum level of security.

  • Many organizations simply go through the motions of vulnerability management and never report on or review organizational trends.
  • Analytics over past findings and their metadata can show whether the organization is more prone to specific types of exploits (e.g. vulnerabilities in network security devices, or vulnerabilities in custom applications because they were never penetration tested).
  • Having historical data lets organizations move from a reactive stance to a proactive one, better preventing future exploitation. (source: BeyondTrust)



6. Do you feel patching is a long, drawn-out process, and do you often miss the urgency?

According to a survey, 46% of respondents reported that their patch management process was only partially implemented, and another 12% reported having no patch management process at all (source: Trustwave).

  • Many organizations have asset criticality defined (based on required uptime, information classification, etc.), but do not use it to prioritize patching. Highly critical assets need an urgent patch process, driven by the potential impact of exploitation and the severity of the issue the patch fixes. (source: Gartner)
  • Patches take time to be developed and released; how do you mitigate the risk to affected assets in the meantime? Options include tighter access management for the system or application (a "zero trust" model that keeps outsiders from reaching the vulnerable component) and compensating controls, a concept borrowed from PCI DSS, that cover the gap during a long patch cycle: removing network access, hardening configurations, and so on. (source: Gartner)


7. Do you wish you could wish away old vulnerabilities and focus on newer, fancier ones?

According to the 2015 DBIR, 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published.

(read more in our earlier article - Time to Re-think Vulnerability Management? These 5 Facts Say So...)

  • After a vulnerability is discovered, remediation is often drawn out longer than it should be by the handoff to resolver and operations teams. (source: Forrester)
  • With that delay, many vulnerabilities are forgotten and left unremediated. Attackers do keep developing new methods, but an old, unpatched vulnerability remains the easiest way in.


8. Do you struggle to create the right reviews and reports for the right stakeholders?

  • Most organizations run several different scanners, but lack a way to consolidate their output into one common view of vulnerabilities. The result is a disconnect over how vulnerabilities and asset criticality should be prioritized.
  • Reporting on metrics (number of vulnerabilities, exploitations, remediations, average time to patch, etc.) gives every party in the organization insight and creates a common view of priorities and goals. (source: SecureState)
  • Many companies use a multitude of scanners in parallel to get views into their environment: database scanners, web application scanners, SAP scanners and traditional network vulnerability scanners. A large number of scanners creates confusion among the different IT security groups, since each cannot see what specifically applies to them, and nobody has a macro view of vulnerability management across the organization. (source: Forrester)
  • 63% of respondents to the Skybox survey use two or more scanners in their environment. Respondents covered all types of roles, including CISOs, network operations, risk managers and security operations analysts. Only 44% were satisfied with the analysis side of scanning, including reporting and data visualization. Generally, the higher up a respondent was (a Director or CISO versus an analyst), the less satisfied they were with the tools, possibly because the information presented was too detailed and not actionable at their level. (source: Skybox)
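The consolidation problem in question 8 and the backlog-age point in question 7 share one fix: normalize every scanner's export into a common record, merge duplicates per host and CVE, and compute the metrics from the merged set. The script below is an added example, not the article's own material. Both scanner row formats, the CVE publication dates (a stand-in for an NVD lookup) and the remediation dates are constructed, and the CVE IDs are placeholders.

```python
"""Consolidate findings from several scanners into one view, then derive the
metrics a CISO report needs (open counts, backlog age, time to remediate).

Added example, not code from the article. Both row formats, the CVE
publication dates and the sample exports are constructed stand-ins for real
scanner exports and an NVD lookup; the CVE IDs are placeholders.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed stand-in for NVD publication dates (placeholder CVE IDs).
CVE_PUBLISHED = {
    "CVE-0000-0001": date(2014, 4, 7),
    "CVE-0000-0002": date(2016, 3, 1),
    "CVE-0000-0003": date(2013, 9, 10),
}


@dataclass
class Finding:
    host: str
    cve: str
    first_seen: date
    fixed_on: Optional[date] = None
    sources: Set[str] = field(default_factory=set)


# Constructed exports: the two scanners name the same facts differently.
SCANNER_A_ROWS = [
    {"ip": "10.0.0.5", "plugin_cve": "CVE-0000-0001", "first_seen": "2016-04-01", "fixed": None},
    {"ip": "10.0.0.5", "plugin_cve": "CVE-0000-0002", "first_seen": "2016-04-01", "fixed": "2016-04-20"},
    {"ip": "10.0.0.9", "plugin_cve": "CVE-0000-0003", "first_seen": "2016-02-10", "fixed": None},
]
SCANNER_B_ROWS = [
    {"asset": "10.0.0.5", "cve_id": "CVE-0000-0001", "detected": "2016-03-28", "remediated": None},
    {"asset": "10.0.0.7", "cve_id": "CVE-0000-0003", "detected": "2016-05-01", "remediated": "2016-05-11"},
]
REPORT_DATE = date(2016, 5, 25)


def _parse(s: Optional[str]) -> Optional[date]:
    return date.fromisoformat(s) if s else None


def from_scanner_a(row: dict) -> Finding:
    return Finding(row["ip"], row["plugin_cve"], _parse(row["first_seen"]), _parse(row["fixed"]), {"A"})


def from_scanner_b(row: dict) -> Finding:
    return Finding(row["asset"], row["cve_id"], _parse(row["detected"]), _parse(row["remediated"]), {"B"})


def consolidate(findings: Iterable[Finding]) -> Dict[Tuple[str, str], Finding]:
    """Merge per (host, CVE): the earliest sighting wins, and a finding counts
    as closed only when every scanner that reported it now reports it fixed."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.host, f.cve)
        if key not in merged:
            merged[key] = Finding(f.host, f.cve, f.first_seen, f.fixed_on, set(f.sources))
            continue
        m = merged[key]
        m.first_seen = min(m.first_seen, f.first_seen)
        if m.fixed_on is None or f.fixed_on is None:
            m.fixed_on = None
        else:
            m.fixed_on = max(m.fixed_on, f.fixed_on)
        m.sources |= f.sources
    return merged


def metrics(merged: Dict[Tuple[str, str], Finding], today: date) -> dict:
    open_ = [f for f in merged.values() if f.fixed_on is None]
    closed = [f for f in merged.values() if f.fixed_on is not None]
    return {
        "open": len(open_),
        "closed": len(closed),
        "open_seen_by_multiple_scanners": sum(1 for f in open_ if len(f.sources) > 1),
        # The DBIR point: how much of the open backlog is over a year old?
        "open_cve_older_than_1y": sum(1 for f in open_ if (today - CVE_PUBLISHED[f.cve]).days > 365),
        "oldest_open_age_days": max(((today - f.first_seen).days for f in open_), default=0),
        "mean_days_to_remediate": mean([(f.fixed_on - f.first_seen).days for f in closed]) if closed else None,
        "open_per_source": dict(Counter(s for f in open_ for s in f.sources)),
    }


def build_report(today: date = REPORT_DATE) -> dict:
    rows = [from_scanner_a(r) for r in SCANNER_A_ROWS] + [from_scanner_b(r) for r in SCANNER_B_ROWS]
    return metrics(consolidate(rows), today)


if __name__ == "__main__":
    for k, v in build_report().items():
        print(f"{k:32} {v}")
```

Two design choices are worth calling out. A finding is closed only when every scanner that saw it agrees, so one scanner's stale "fixed" flag cannot hide an open issue. And the same (host, CVE) seen by two tools is counted once, which is what keeps the analyst-level numbers and the CISO-level numbers consistent.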



9. Are you keeping track of everything happening outside, in the threat landscape and in exploit releases?

The #1 improvement organizations said they were most interested in was the ability to update their vulnerability data quickly after a newly discovered vulnerability or threat announcement. (source: Skybox Security)

  • It is difficult to understand the threat of exploitation in the context of your own environment just by reading news articles and intelligence feeds.
  • Breach simulation technologies provide a "what-if" testing framework that gives visibility and context into your IT environment, to understand how applicable a specific threat is and what its impact would be. Adding this context to vulnerability management helps with prioritizing assets and vulnerabilities. (source: Forrester)
  • Companies such as Splunk and Aujas offer solutions for vulnerability data analysis, helping organizations visualize the data and gain better insight into vulnerabilities and risk. (source: SANS Institute)


10. Does it feel like a restart every day, and do you hate the fact that vulnerability management is cyclical?

Management teams often forget that VM is cyclical. Instead they fall back to a simple checklist, which means they skip prioritization of assets and vulnerabilities and spend their time on low-impact, unlikely threats.

Oftentimes, teams also miss the reporting, remediation and validation steps of VM; without validation (re-scanning to confirm the fix took), a vulnerability marked as remediated may still be open.