Accepting Vulnerability Risk

by Brian Petzold | Jun 15, 2018


Financial institutions are in the business of managing risk to an acceptable level. We do it every day when assessing whether to originate a loan or to purchase a certain bond. In many cases, we have built elaborate frameworks to help make and document these decisions. But when it comes to accepting the risk of system vulnerabilities, many institutions are at a loss. As a result, much time is spent remediating vulnerabilities which pose a low risk to the organization when we should be focusing on higher-risk items. This week, we present tips for assessing and accepting system vulnerability risk:

  1. Research the vulnerability: Knowing what a vulnerability can impact if exploited is an important first step in assessing vulnerability risk. Vulnerabilities can impact confidentiality of data on the system, integrity of a system and its data, availability of the system, or a combination of the three. Use the information in your vulnerability management system and at websites such as CVE (https://cve.mitre.org) to research industry intelligence on the vulnerability so that you can determine what the risks are.

  2. Know what the system does: Knowing the function of a system is critical in assessing risk of a vulnerability on that system. A vulnerability that discloses data may be acceptable if a test system contains only fictitious test data, and a vulnerability that can make a system unavailable may not be a concern for a training PC.

  3. Know where the system is: The location of a system on the network should be taken into account when considering acceptance of vulnerability risk. If a system is a web server that is accessible from the Internet, its location means a vulnerability is a greater risk to the organization and should not be accepted without knowing the risk is mitigated. If a system is located on a network segment that is not accessible from the Internet or by the rest of the network, the probability of the vulnerability being exploited and the impact if it is exploited are both lower, so the bar for accepting the risk may be lower.

  4. Know how many systems are at risk: Vulnerabilities that are found on many systems can represent a greater risk than those found on a single system, as there is a broader attack surface. Even if a vulnerability is found on only one system, it may spread to other systems if exploited, and understanding this behavior is important when considering accepting the risk of the vulnerability.

  5. Have a documented process: Be sure to document the process for accepting vulnerability risk, and to retain documentation of why decisions were made to accept risk (or to not accept risk). Where possible, use a scoring system like CVSS that allows adjustment for environmental factors to help quantify those decisions.
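Steps 2, 3 and 5 above map directly onto the CVSS v3.1 environmental metrics: the Confidentiality, Integrity and Availability Requirements capture what the system holds, and Modified Attack Vector captures where it sits on the network. As an added example that is not part of the original post, the Python below implements the v3.1 base and environmental formulas from the FIRST specification and scores one constructed critical vector against two constructed hosts; the host names, the requirement choices and the 7.0 acceptance threshold are assumptions, not values from the post.

```python
import math
# Metric weights from the CVSS v3.1 specification (FIRST.org).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # privileges, keyed by scope
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}    # CR / IR / AR requirements
TEMPORAL = {"E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}}

def roundup(x):
    """The spec's Roundup(): smallest one-decimal value >= x, float-safe."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def score(vector, env=None):
    """Base score when env is empty, environmental score otherwise. env may
    hold MAV/MAC/MPR/MUI/MS/MC/MI/MA, CR/IR/AR and E/RL/RC (X = not defined)."""
    m = dict(p.split(":", 1) for p in vector.split("/")[1:])   # drop 'CVSS:3.1'
    env = env or {}
    g = lambda k: env.get("M" + k, m[k])           # modified metric, else base
    scope = g("S")
    iss = 1 - math.prod(1 - REQ[env.get(k + "R", "X")] * CIA[g(k)] for k in "CIA")
    if env:                                         # environmental caps MISS
        iss = min(iss, 0.915)
    if scope == "U":
        impact = 6.42 * iss
    elif env:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[g("AV")] * AC[g("AC")] * PR[scope][g("PR")] * UI[g("UI")]
    raw = min((1.08 if scope == "C" else 1.0) * (impact + expl), 10)
    temporal = math.prod(TEMPORAL[k][env.get(k, "X")] for k in TEMPORAL)
    return roundup(roundup(raw) * temporal)

def assess(host, vector, env, accept_below=7.0):
    """Decision record to retain; the 7.0 threshold is a constructed policy."""
    base, environmental = score(vector), score(vector, env)
    return {"host": host, "vector": vector, "environment": env, "base": base,
            "environmental": environmental, "accept": environmental < accept_below}

VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # constructed critical flaw
WEB = {"CR": "H", "IR": "H", "AR": "H"}                # internet-facing, live data
LAB = {"MAV": "L", "CR": "L", "IR": "L", "AR": "L"}    # isolated test box, fake data
```

The same 9.8 finding stays 9.8 on the exposed web server but drops to 6.6 on the isolated test box, and `assess()` returns the record that should be retained with the decision.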

Bedel Security helps institutions make sense of vulnerability management. If this is an area where you struggle, please do not hesitate to shoot us your questions at support@bedelsecurity.com.
