Tuesday 28th March 2023

BLOG: Protect Your Organization – The Importance of Implementing a Risk-Based Vulnerability Management Program

Organizations of all sizes need to implement a risk-based vulnerability program because it helps them identify and prioritize their vulnerabilities based on their potential impact on the business. A risk-based vulnerability management program is essential for businesses to mitigate security risks and protect themselves against potential cyber-attacks. 

By taking a risk-based approach, organizations can focus their resources on the vulnerabilities that are most critical, rather than trying to address every single vulnerability, which is time-consuming and costly. Implementing such a program, however, can be challenging.

Common Challenges:

  • Identifying vulnerabilities: The first step in implementing a risk-based vulnerability management program is identifying vulnerabilities. This is often challenging as there are thousands of vulnerabilities to track, and new ones are discovered every day. It is essential to have a robust and reliable vulnerability scanning system in place to identify vulnerabilities.
  • Prioritizing vulnerabilities: Once vulnerabilities are identified, they need to be prioritized based on their risk level. This can be challenging as some vulnerabilities may have a high CVSS score but may not be relevant to the organization’s infrastructure. Prioritization requires a thorough understanding of the organization’s IT infrastructure, business processes, and security objectives.
  • Lack of resources: Implementing a risk-based vulnerability management program requires significant resources, including staff, tools, and technology. Small and medium-sized businesses may struggle to allocate resources to this program, leading to inadequate coverage or reduced efficacy.
  • Communication: Communication is critical when implementing a risk-based vulnerability management program. The program needs to be well understood by all stakeholders, including executives, IT staff, and end-users. A lack of communication can lead to misunderstandings, resistance to change, and reduced efficacy.
  • Compliance: Compliance requirements often dictate the scope and level of vulnerability management programs. However, meeting compliance requirements may not be enough to fully protect the organization. It is essential to go beyond compliance and adopt a risk-based approach that considers the organization’s unique security risks.
  • Cost: Implementing a risk-based vulnerability management program can be expensive, and costs can quickly escalate if the program is not managed effectively. Organizations need to ensure they have a clear understanding of the program’s costs and benefits and develop a budget accordingly.
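To make the "Prioritizing vulnerabilities" point concrete, here is an added illustrative example (not code from this blog, and not Orpheus Cyber's OVSS or any product's method). It ranks scanner findings by a risk score that scales the CVSS base score by asset criticality, internet exposure and whether exploitation has already been observed, then assigns a remediation deadline. The weights, SLA bands, field names and sample findings (including the placeholder CVE identifiers) are constructed assumptions; an organization would calibrate them to its own environment and risk appetite.

```python
"""Illustrative risk-based prioritisation of vulnerability scanner findings.

Added example, not the page's own code and not any vendor's scoring method.
Weights, SLA bands, field names and the sample findings below are
constructed assumptions chosen to show why ranking purely by CVSS misorders
remediation work.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifiers here, not real CVEs
    cvss: float              # base score 0.0-10.0 as reported by the scanner
    asset: str               # fictional asset name
    asset_criticality: int   # 1 (lab/test) .. 5 (revenue- or safety-critical)
    internet_facing: bool    # reachable from the internet without VPN
    known_exploited: bool    # threat intelligence reports active exploitation
    patch_available: bool    # vendor fix exists


# Assumed weights; calibrate to the organisation's own risk appetite.
EXPOSURE_FACTOR = {True: 1.0, False: 0.4}
EXPLOIT_FACTOR = {True: 1.5, False: 1.0}


def risk_score(f: Finding) -> float:
    """Combine technical severity with business context and threat intelligence.

    score = CVSS * (criticality / 5) * exposure factor * exploitation factor,
    capped at 10 so it remains comparable to a CVSS-style 0-10 scale.
    """
    criticality = f.asset_criticality / 5.0
    score = (f.cvss * criticality
             * EXPOSURE_FACTOR[f.internet_facing]
             * EXPLOIT_FACTOR[f.known_exploited])
    return round(min(score, 10.0), 2)


def remediation_sla_days(score: float) -> int:
    """Map a risk score to a patch/mitigate deadline (assumed policy bands)."""
    if score >= 8.0:
        return 7
    if score >= 5.0:
        return 30
    if score >= 2.5:
        return 90
    return 180


def prioritise(findings):
    """Return (cve, asset, risk, sla_days, action) tuples, highest risk first."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        action = "patch" if f.patch_available else "mitigate (no vendor fix yet)"
        ranked.append((f.cve, f.asset, score, remediation_sla_days(score), action))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample findings: placeholder CVE ids and fictional assets.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "lab-build-box", 1, False, False, True),
    Finding("CVE-0000-0002", 7.5, "file-transfer-gw", 5, True, True, False),
    Finding("CVE-0000-0003", 8.1, "hr-portal", 4, True, False, True),
    Finding("CVE-0000-0004", 5.3, "internal-wiki", 2, False, False, True),
]

if __name__ == "__main__":
    for cve, asset, score, sla, action in prioritise(SAMPLE_FINDINGS):
        print(f"{cve}  {asset:<18} risk={score:<5} sla={sla:>3}d  {action}")
```

Run as-is, the CVSS 9.8 finding on the isolated lab machine drops to the bottom of the list, while the CVSS 7.5 finding on the internet-facing, critical file-transfer gateway with reported active exploitation rises to the top with a seven-day deadline and a "mitigate" action because no patch exists yet. That reordering is the practical difference between a CVSS-sorted report and a risk-based program.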

A report published in January of this year found that businesses are still taking 215 days to patch a reported vulnerability; even for critical vulnerabilities, it generally takes more than 6 months. A risk-based vulnerability program can also help organizations comply with regulatory requirements and industry standards, as many of these require regular vulnerability assessments and remediation activities.

This month, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories for 49 vulnerabilities in eight industrial control systems (ICS) used by organizations in multiple critical infrastructure sectors, some of which are unpatched. These vulnerabilities are remotely exploitable and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems.

The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. The European cybersecurity agency’s report highlighted the continued evolution of ICS-specific malware and growing attacker interest in ICS environments.

A few days ago 130 organizations were breached by the Clop ransomware group due to a vulnerability in the commonly used file transfer service, GoAnywhere. The victims of the attack have been making public disclosures, as GoAnywhere parent company Fortra has remained publicly quiet. However, Fortra recently issued a statement, reassuring customers that it is committed to helping them navigate the crisis. 

The attack has affected many large organizations that use GoAnywhere, and cybersecurity experts have criticized Fortra’s slow communication and lack of guidance to victims. The attack was likely accelerated due to the delayed disclosure of the zero-day vulnerability. This is not the first time Clop ransomware has been used in a mass breach. By prioritizing vulnerabilities and patching them promptly, organizations can prevent such attacks and minimize their impact. This incident serves as a reminder of the importance of implementing a risk-based vulnerability management program to prevent similar attacks in the future.

How Orpheus Cyber can help

At Orpheus Cyber we have developed the Orpheus Vulnerability Severity Score (OVSS) to help organizations filter vulnerabilities on their network by those that are the most serious. This proprietary machine learning tool uses cyber threat intelligence to score each CVE, enabling organizations to prioritize and focus on patching or mitigating the most critical vulnerabilities first.

This risk-based approach to CVE management is important for organizations of all sizes as it allows them to make effective use of resources and budgets while increasing their maturity in cyber risk management. Additionally, Orpheus Cyber’s machine learning technology can predict which vulnerabilities will be exploited in the future, enabling organizations to patch them before attackers can exploit them.
