Any time threat actors try to compromise an application, server, or another IT system, they search for weaknesses that they can exploit. These weaknesses are low-hanging fruit that makes it easier to achieve malicious goals, whether that means installing malware, encrypting systems with ransomware, or stealing sensitive data from your environment.
Modern IT environments’ fast-paced, ever-changing nature means new vulnerabilities constantly emerge. Businesses face a race against time to find vulnerabilities and deal with them before it’s too late, either through mitigation or remediation. This article clarifies the difference between vulnerability remediation vs. mitigation.
What is a vulnerability?
A vulnerability is a flaw in a system that weakens its security and that a cybercriminal could exploit.
Ever since curious-minded individuals began exploring computer systems, software, and networks, they have found vulnerabilities that allowed them to retrieve hidden information, escalate privileges, or access unexpected resources.
In 1967, a group of high school students found security vulnerabilities in an IBM network of computers and terminals running the APL programming language. This primitive form of ethical hacking helped to strengthen the security of IBM’s future computer systems.
Unfortunately, having a curious mind and hacking systems is not restricted to altruistic or ethical uses. Malicious actors today constantly probe IT environments for vulnerabilities using an array of tools and techniques. While there are many different types of vulnerabilities, here are some of the most common ones that hackers try to exploit:
- Software applications that haven’t had the latest updates and security patches applied to them.
- Code injection flaws that allow attackers to submit code or queries to a web app that trick it into executing malicious commands or exposing sensitive resources.
- Zero-day vulnerabilities in software that both the target company and the software vendor are not aware of yet and thus haven’t had time to work on a patch that fixes the flaw.
- Authentication vulnerabilities that make it easier to get inside a system or to masquerade as a legitimate user.
- Configuration vulnerabilities that create gaps in security systems, such as opening risky ports or leaving cloud storage buckets exposed to anyone with the right address.
What is vulnerability management?
The pervasive challenges in finding and eliminating vulnerabilities call for a dedicated vulnerability management strategy. The extent of these challenges was evidenced in a joint advisory published by CISA (US), NCSC (UK), and ACSC (Australia) highlighting the most commonly exploited vulnerabilities in 2021 and 2020. One of these vulnerabilities had had a patch available since 2017, while several others had patches released in 2018 and 2019.
Vulnerability management is a systematic approach to continuously identify and eliminate vulnerabilities in your IT environment. The typical steps in vulnerability management are as follows:
- Identify and understand all the assets that make up your IT environment because they are all potentially vulnerable to attack. This asset discovery step is critical because a lack of visibility can mean forgotten assets are left vulnerable and running in your environment where they become easy pickings for malicious actors.
- Run regular vulnerability scans to assess particular systems, software, or infrastructure for vulnerabilities. Typically, you’ll use one or more scanning tools at this point.
- Use a combination of factors or some kind of rating scale to prioritize vulnerabilities for fixing or remediation. It’s generally not prudent (or possible) to try and fix everything at once. Prioritize the vulnerabilities that are most likely to be exploited, have the highest severity, and carry the most business risk.
- Make effective risk management decisions that apply appropriate countermeasures to deal with each vulnerability. As you’ll soon see, this does not always mean applying a fix or patch to remediate the weakness.
- Provide a clear and concise report outlining the findings from the previous steps. Reports should include a dashboard, summary, detailed findings, and recommendations for stakeholders, including security operations teams, IT department managers, CISOs, and compliance officers.
Vulnerability management should be an ongoing strategy that reflects how new vulnerabilities regularly emerge in IT environments.
Vulnerability remediation vs mitigation
Discussions about vulnerabilities within cybersecurity are sometimes biased towards remediation as the only method of dealing with them. In most cases, the recommended advice is to patch your vulnerabilities and do it ASAP. But this neglects the fact that mitigation is another potential solution for resolving vulnerabilities.
It’s helpful to view vulnerability management in a way that links the process back to the overarching strategic goal of cyber risk management. Each vulnerability has a certain severity level and a certain likelihood of being exploited. Whatever scoring you use to rank your vulnerabilities, each one ultimately represents an increased risk of exposure or loss.
The question then is how do you want to reduce that risk? For vulnerabilities, you have two broad options:
- Remediate the vulnerability to either fix or eliminate it from your environment
- Mitigate the vulnerability by decreasing the possibility of it being exploited
Remediation through security patches is presented as the ideal resolution method, but it’s sometimes not possible, or even necessary, at the time. For example, the software vendor might not have a patch available yet, or an important operational system for which any downtime is intolerable might be the vulnerable one. Or, there could be out-of-date systems that have a vulnerability but aren’t directly accessible or exploitable by malicious actors.
Approaches to remediation and mitigation
Approaches to remediation involve updating affected software/firmware to the latest version, applying a security patch, changing a configuration, or potentially even removing a vulnerable asset entirely from your environment (e.g. replacing one software solution with another).
Mitigation solutions include isolating a set of vulnerable resources from the rest of the network with segmentation, temporarily disabling an application, or blocking a port that could provide access to a vulnerable resource.
Your choice usually isn’t a straightforward either/or decision between vulnerability remediation and mitigation. In scenarios where remediation approaches aren’t feasible, you can temporarily mitigate before eventually remediating when the situation allows for it.
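The prioritization and decision steps above can be made concrete in code. The following is an added example (not Bugcrowd’s code or any scanner’s output): it scores constructed scan findings by severity, exploit likelihood, and business impact, ranks them, and recommends remediation, mitigation-then-remediation, or routine handling based on whether a patch exists, whether downtime is tolerable, and whether the asset is reachable by attackers. The field names, weights, and the VULN-00x identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    # Constructed record for one scanner finding; field names are hypothetical.
    asset: str
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # base severity, 0.0 to 10.0
    exploited_in_wild: bool   # known to be actively exploited
    internet_facing: bool     # part of the external attack surface
    asset_criticality: int    # business impact, 1 (low) to 5 (critical)
    patch_available: bool
    downtime_tolerable: bool  # can the asset be taken down to patch?
    reachable_by_attackers: bool


def risk_score(f: Finding) -> float:
    """Combine severity, likelihood of exploitation and business impact.

    The weights are assumptions for illustration, not a published standard.
    """
    likelihood = 1.0
    if f.exploited_in_wild:
        likelihood += 1.0
    if f.internet_facing:
        likelihood += 0.5
    if not f.reachable_by_attackers:
        likelihood *= 0.25   # isolated systems are far less likely to be hit
    return round(f.cvss * likelihood * f.asset_criticality, 1)


def recommend(f: Finding) -> str:
    """Map a finding to remediation, mitigation-then-remediation, or monitoring."""
    if not f.reachable_by_attackers:
        return "monitor: not exposed; remediate in the normal patch cycle"
    if f.patch_available and f.downtime_tolerable:
        return "remediate: apply the patch or update now"
    if f.patch_available:
        return "mitigate now (segment, block port or disable); remediate at next maintenance window"
    return "mitigate now (segment, block port or disable); remediate when the vendor ships a fix"


def prioritize(findings):
    """Return findings ordered from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (hypothetical assets and identifiers).
SAMPLE = [
    Finding("web-01", "VULN-001", 9.8, True, True, 4, True, True, True),
    Finding("erp-db", "VULN-002", 7.5, False, False, 5, True, False, True),
    Finding("legacy-hmi", "VULN-003", 8.1, True, False, 3, False, False, True),
    Finding("lab-box", "VULN-004", 9.0, True, False, 1, True, True, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.1f}  {f.asset:<11} {f.vuln_id}  -> {recommend(f)}")
```

The ranking deliberately separates "how bad" (score) from "what to do" (recommendation): the legacy system with no patch ranks second by risk yet still cannot be remediated today, so the output pairs it with a mitigation and a remediation trigger rather than dropping it.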
Identifying vulnerabilities within your attack surface
A study found that 84 percent of tested companies had high-risk vulnerabilities on their internet-facing external attack surface. These vulnerabilities are particularly concerning given that threat actors can trivially discover the assets that make up your external attack surface. It’s therefore important to identify and resolve vulnerabilities in your attack surface, arguably before any other class of vulnerabilities.
Dedicated external attack surface management solutions prove useful for this task because they can quickly and automatically discover your complex and expanding external attack surface. These solutions then use the inventory of discovered assets and continuously scan for vulnerabilities.
How to measure and improve vulnerability remediation and mitigation
Collecting important metrics during the cyclical vulnerability management process can improve both remediation and mitigation. Ideally, these metrics will be included in vulnerability management reports. Measurements to consider are vulnerability scan frequency, number of detected vulnerabilities in the current scan, number of open and closed vulnerabilities, and average time to patch high-severity vulnerabilities.
Track these metrics over time and look for trends that indicate potential areas of improvement. Look, too, for more ways to automate the process of detecting or resolving vulnerabilities.
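To show how the metrics named above are derived from tracking data, here is an added example (not Bugcrowd’s code, and not any product’s schema). It takes a constructed list of scan dates and vulnerability records, each with a detection date and an optional closure date, and computes scan frequency, findings in the latest scan, open versus closed counts, and the mean time to close high-severity findings, including the trend of that last figure across successive scans. The record fields and the V-00x identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class VulnRecord:
    # Constructed tracking record; the fields are hypothetical, not a tool's schema.
    vuln_id: str                    # placeholder identifier
    severity: str                   # "critical", "high", "medium" or "low"
    detected: date                  # first scan that reported it
    closed: Optional[date] = None   # date the fix or mitigation was verified


# Constructed sample: four fortnightly scans and the findings they produced.
SCAN_DATES = [date(2024, 1, 1), date(2024, 1, 15), date(2024, 2, 1), date(2024, 2, 15)]
RECORDS = [
    VulnRecord("V-001", "high",     date(2024, 1, 1),  date(2024, 1, 8)),
    VulnRecord("V-002", "critical", date(2024, 1, 1),  date(2024, 1, 3)),
    VulnRecord("V-003", "high",     date(2024, 1, 15), date(2024, 1, 30)),
    VulnRecord("V-004", "medium",   date(2024, 1, 15)),
    VulnRecord("V-005", "high",     date(2024, 2, 1),  date(2024, 2, 5)),
    VulnRecord("V-006", "high",     date(2024, 2, 1)),
    VulnRecord("V-007", "low",      date(2024, 2, 15)),
    VulnRecord("V-008", "high",     date(2024, 2, 15)),
]


def scan_frequency_days(scan_dates):
    """Average interval between consecutive scans, in days."""
    gaps = [(later - earlier).days for earlier, later in zip(scan_dates, scan_dates[1:])]
    return round(mean(gaps), 1)


def detected_in_scan(records, scan_date):
    """Number of findings first reported by the scan on scan_date."""
    return sum(1 for r in records if r.detected == scan_date)


def open_closed_counts(records, as_of):
    """(open, closed) counts as they stood on the given date."""
    raised = [r for r in records if r.detected <= as_of]
    closed = [r for r in raised if r.closed is not None and r.closed <= as_of]
    return len(raised) - len(closed), len(closed)


def mean_time_to_close_days(records, severity, as_of):
    """Mean days from detection to closure for findings of one severity closed by as_of.

    Returns None when nothing of that severity had been closed yet.
    """
    durations = [(r.closed - r.detected).days for r in records
                 if r.severity == severity and r.closed is not None and r.closed <= as_of]
    return round(mean(durations), 1) if durations else None


def metrics_report(records, scan_dates):
    """Assemble the metrics a vulnerability management report would carry."""
    latest = scan_dates[-1]
    open_n, closed_n = open_closed_counts(records, latest)
    return {
        "scan_frequency_days": scan_frequency_days(scan_dates),
        "detected_in_latest_scan": detected_in_scan(records, latest),
        "open": open_n,
        "closed": closed_n,
        "mttc_high_days": mean_time_to_close_days(records, "high", latest),
        # One value per scan date, so a worsening or improving trend is visible.
        "mttc_high_trend": [mean_time_to_close_days(records, "high", d) for d in scan_dates],
    }


if __name__ == "__main__":
    for key, value in metrics_report(RECORDS, SCAN_DATES).items():
        print(f"{key}: {value}")
```

Computing each metric "as of" a scan date, rather than over the whole dataset, is what makes the trend meaningful: the mean time to close high-severity findings rises from 7 to 11 days and then falls back to about 8.7 as faster closures land, which is the kind of movement worth investigating rather than a single headline number.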
Bugcrowd’s external attack surface management solution provides essential capabilities for identifying and prioritizing vulnerabilities in your external attack surface. You also get accelerated remediation by being able to connect your workflows and assign vulnerabilities to relevant teams with all the details they require to remediate each vulnerability.
Frequently asked questions
When is vulnerability remediation necessary?
Vulnerability remediation is necessary when organizations aim to completely eliminate identified vulnerabilities from their systems. This approach is typically required for high-risk vulnerabilities or when compliance requirements demand a thorough resolution.
When is vulnerability mitigation appropriate?
Vulnerability mitigation is appropriate in situations where it may not be feasible or practical to completely resolve the vulnerabilities. This approach is often employed when immediate remediation is not possible or when the risks associated with the vulnerabilities can be sufficiently reduced through compensating controls or alternative security measures.
Can vulnerability mitigation be a long-term solution?
Vulnerability mitigation is typically considered a temporary or interim solution. While mitigation measures can reduce the immediate risk associated with vulnerabilities, they may not provide a permanent fix. Organizations should aim to prioritize and plan for complete vulnerability remediation whenever feasible and allocate resources accordingly.
Should vulnerability mitigation replace vulnerability remediation?
Vulnerability mitigation should not replace vulnerability remediation as a general practice. While mitigation can help reduce immediate risk, complete remediation should always be pursued whenever possible. Organizations should prioritize vulnerability remediation to achieve a more robust and secure environment in the long run.