Why you don’t have to fix every vulnerability

Not every vulnerability translates into high risk. Here are a few scenarios in which an immediate fix is not necessarily needed, along with the caveat that goes with each one.

Let that vulnerability sit for a bit

The word “vulnerability” typically triggers a “must fix now” response. However, not all vulnerabilities should be treated equally, because not all of them pose the same risk. What matters is the threat that can reach the weakness and the value of the data or system behind it. Some vulnerabilities are fine to deprioritize once those two factors are weighed. For example, a lock on a 20th-floor window is less important than one at ground level, unless the contents of the room are valuable enough that a thief would make the effort to reach such an inaccessible place. Scans reveal thousands of vulnerabilities across all assets – networks, applications, systems and devices – but they do not show which ones could lead to a damaging compromise if left unfixed. This is not about ignoring vulnerabilities; it is about prioritizing how you apply limited remediation resources. Bay Dynamics provides the following examples of vulnerabilities that can reasonably be put on the back burner.

Vulnerability: Weak firewall

Why?: The network is air-gapped, so there is no threat from the outside. When a secured network is physically isolated from unsecured networks, an outside attacker cannot exploit a weak firewall ruleset to get in, because there is no path for the traffic to take.

However… don’t let the air gap give you a false sense of security. It means the network is unreachable from the perimeter, but it remains exposed through other channels, such as removable media plugged into USB ports (as Stuxnet demonstrated) and maintenance laptops that move between networks. A weak firewall ruleset also becomes urgent the moment anyone bridges the gap, deliberately or by mistake.

Vulnerability: No endpoint data loss prevention protection

Why?: The PC has no optical drive and no USB or other removable-media ports, so it does not need endpoint data-exfiltration protection for those channels. Without such ports, an insider cannot directly copy sensitive corporate information onto an external device.

However… keep in mind that other exfiltration channels remain open and are often not blocked, such as Bluetooth file transfer, as well as network channels like personal email, web uploads, or simply photographing the screen with a phone. Removing the ports lowers the risk; it does not remove it.

Vulnerability: Lack of data encryption

Why?: The application contains only public marketing materials and therefore does not require confidentiality protection. Information that has already been published would not cause severe damage to the organization if it were read by an attacker. The value at risk is low, so encrypting it is not a priority.

However… be sure that only public information is present, and that no proprietary content, such as descriptions of future product capabilities or unreleased pricing, has been staged alongside it. Note also that encryption protects confidentiality, not integrity: an attacker who can modify public-facing content can still deface the site or plant malware, which is a different vulnerability with its own priority. As always, how high the priority should be depends on what data is actually there.

Vulnerability: A third-party vendor user is accidentally given access to a database that solely contains public marketing materials

Why?: The user should not have been given access, since they do not need the database to do their job, but the database contains no highly valuable information. The excess privilege is real, yet the impact of abusing it is low, so this is not a high-priority vulnerability.

However… even though it is a low priority, third parties present a higher risk than employees, and an account that was granted access by accident once is a sign the provisioning process can make the same mistake with a more sensitive database. Vendor access should be reviewed regularly and removed wherever it is not required.

Vulnerability: A Bluetooth flaw allows anyone to access information on a smartphone

Why?: The smartphone is a “burner” phone that contains no important information and is designed to be discarded after a single use.

However… keep in mind that anything you do on that phone can potentially be exposed: the phone numbers of your contacts, text messages exchanged with them, two-factor authentication codes delivered by SMS, emails, and so on. A burner phone only limits the damage if it is actually kept free of anything you would mind an attacker reading.

Vulnerability: Wired corporate network traffic is not encrypted

Why?: Physical access to the network equipment and cabling is controlled, so traffic on the wired network does not need to be encrypted to be protected from casual interception. This contrasts with Wi-Fi, where communication is routinely encrypted because anyone within range of the signal can capture it.

However… remember to tightly manage network access by third-party vendors and unapproved devices, since anyone who gets onto the internal network, including through a single compromised endpoint, can intercept or tamper with unencrypted traffic and use it as a gateway to sensitive data. Physical control of the equipment only helps while the set of devices on the network is itself controlled.

Vulnerability: A lack of tight data access controls on a development platform

Why?: Because this is a development system, all data in it is masked or synthetically generated and is therefore of limited value. This makes it a low-priority vulnerability, although not one to ignore entirely, since the weakness can be exploited to gather intelligence about how best to compromise the production environment.

However… even though the data itself is not sensitive, access should still be limited to the people who need it. Development environments expose source code, configuration, credentials and architecture that help an attacker plan a move against the production environment where the real data lives, and it is common for “masked” data sets to turn out to contain unmasked production records.

Don’t get overwhelmed

Conclusion: Almost every company has limited resources for remediating threats and vulnerabilities. To avoid being buried by the thousands of findings a scan uncovers, organizations must prioritize the ones that actually pose a risk. That means starting with the vulnerabilities that have an associated, reachable threat, and then ordering those by impact based on the value of the information and systems at stake. Low-priority findings are not closed; they are recorded with an owner and a review date so that a change in exposure or asset value can move them back up the list.
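The ordering the conclusion describes can be made concrete with a small scoring model. The following is an added example, not code from the original article or from Bay Dynamics: it weights each scanner finding by how reachable it is for an attacker and by the value of the asset behind it, then compares that order with a severity-only sort. The findings, exposure weights, triage thresholds and the 1.5x multiplier for an active threat are all constructed for illustration and mirror the scenarios on this page rather than real scan results.

```python
"""Risk-based ranking of scanner findings.

Added example, not from the original article or Bay Dynamics. It models
the article's rule of thumb: order findings by whether a realistic threat
can reach them and by the value of what they expose, not by scanner
severity alone. All findings, weights and thresholds are constructed.
"""
from dataclasses import dataclass

# How reachable the weakness is for an attacker (constructed weights).
EXPOSURE_WEIGHT = {
    "internet": 1.0,    # reachable from outside the perimeter
    "internal": 0.6,    # needs a foothold, insider or vendor on the LAN
    "proximity": 0.3,   # needs physical or radio proximity (USB, Bluetooth)
    "air_gapped": 0.1,  # isolated network; residual path is removable media
}

# Triage buckets on the 0-10 risk scale (constructed thresholds).
FIX_NOW = 5.0
SCHEDULE = 2.0


@dataclass(frozen=True)
class Finding:
    title: str
    asset: str
    severity: float              # scanner severity, 0-10 (CVSS-like)
    exposure: str                # key into EXPOSURE_WEIGHT
    asset_value: float           # business value of the data or system, 0-10
    threat_active: bool = False  # known exploitation or a motivated attacker

    def risk(self) -> float:
        """Risk = severity x reachability x asset value, scaled to 0-10.

        An active threat multiplies the score by 1.5; the result is capped
        at 10 so it stays comparable with the severity input.
        """
        score = (self.severity / 10) * EXPOSURE_WEIGHT[self.exposure]
        score *= (self.asset_value / 10) * 10
        if self.threat_active:
            score *= 1.5
        return round(min(score, 10.0), 2)

    def bucket(self) -> str:
        """Map the risk score to a remediation decision."""
        r = self.risk()
        if r >= FIX_NOW:
            return "fix now"
        if r >= SCHEDULE:
            return "schedule"
        return "backlog"  # accept for now; record owner and review date


def by_risk(findings):
    """The article's order: reachable threat and asset value first."""
    return sorted(findings, key=lambda f: f.risk(), reverse=True)


def by_severity(findings):
    """The scanner's order: severity alone, for comparison."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


# Constructed findings mirroring the article's scenarios.
FINDINGS = [
    Finding("Weak firewall ruleset", "air-gapped plant network", 8.0, "air_gapped", 9.0),
    Finding("No encryption at rest", "public marketing CMS", 6.0, "internet", 1.0),
    Finding("Vendor account with unneeded access", "marketing database", 5.0, "internal", 1.0),
    Finding("Lax access control (masked data)", "development platform", 6.0, "internal", 3.0),
    Finding("Bluetooth flaw exposes handset data", "burner phone", 7.0, "proximity", 1.0),
    Finding("Missing MFA", "internal HR portal", 5.0, "internal", 8.0),
    Finding("Unpatched RCE", "customer payment API", 7.5, "internet", 10.0, threat_active=True),
]


def triage_report(findings=FINDINGS):
    """Return (title, asset, risk, bucket) tuples in remediation order."""
    return [(f.title, f.asset, f.risk(), f.bucket()) for f in by_risk(findings)]


if __name__ == "__main__":
    print("Severity-only order:", [f.title for f in by_severity(FINDINGS)][:3])
    print("Risk-based order:")
    for title, asset, risk, bucket in triage_report():
        print(f"  {risk:5.2f}  {bucket:<9} {title} on {asset}")
```

Run as written, the severity-only sort puts the air-gapped firewall first, while the risk-based sort drops it into the backlog and promotes the lower-severity RCE on the internet-facing payment API to the top; the internal HR portal lands in the middle bucket. The weights are the part to argue about in your own organization, and the point of writing them down is exactly that they can be argued about and revised.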