This post was guest authored by Nikki Robinson.
Vulnerability management is complex. It is, to be blunt, no fun at all. Especially in large and complicated environments, vulnerability management can feel overwhelming. The sheer volume of vulnerabilities released daily into the National Vulnerability Database (NVD), the scores attached to those vulnerabilities and what they mean, and the multiple scoring methods (Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), etc.) only add to the complexity. As a result, many organizations are buried under numerous vulnerabilities and need more resources to resolve them, or help prioritizing risk so that remediation activities can be focused.
Some of the latest statistics from Redscan in 2021 noted over 50 CVEs (Common Vulnerabilities and Exposures). With any organization using multiple types of Operating Systems (OS), applications and libraries, cloud environments, and so on throughout the tech stack, vulnerabilities add up incredibly quickly. Redscan (2021) found that almost 18,500 vulnerabilities were cataloged in 2021 alone, the highest count of any year to date. With the increased focus on highly exploitable vulnerabilities, most organizations are concentrating on those exploitable vulnerabilities rather than all of them. But Redscan (2021) also noted that 90% of the CVEs found in 2021 were exploitable by attackers with minimal effort.
I introduce the concept of “Vulnerability Cognition,” what it takes to truly understand and act on vulnerabilities. Not to be confused with ‘cognitive vulnerability’ in psychology terminology, Vulnerability Cognition is the deep understanding of security vulnerabilities, including scoring, detection, remediation, and prioritization. This phenomenon is tied to the “Vulnerability Chaining Blindness” concept, where IT and security professionals have difficulty understanding and remediating vulnerabilities.
This new terminology highlights the deeper understanding of vulnerability management that technical professionals must have. Many organizations suffer from ‘vulnerability fatigue,’ the desensitization to vulnerability alerts regardless of whether they are classified as “Critical” or “Low” (Van der Meer, 2022). IT staff, developers, and security professionals are navigating an ever-growing list of vulnerabilities to remediate or resolve, with no end in sight. It can be an incredibly exhausting and frustrating process.
To complicate vulnerability management even further, many vulnerabilities have yet to be classified or to receive a score. Vulnerability management typically covers only the vulnerabilities identified and classified in the NVD. Communicating risk can be challenging from both a technical and a business risk perspective. How can we confidently articulate risk when there are 1,000 Critical vulnerabilities without simply saying we need to remediate them all? And discussing vulnerabilities across multiple types of systems, perhaps across different cloud environments, only complicates those conversations further.
But there’s hope! The first step is awareness of ‘vulnerability fatigue’ and ‘vulnerability cognition.’ Understanding the complexities of vulnerability management can help an organization take a step back and re-evaluate how it wants to run its vulnerability management program, knowing that human error and possible ‘vulnerability fatigue’ might be affecting the program’s efficacy. Another factor to consider is how vulnerability fatigue may affect your teams. Are any developers, IT administrators, or security personnel burnt out, or is retention low in any positions that handle vulnerability management? This could be the first sign that complexity in the vulnerability management program is inhibiting the security program.
A second step would be looking at the security tooling in the environment – how many vulnerability scanners are there? How many different tools report vulnerabilities, risk, and vulnerability scores? This could add to the confusion and fatigue regarding how much information security practitioners view to calculate and understand risk. Think about reducing tooling, or ‘the noise,’ to provide a consolidated and single pane of view to address.
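As an added illustration of the consolidation step above (this is example code written for this post, not a tool or script from the author), the following Python script takes exports from two hypothetical scanners that use different field names, maps them onto one schema, deduplicates findings per host and CVE, and ranks the result by EPSS-style exploitation probability first and CVSS second. The host names, CVE ids, CVSS scores and EPSS values are all constructed for the example; in practice the EPSS column would come from the FIRST EPSS feed and the records from your own scanners. Ranking by CVSS alone and by EPSS-then-CVSS are both shown so the difference between “all the Criticals” and “the ones likely to be exploited” is visible.

```python
"""Consolidate findings from several scanners into one deduplicated, prioritised view.

Added example; the scanner record layouts, host names, CVE ids, CVSS scores and
EPSS values below are constructed for illustration and are not real data.
"""
from typing import Dict, List, Tuple

# Constructed export from a hypothetical "scanner A" (its own field names).
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 5.3},
]

# Constructed export from a hypothetical "scanner B" (different field names,
# two findings overlap with scanner A).
SCANNER_B = [
    {"asset": "web-01", "id": "cve-0000-0001", "score": "9.8"},
    {"asset": "db-01", "id": "CVE-0000-0004", "score": "9.1"},
    {"asset": "db-01", "id": "CVE-0000-0003", "score": "5.3"},
]

# Constructed exploitation probabilities in the 0..1 range that EPSS uses.
EPSS: Dict[str, float] = {
    "CVE-0000-0001": 0.02,
    "CVE-0000-0002": 0.91,
    "CVE-0000-0003": 0.01,
    "CVE-0000-0004": 0.40,
}

# Per-tool mapping from each scanner's field names onto one common schema.
FIELD_MAPS = {
    "scanner_a": {"host": "host", "cve": "cve", "cvss": "cvss"},
    "scanner_b": {"host": "asset", "cve": "id", "cvss": "score"},
}


def normalise(source: str, records: List[dict]) -> List[dict]:
    """Rewrite one scanner's records into the common schema."""
    fmap = FIELD_MAPS[source]
    return [
        {
            "host": rec[fmap["host"]],
            "cve": str(rec[fmap["cve"]]).upper(),   # scanners differ in case
            "cvss": float(rec[fmap["cvss"]]),       # and in numeric vs string scores
            "sources": {source},
        }
        for rec in records
    ]


def consolidate(*batches: List[dict]) -> List[dict]:
    """Merge normalised findings, deduplicating on (host, CVE) and
    recording which tools reported each one."""
    merged: Dict[Tuple[str, str], dict] = {}
    for batch in batches:
        for f in batch:
            key = (f["host"], f["cve"])
            if key in merged:
                merged[key]["sources"] |= f["sources"]
                # Tools sometimes disagree on the score; keep the higher one.
                merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])
            else:
                merged[key] = dict(f, sources=set(f["sources"]))
    return list(merged.values())


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def rank_by_cvss(findings: List[dict]) -> List[dict]:
    """The 'fix every Critical first' ordering."""
    return sorted(findings, key=lambda f: -f["cvss"])


def rank_by_exploitability(findings: List[dict], epss: Dict[str, float]) -> List[dict]:
    """Exploitation likelihood first, CVSS as the tie-breaker; unknown EPSS counts as 0."""
    return sorted(findings, key=lambda f: (-epss.get(f["cve"], 0.0), -f["cvss"]))


def run() -> Tuple[int, int, List[dict]]:
    """Return (raw finding count, unique finding count, exploitability-ranked findings)."""
    batches = [normalise("scanner_a", SCANNER_A), normalise("scanner_b", SCANNER_B)]
    raw = sum(len(b) for b in batches)
    unique = consolidate(*batches)
    return raw, len(unique), rank_by_exploitability(unique, EPSS)


if __name__ == "__main__":
    raw, uniq, ranked = run()
    print(f"{raw} raw findings from 2 tools -> {uniq} unique (host, CVE) pairs")
    for f in ranked:
        print(f"{f['host']:7} {f['cve']}  CVSS {f['cvss']:>4} ({cvss_severity(f['cvss'])})"
              f"  EPSS {EPSS.get(f['cve'], 0.0):.2f}  seen by {sorted(f['sources'])}")
```

On the constructed data the two tools report six findings that collapse to four unique host/CVE pairs, and the exploitability-first ordering puts the 7.5 “High” with a 0.91 EPSS ahead of both 9.x “Criticals”. The `sources` set is worth keeping in a real implementation: a finding reported by only one of several tools is often the first thing to investigate when reconciling scanner disagreements.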
A final component would be to teach communication methods for vulnerability management programs. Effective communication would translate cyber risk into business risk and build upon a risk management program. Awareness, tooling, and communication can all be part of the process to combat vulnerability fatigue and confusion.
Redscan (2021). Redscan analysis of NIST NVD reveals record number of vulnerabilities in 2021. Retrieved from https://www.redscan.com/news/nist-nvd-analysis-2021-record-vulnerabilities/
Van der Meer, Oscar (2022). Industry report: The true costs of false positives in software security. Retrieved from https://mergebase.com/false-positives-software-security/