InfoGuard Cyber Security and Cyber Defence Blog

Vulnerability Management: the 5 Most Common Mistakes to Avoid

Written by Reinhold Zurfluh | 07 Nov 2023
The demands in the field of vulnerability management are constantly increasing. New vulnerabilities are discovered almost daily, and cyber criminals continue to exploit existing, long-known vulnerabilities. The average cost of data breaches is rising year on year. It is therefore not surprising that CISOs and other security managers are eager to improve their measures for remedying vulnerabilities. In this article we show you the five most common mistakes and how you can avoid them.

5 Mistakes That Frequently Hinder Effective Vulnerability Management

In order to keep up with the ever-changing threat landscape, you need to be continuously checking your own infrastructure for vulnerabilities and optimising it. Time and again at InfoGuard we see companies using multiple vulnerability scanners. These generate a wealth of data, forcing security teams to manually aggregate scan data and match it with asset data to identify the most relevant cyber risks to the business. This is not only time-consuming, but also runs the risk of critical vulnerabilities being remedied too late or even not at all.

It is therefore crucial to distinguish between relevant and irrelevant threats. This will help you to set the right priorities and develop an effective strategy to remedy vulnerabilities. In practice, however, we see the same five stumbling blocks time and again that can hinder effective and efficient vulnerability management. 

Mistake 1: Vulnerability Management Is More Than Just Chasing the Latest News

Security breaches or exploits that are sensationalised in the media often cause a big stir. Management can quite legitimately ask questions about the extent to which their own company is prepared for such incidents. Nevertheless, this does not mean that your security team should plan vulnerability management solely on the basis of media coverage. Relying solely on this could cause you to overlook lesser-known vulnerabilities that may be much more relevant to your business. The key point is that your vulnerability remediation efforts should always focus first on vulnerabilities that pose an immediate threat to your own network.

Mistake 2: Fear of Automating Vulnerability Management

In the era of standalone networks and data centres, only large companies were in a position to manually manage vulnerability remediation. Changes within the modern corporate environment, the diversity of software and tools in today’s networks and the shortening of software development cycles have led to an explosion in vulnerabilities. In the last two years alone, over 30,000 new security vulnerabilities have been discovered – too many to manage manually.

Automation is the key to remedying vulnerabilities quickly, consistently and correctly. Automation can also ensure that the same vulnerability remediation solution is applied consistently to all instances across the network and in real time. Automated scripts also ensure that complex multi-level measures are implemented correctly. In a nutshell: automation puts an end to the manual processes of remedying vulnerabilities, which in themselves are cumbersome, inefficient, error-prone and not scalable.

Mistake 3: Isolated Teams Hamper End-To-End Vulnerability Management

The third mistake is failing to resolve the tensions that often arise between the security, operations and development teams, all of whom are involved in remedying vulnerabilities. The security team prioritises security, the operations team is primarily concerned with avoiding downtime, and development works on the principle of “move fast and break things”. Continuous communication can bridge this gap and ensure a robust, end-to-end vulnerability remediation process, including review of the corrections for all vulnerabilities.

The first step is to make sure that remedying vulnerabilities is understood by everyone as a company-wide task and business priority. Second, make sure that everyone speaks a common language. Simply providing a list of CVEs (Common Vulnerabilities and Exposures) is not enough.

In addition, you should use quantitative benchmark metrics that are tailored to the specific needs and processes of your organisation. This means that you should establish mechanisms to measure and track the progress of eliminating vulnerabilities. Choosing the right benchmark metrics is critical and ensures that your teams focus on the right key indicators.

Mistake 4: Too Many Blind Spots Make Effective Vulnerability Management Impossible

A complete list of all resources on your network and an understanding of their dependencies and access capabilities are essential elements for effectively remedying vulnerabilities. This may seem simple at first glance, but in reality creating a comprehensive inventory within distributed and complex architectures is more complicated than one might think. Efficient asset management enables the implementation of a smarter vulnerability management process and helps overcome common vulnerability issues.

Mistake 5: Wrong Priorities in Vulnerability Remediation Can Put Your Business at Risk

Finally, vulnerabilities are often remediated in the wrong order. Given the multitude of vulnerabilities that exist, you need a prioritisation methodology that enables you to focus on the essential vulnerabilities – always in relation to your business. Many companies use CVSS (Common Vulnerability Scoring System) ratings as a basis for this. These ratings range from 0 to 10, with values between 9 and 10 being classified as “critical”. It is not surprising that many companies adopt the philosophy of remedying all vulnerabilities classified as “critical” first and only then taking care of other vulnerabilities – if they have the time and resources to do so. This may seem sensible at first glance, but in practice it is not the best approach.

Organisations today need to take a risk-based approach and focus on vulnerabilities that pose the greatest and most immediate threat to their network. When prioritising vulnerabilities, it is crucial to remember that the CVSS score or similar metrics refer to technical risks without actual context, whereas each network is in fact unique. The impact of a vulnerability can be different in different environments. Therefore, the threat posed by these vulnerabilities must also be assessed individually. A contextual approach takes into account not only the technical severity of the vulnerability, but also the different functions of the assets, their configurations, security exposure and external threats that may increase the risk.

For example, a vulnerability that is classified as “medium” but is actively exploited in practice may be more dangerous than a “critical” vulnerability for which no known exploits exist. It is not uncommon for cyber criminals to target a lower-rated vulnerability with a known exploit, knowing that critical vulnerabilities are usually fixed first.
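The following Python script is an added example written for this article; it is not code from InfoGuard or from the Vulcan Cyber platform mentioned below. It ties together three of the points above: it merges the output of two scanners into one deduplicated list (the manual aggregation problem from the introduction), joins each finding with an asset inventory and flags hosts that are missing from it (the blind spots of Mistake 4), and ranks the result by a contextual risk score rather than by bare CVSS (Mistake 5). The asset inventory, scanner findings, exploitation feed and weighting factors are all constructed for illustration, and the CVE identifiers use the impossible year 0000 so they cannot be mistaken for real ones; the CVSS severity bands are the standard CVSS v3 qualitative ratings.

```python
"""Context-aware vulnerability prioritisation (added example, not InfoGuard's
or Vulcan Cyber's code). Inventory, scanner output, exploitation feed and the
weighting factors are constructed; CVE ids use year 0000 and are placeholders.
"""
from __future__ import annotations

# Constructed asset inventory: the context a bare CVSS score lacks.
# criticality: 1 = low business impact ... 3 = crown jewels (assumed scale).
ASSETS: dict[str, dict] = {
    "web-01": {"role": "customer portal", "internet_facing": True, "criticality": 3},
    "db-01": {"role": "customer database", "internet_facing": False, "criticality": 3},
    "dev-42": {"role": "developer VM", "internet_facing": False, "criticality": 1},
}

# Constructed output of two scanners whose coverage partially overlaps.
SCANNER_A = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 5.3},
    {"asset": "db-01", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"asset": "dev-42", "cve": "CVE-0000-0002", "cvss": 9.8},
]
SCANNER_B = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 5.3},  # same finding as scanner A
    {"asset": "web-01", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"asset": "host-unknown", "cve": "CVE-0000-0004", "cvss": 9.1},  # not in inventory
]

# Constructed threat-intelligence feed: CVEs with exploitation observed in the wild.
ACTIVELY_EXPLOITED: set[str] = {"CVE-0000-0001"}

# Weighting factors are assumptions for this example, not a published standard.
CRITICALITY_FACTOR = {1: 0.5, 2: 0.8, 3: 1.0}
INTERNET_FACING_BONUS = 1.5
EXPLOITED_MULTIPLIER = 2.0


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def merge_findings(*sources: list[dict]) -> list[dict]:
    """Aggregate several scanners' output, collapsing duplicate (asset, CVE)
    pairs and keeping the highest reported CVSS score for each pair."""
    merged: dict[tuple[str, str], dict] = {}
    for source in sources:
        for f in source:
            key = (f["asset"], f["cve"])
            if key not in merged or f["cvss"] > merged[key]["cvss"]:
                merged[key] = dict(f)
    return list(merged.values())


def contextual_risk(finding: dict, assets: dict, exploited: set[str]) -> float | None:
    """Combine technical severity with asset context and threat intelligence.
    Returns None when the asset is not in the inventory (a blind spot)."""
    asset = assets.get(finding["asset"])
    if asset is None:
        return None
    risk = finding["cvss"] * CRITICALITY_FACTOR[asset["criticality"]]
    if asset["internet_facing"]:
        risk += INTERNET_FACING_BONUS
    if finding["cve"] in exploited:
        risk *= EXPLOITED_MULTIPLIER
    return round(risk, 1)


def prioritise(findings: list[dict], assets: dict,
               exploited: set[str]) -> tuple[list[dict], list[dict]]:
    """Return (ranked findings, blind spots). Ranked entries carry the CVSS
    band and the contextual risk, ordered so the most urgent fix comes first."""
    ranked: list[dict] = []
    blind_spots: list[dict] = []
    for f in findings:
        risk = contextual_risk(f, assets, exploited)
        if risk is None:
            blind_spots.append(f)
            continue
        ranked.append({**f, "band": cvss_band(f["cvss"]), "risk": risk,
                       "exploited": f["cve"] in exploited})
    ranked.sort(key=lambda r: (-r["risk"], -r["cvss"], r["asset"], r["cve"]))
    return ranked, blind_spots


if __name__ == "__main__":
    ranked, blind = prioritise(merge_findings(SCANNER_A, SCANNER_B),
                               ASSETS, ACTIVELY_EXPLOITED)
    for r in ranked:
        note = "  exploited in the wild" if r["exploited"] else ""
        print(f"{r['risk']:5.1f}  {r['asset']:12} {r['cve']}  cvss={r['cvss']} ({r['band']}){note}")
    for b in blind:
        print(f"   ??  {b['asset']:12} {b['cve']}  not in asset inventory, triage manually")
```

Run as written, the actively exploited “medium” finding on the internet-facing portal lands at the top of the list, above the “critical” finding on the internal database, while the same critical CVE on a low-value developer VM drops to the bottom; the host that no inventory entry matches is reported separately rather than silently scored, because an unscored finding on an unknown asset is exactly the blind spot the article warns about.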

Intelligent, Efficient and Automated Vulnerability Management With Vulcan Cyber

The mistakes in vulnerability management described above can have disastrous consequences – do not let it get that far! We are aware that not all questions can be answered and uncertainties eliminated in an article like this. Nevertheless, we are absolutely convinced that vulnerability management is essential today and that many companies still have room for improvement. This is precisely why our partner Vulcan Cyber has developed a platform that addresses the challenges of risk and vulnerability management intelligently and efficiently.

A central dashboard gives you a comprehensive overview of your cyber security situation, enabling you to automate and orchestrate vulnerability remediation across teams and tools. Interested? Learn more about Vulcan Cyber on our website.