What Comes First? Prioritising Patches

The number of new vulnerabilities—Common Vulnerabilities and Exposures (CVE)—is continually increasing. Even IT professionals find it challenging to prioritise these vulnerabilities.

According to FIRST, the Common Vulnerability Scoring System (CVSS) provides a method for identifying the most important characteristics of a vulnerability. It offers a numerical rating of vulnerability severity, ranging from 0.0 to 10.0. This system is not only widely used for prioritisation but is also mandated in some industries and government agencies, including the Payment Card Industry (PCI).

The scale for classifying vulnerability severity is as follows:

  • None: 0.0
  • Low: 0.1 – 3.9
  • Medium: 4.0 – 6.9
  • High: 7.0 – 8.9
  • Critical: 9.0 – 10.0

The crux of the matter is that CVSS can classify the severity of a vulnerability, but it cannot predict which CVEs threat actors will exploit in the future, nor when they will do so. Prioritising patches solely on CVSS scores is therefore not necessarily the most effective approach. For example, Howlands’ research, based on a sample of over 28,000 CVEs, shows that vulnerabilities with a CVSS score of 7 are the most likely to be weaponised.

Vulnerabilities with a score of 5 are more likely to be exploited than those with a score of 6, and vulnerabilities with a score of 10 (critical vulnerabilities) are less likely to be exploited than those with a score of 9 or 8. There does not appear to be a clear correlation between the CVSS score and the likelihood of exploitation.

Alternative Prioritisation with EPSS

Another method for prioritising patches is the Exploit Prediction Scoring System (EPSS). In contrast to CVSS, which assesses the severity of a vulnerability, EPSS estimates the probability that a specific vulnerability will be exploited. However, as Sophos X-Ops specialists point out, EPSS does not measure the likelihood of a particular company being targeted, the impact of a successful attack, or whether a vulnerability has already been taken up into the toolkit of a threat actor, such as a worm or a ransomware gang.

In addition to CVSS and EPSS, there are other prioritisation options, such as SSVC and the KEV Catalogue. It is not surprising that there is no perfect solution or combination of prioritisation methods that addresses all prioritisation challenges. However, a combination of prioritisation options is almost always more effective than relying on a single system. Prioritisation also extends beyond the use of appropriate tools. Vulnerability management and prioritisation decisions should ideally be based on a variety of sources, including threat data, vulnerabilities, security posture, controls, risk assessments, penetration test results, or security audits.
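To make the difference between single-signal and combined prioritisation concrete, here is an added example (not code from the article or from Sophos) that ranks a constructed batch of vulnerabilities two ways: by CVSS score alone, and by a combined key that puts KEV-listed entries first, then orders by EPSS probability, and uses CVSS only as a tie-breaker. The CVE identifiers, scores and KEV flags are placeholders, and the chosen ordering of the three signals is an assumption, not a recommendation from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve_id: str   # placeholder identifier, not a real CVE
    cvss: float   # CVSS base score, 0.0 - 10.0
    epss: float   # EPSS probability of exploitation, 0.0 - 1.0
    in_kev: bool  # listed in the KEV catalogue?


def cvss_band(score: float) -> str:
    """Map a CVSS base score to the severity bands quoted in the article."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def priority_key(v: Vuln) -> tuple:
    """Assumed combined ordering: known-exploited first, then by exploitation
    probability, then by severity. CVSS alone is only the tie-breaker."""
    return (not v.in_kev, -v.epss, -v.cvss)


def rank_by_cvss(vulns: list[Vuln]) -> list[str]:
    """Severity-only ranking, highest CVSS first."""
    return [v.cve_id for v in sorted(vulns, key=lambda v: -v.cvss)]


def rank_combined(vulns: list[Vuln]) -> list[str]:
    """Ranking that combines KEV, EPSS and CVSS."""
    return [v.cve_id for v in sorted(vulns, key=priority_key)]


# Constructed sample batch; values are illustrative only.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False),  # Critical on paper, rarely exploited
    Vuln("CVE-0000-0002", 7.5, 0.91, True),   # High, known exploited, high EPSS
    Vuln("CVE-0000-0003", 5.3, 0.45, False),  # Medium, but notable EPSS
    Vuln("CVE-0000-0004", 8.1, 0.03, False),
    Vuln("CVE-0000-0005", 6.1, 0.01, False),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.cve_id, cvss_band(v.cvss), v.epss, v.in_kev)
    print("CVSS only :", rank_by_cvss(SAMPLE))
    print("Combined  :", rank_combined(SAMPLE))
```

With the sample batch, CVSS alone would have you patch the 9.8 first, while the combined key moves the KEV-listed 7.5 to the top and the Medium-rated but frequently exploited 5.3 ahead of two High-rated entries.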

Security experts from Sophos provide details of vulnerability and patch prioritisation options in two reports (Reports I and II).