Scanning a network often produces a deluge of data, sometimes thousands of vulnerabilities across many systems and applications. So how should an organization segment, analyze, and address them all?
Here are a few steps that can help.
- Determine which is the worst vulnerability.
  - What type of damage can each one cause?
  - For example, malware found in a network is more severe than not being able to access an application.
- Determine how sensitive the information behind the vulnerability is.
  - For example, exposed personal information is more critical than publicly available information that an organization is comfortable sharing.
  - Apply a sensitivity rating, with 5 being the highest, to help organize the risks.
- Evaluate existing controls.
  - Determine which areas have the strongest controls. Highly sensitive information will have the highest level of security.
  - Moderate controls will be employed for less sensitive information.
  - Rank these with a rating of 5 for the most strongly controlled areas.
Bringing it all together
With the above information and rankings in place, start assessing the vulnerabilities in your reports. The tech guide on ranking vulnerabilities recommends this formula: Risk score = vulnerability severity x data sensitivity / existing controls. If a 5-point scale is used for each measure, the formula produces a ranking of the vulnerabilities, with stronger controls lowering the score and higher severity or sensitivity raising it. This process can be automated, and the results help an organization put a program in place to assess, analyze, and remediate vulnerabilities.
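As an added illustration of automating the ranking (example code, not from the tech guide or the original article), the script below applies the formula on a 1-to-5 scale to a constructed set of findings and sorts them by risk score; the hosts, titles and ratings are invented for the example.

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the page's 5-point scale; a floor of 1 keeps the divisor non-zero


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int      # 5 = worst damage the vulnerability can cause
    sensitivity: int   # 5 = most sensitive information behind it
    controls: int      # 5 = strongest existing controls around it


def _check_scale(name: str, value: int) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")


def risk_score(f: Finding) -> float:
    """Risk score = severity x sensitivity / existing controls (the page's formula)."""
    for name in ("severity", "sensitivity", "controls"):
        _check_scale(name, getattr(f, name))
    return f.severity * f.sensitivity / f.controls


def rank_findings(findings):
    """Return the findings ordered from highest risk score to lowest."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings, modelled on the page's two illustrations (hypothetical hosts).
SAMPLE = [
    Finding("app-01", "Login page intermittently unavailable", severity=2, sensitivity=1, controls=3),
    Finding("db-02", "Customer PII database reachable from guest VLAN", severity=4, sensitivity=5, controls=2),
    Finding("ws-17", "Malware detected on finance workstation", severity=5, sensitivity=4, controls=1),
    Finding("web-03", "Public brochure site missing security headers", severity=2, sensitivity=1, controls=4),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE):
        print(f"{risk_score(f):5.2f}  {f.host:7} {f.title}")
```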