Vulnerability Management Fatigue

CVEDetails says that there is currently over 14,000 vulnerabilities that have a CVE score of 9.0 or higher. The average CVE score is a 6.6, and the total number of CVE’s is over 103,000. You are responsible for every single one of them. If you’re a small shop, that is in addition to your monitoring load, your incident response load, your asset management load, your policies and procedures load, your documentation load, your event investigation load, your… You get it. The never ending load of infosec.

I look at vulnerability fatigue as being the failure to appreciate each new vulnerability with the respect you gave your first real understood vulnerability. I remember the first time I used a vulnerability scanner and thought every vulnerability was a true-positive, and was just as critical as the scanner scored it. It took a long time to start to realize that the scanners can be wrong, or the asset may not be critical enough to warrant remediation efforts.

Once I had more experience dealing with vulnerability scanners, I understood that nearly each vulnerability required some investigation. Which is exhausting.

The scanner vendors generally provide some solid guidance with their own rating systems, including the CVE scores from above. Many compliance guidelines are set up to use these guidelines. Which means that some organizations don’t have a real option about patching.

PCI 6.2: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”

The fatigue part comes in when you have a new vulnerability and it becomes easier to consider accepting the risk, dismissing the risk, or just immediately passing it on as a ticket to the data owner without doing the proper investigations. Which means you just pass the work along to your teammate.

There isn’t some secret to this problem though. It really is part of the drudging day in, day out of vulnerability management. It’s difficult, but at the same time, rewarding. Imagine if MS17-010 had been properly anticipated and patched across networks around the world? Wannacry would never have happened. Ukraine is currently under constant malicious attack by Russia. Hospitals are getting brought down by preventable ransomware.

Vulnerability management literally saves lives today.