Limiting the Impact of Security Incidents
After reducing the impact of malware, the organisation is advised to limit the impact of any inevitable security incidents. This category of strategy is intended to minimise the impact of a security incident once it has occurred. The Essential Eight Strategies included in this category are:
- Patch Operating Systems
- Restrict Administrative Privileges
- Multi-Factor Authentication
When determining which operating systems require patches, an organisation can follow the same steps described in the previous section. This section expands on how an organisation can prioritise which assets should be patched first.
There are two main vulnerability categorisation methods Tenable provides which will assist in an organisation’s prioritisation of patching efforts. An organisation can leverage the Tenable Asset Criticality Rating (ACR), which rates the criticality of an asset to the organisation. The ACR is expressed as an integer from 1 to 10, where higher values correspond to the asset being more critical to the business.
The Vulnerabilities by ACR widget enables organisations to view risks that are currently open, along with those that have been patched. The information is ranked by ACR score to demonstrate progress of risk remediation efforts, with the most critical assets at the top of the table along with a count of open and patched vulnerabilities. A large count of open vulnerabilities on critical assets indicates that the organisation presents a higher risk of a data breach. A high count of patched vulnerabilities demonstrates that the organisation is addressing cyber risk promptly, and has a mature vulnerability management program.
To view the ACR key driver information for any asset, navigate to the Assets page and select an asset to view its details. In the lower left corner of the asset details page, reference the Asset Criticality Rating information and click More.
Tenable assigns an ACR to each asset on the network to represent the relative criticality of the asset as an integer from 1 to 10. A higher ACR indicates higher criticality. Tenable One customers have the ability to adjust the default Tenable ACR to more accurately reflect organisational risk. Please refer to the Edit an ACR Manually page for more information.
The other categorisation method is the Vulnerability Priority Rating (VPR). VPR is a unique vulnerability severity rating in that the rating can change over time. Tenable updates a vulnerability's VPR score daily to reflect the current threat landscape. VPR values range from 0.1 to 10, with higher values representing a higher likelihood of exploitation.
VPR severity ratings cannot be edited or customised. VPR scores are derived from seven key drivers:
- Age of Vulnerability - The number of days since the National Vulnerability Database (NVD) published the vulnerability.
- CVSSv3 Impact Score - The NVD-provided CVSSv3 impact score for the vulnerability. If the NVD did not provide a score, Tenable Vulnerability Management displays a Tenable-predicted score.
- Exploit Code Maturity - The relative maturity of a possible exploit for the vulnerability based on the existence, sophistication, and prevalence of exploit intelligence from internal and external sources (e.g., Reversinglabs, Exploit-db, Metasploit, etc.). The possible values (High, Functional, PoC, or Unproven) parallel the CVSS Exploit Code Maturity categories.
- Product Coverage - The relative number of unique products affected by the vulnerability: Low, Medium, High, or Very High.
- Threat Sources - A list of all sources (e.g., social media channels, the dark web, etc.) where threat events related to this vulnerability occurred. If the system did not observe a related threat event in the past 28 days, the system displays No recorded events.
- Threat Intensity - The relative intensity based on the number and frequency of recently observed threat events related to this vulnerability: Very Low, Low, Medium, High, or Very High.
- Threat Recency - The number of days (0-180) since a threat event occurred for the vulnerability.
An organisation can use VPR in conjunction with ACR to establish a sense of priority when deciding what to patch first. An asset with a higher criticality rating should be prioritised over one with a lower rating, since the lower-rated asset is considered a lower business risk. Using the Asset Count by ACR (Explore) widget allows an analyst to quickly get a count of assets grouped by their ACR.
When drilling into any of the bars in this widget, the user is navigated to the Assets page with the query set to whichever ACR value bar was selected.
From this page, the user can drill into any asset that matches the query and look at their associated vulnerabilities by also selecting See All Details.
The user is then shown all vulnerabilities associated with the selected asset. The next step the user can do is sort the vulnerabilities by VPR in descending order to see the vulnerabilities with the highest VPRs.
For the organisation to satisfy specific maturity levels for the Patch Applications Strategy, the following ISM controls will be used. For example, if an organisation is trying to verify a control like ISM-1904 or ISM-1905, the queries could make use of filters like “Exploitability Ease” and/or “Patch Published”. The “Exploitability Ease” filter can be set to equal “Exploit Exists”, which will show any present exploitable vulnerabilities. Paired with the “Patch Published” filter, the organisation can verify some of the requirements for the date by which patches need to be installed.
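The ACR-then-VPR ordering described above, and the “Exploit Exists” plus “Patch Published” check, as an added worked example in Python. This is not Tenable's code or API; the asset and vulnerability records are constructed inline with field names modelled on the text (acr, vpr, exploitability_ease, patch_published), and the patch deadline is a parameter rather than an ISM-mandated value.

```python
"""Prioritise patching with ACR and VPR, and flag overdue exploitable findings.

Added illustration. The records below are constructed, not exported from
Tenable, and the field names are assumptions modelled on the page's text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Vulnerability:
    plugin_name: str
    vpr: float                         # 0.1-10, updated daily by Tenable
    exploitability_ease: str           # e.g. "Exploit Exists"
    patch_published: Optional[date]    # None if no patch is available yet


@dataclass
class Asset:
    name: str
    acr: int                           # 1-10, higher = more critical
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def prioritised_findings(assets):
    """(asset, vuln) pairs ordered by ACR descending, then VPR descending.

    Mirrors the workflow in the text: start with the most critical assets,
    then within each asset look at the highest-VPR vulnerabilities first.
    """
    pairs = [(a, v) for a in assets for v in a.vulnerabilities]
    return sorted(pairs, key=lambda p: (p[0].acr, p[1].vpr), reverse=True)


def overdue_exploitable(assets, today, max_age_days):
    """Findings where an exploit exists and the patch has been published
    for longer than max_age_days (the deadline is an assumed parameter;
    the actual ISM timeframes are not reproduced here)."""
    overdue = []
    for asset, vuln in prioritised_findings(assets):
        if vuln.exploitability_ease != "Exploit Exists":
            continue
        if vuln.patch_published is None:       # nothing to install yet
            continue
        if (today - vuln.patch_published).days > max_age_days:
            overdue.append((asset.name, vuln.plugin_name))
    return overdue


def asset_count_by_acr(assets):
    """Count assets per ACR value, like the Asset Count by ACR widget."""
    counts = {}
    for a in assets:
        counts[a.acr] = counts.get(a.acr, 0) + 1
    return dict(sorted(counts.items(), reverse=True))


# Constructed sample data (hypothetical hosts and plugin names)
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("db-prod-01", acr=9, vulnerabilities=[
        Vulnerability("Kernel update", 7.4, "Exploit Exists", TODAY - timedelta(days=10)),
        Vulnerability("Service config", 3.2, "No Known Exploits", TODAY - timedelta(days=40)),
    ]),
    Asset("web-prod-02", acr=8, vulnerabilities=[
        Vulnerability("OpenSSL update", 9.1, "Exploit Exists", TODAY - timedelta(days=1)),
    ]),
    Asset("test-vm-07", acr=3, vulnerabilities=[
        Vulnerability("Browser update", 9.8, "Exploit Exists", TODAY - timedelta(days=60)),
        Vulnerability("Unpatched lib", 5.0, "Exploit Exists", None),
    ]),
]

if __name__ == "__main__":
    for asset, vuln in prioritised_findings(SAMPLE_ASSETS):
        print(f"ACR {asset.acr:>2}  VPR {vuln.vpr:>4}  {asset.name}: {vuln.plugin_name}")
    print("Overdue exploitable:", overdue_exploitable(SAMPLE_ASSETS, TODAY, 14))
    print("Assets by ACR:", asset_count_by_acr(SAMPLE_ASSETS))
```

Note the deliberate contrast in the sample data: the low-ACR test VM carries the highest-VPR finding and sits at the bottom of the ACR-first ordering, yet it is the only finding the deadline check reports as overdue. Running both views side by side is what keeps a low-criticality but long-unpatched, exploitable host from being overlooked.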
Another aspect that should be considered when limiting the impact of cyber security incidents is that the organisation is advised to Restrict Administrative Privileges. Leveraging Tenable Security Center, Tenable Vulnerability Management, and Tenable Identity Exposure solutions enables organisations to close attack paths, making the organisation a more difficult target to attack.