Risk-Based Vulnerability Management

How to Manage Vulnerabilities Discovered on Company Assets?

Let’s consider an example: CVE-2024-0012 – PAN-OS Authentication Bypass in the Management Web Interface.

NIST Description:

“An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. This allows them to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-947.”

Pretty scary, right? An attacker could gain full management access to a company’s firewall without authentication. So, it’s no surprise that the CVSS score is 9.3 (Critical severity). The obvious reaction would be to install the patch immediately, with the fastest possible patching schedule.

But should you really?

The Problem with CVSS Scores

The Common Vulnerability Scoring System (CVSS) doesn’t consider a company’s unique IT environment. Every organization’s infrastructure is different, and patching isn’t always straightforward.

  • Installing a patch often requires downtime, which can disrupt business operations.
  • There’s also a reliability risk – patching may cause unexpected system issues.

The Risk-Based Approach

Instead of blindly following CVSS scores, a risk-based vulnerability management approach considers the severity of the vulnerability within the context of the specific business. I’ve developed a simple formula that helps assess risk more effectively.

VRS – Vulnerability Risk Score (0 – 10)

To assess vulnerabilities effectively, we use the Vulnerability Risk Score (VRS), which considers both the likelihood of exploitation and the potential impact on a specific organization.

Key Factors:

  • CVSS – Common Vulnerability Scoring System Score (0 – 10)
  • EEL – Estimated Exploitation Likelihood (0 – 10)
  • EI – Estimated Impact (specific to the organization, in my case 0 – 10)
  • MAX EI – Maximum Impact Score (10 in my case)

Calculating VRS for CVE-2024-0012

Step 1: Get the CVSS Score

The CVSS score for CVE-2024-0012 is 9.3 (Critical).

Step 2: Estimate Exploitation Likelihood (EEL)

This requires considering the company’s specific setup.

For example, if the Management Interface is placed in a dedicated VLAN and only accessible through a Jump Box, this reduces the likelihood of exploitation. Based on this setup, I estimate:

EEL = 3

Step 3: Estimate Impact (EI)

Impact should also be assessed based on the organization’s risk register.

For example, a risk record related to firewall compromise might already exist. If this record assigns an impact value of 9, we use that.

EI = 9

Step 4: Calculate the Vulnerability Risk Score (VRS)

Now, let’s calculate the VRS using these values:

To estimate severity, I’m using the CVSS v3 qualitative severity rating scale:

Rating      Vulnerability Risk Score
None        0.0
Low         0.1 – 3.9
Medium      4.0 – 6.9
High        7.0 – 8.9
Critical    9.0 – 10.0

As you can see, the severity dropped from Critical to Medium after considering the company’s specific environment. This means the patch can typically be applied within 30 days instead of immediately.
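The steps above, worked as an added Python example that is not part of the original post. The page does not print its VRS formula, so the combining function below (`assumed_weighting`, scaling CVSS by the mean of the two normalised organisation-specific factors) is my assumption and not the author's method; it is there only so the page's inputs (CVSS 9.3, EEL 3, EI 9, MAX EI 10) can be pushed through the rating scale end to end, and it lands in the Medium band the page reports. The rating bands are the ones printed on the page. Of the patch windows, only "Critical: immediately" and "Medium: 30 days" come from the page; the others are labelled placeholders for an organisation's own policy.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Qualitative severity bands exactly as printed on the page (CVSS v3 scale reused for VRS).
RATING_BANDS: List[Tuple[str, float, float]] = [
    ("None", 0.0, 0.0),
    ("Low", 0.1, 3.9),
    ("Medium", 4.0, 6.9),
    ("High", 7.0, 8.9),
    ("Critical", 9.0, 10.0),
]

# Patch windows in days. Only Critical (immediately) and Medium (30 days) are stated on the
# page; High and Low are PLACEHOLDER values to be replaced by the organisation's own policy.
PATCH_WINDOW_DAYS: Dict[str, Optional[int]] = {
    "Critical": 0,
    "High": 7,      # placeholder
    "Medium": 30,
    "Low": 90,      # placeholder
    "None": None,   # nothing to patch on a risk basis
}


def qualitative_rating(score: float) -> str:
    """Map a 0-10 score to its qualitative band. Scores are rounded to one decimal first,
    because the bands are defined with one-decimal edges (3.9 / 4.0, 6.9 / 7.0, ...)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range 0-10: {score}")
    rounded = round(score, 1)
    for name, low, high in RATING_BANDS:
        if low <= rounded <= high:
            return name
    raise AssertionError("rating bands must cover the whole 0-10 range")


def _check_factor(name: str, value: float, upper: float = 10.0) -> None:
    """Reject inputs outside the factor's declared range so a typo cannot silently
    produce an out-of-scale VRS."""
    if not 0.0 <= value <= upper:
        raise ValueError(f"{name} must be within 0-{upper}, got {value}")


def assumed_weighting(cvss: float, eel: float, ei: float, max_ei: float) -> float:
    """ASSUMPTION, not the page's formula: scale the CVSS base score by the mean of the
    exploitation-likelihood factor (normalised to 0-1) and the impact factor
    (normalised against the organisation's MAX EI)."""
    return cvss * ((eel / 10.0) + (ei / max_ei)) / 2.0


def vulnerability_risk_score(
    cvss: float,
    eel: float,
    ei: float,
    max_ei: float = 10.0,
    combine: Callable[[float, float, float, float], float] = assumed_weighting,
) -> float:
    """Validate the four factors, combine them with the supplied function and clamp the
    result to the 0-10 VRS range."""
    if max_ei <= 0:
        raise ValueError("MAX EI must be positive")
    _check_factor("CVSS", cvss)
    _check_factor("EEL", eel)
    _check_factor("EI", ei, upper=max_ei)
    return min(10.0, max(0.0, combine(cvss, eel, ei, max_ei)))


def assess(cvss: float, eel: float, ei: float, max_ei: float = 10.0) -> Dict[str, object]:
    """Return the contextual score next to the raw CVSS rating so the downgrade (or the
    absence of one) is visible in the same record that drives the patch window."""
    vrs = vulnerability_risk_score(cvss, eel, ei, max_ei)
    rating = qualitative_rating(vrs)
    return {
        "cvss": cvss,
        "cvss_rating": qualitative_rating(cvss),
        "vrs": round(vrs, 2),
        "vrs_rating": rating,
        "patch_window_days": PATCH_WINDOW_DAYS[rating],
    }


if __name__ == "__main__":
    # Walkthrough values from the page: management interface reachable only through a
    # jump box in a dedicated VLAN (EEL 3), risk-register impact for firewall compromise (EI 9).
    print(assess(cvss=9.3, eel=3, ei=9))
    # Same CVE with the management interface fully exposed and maximum impact: no downgrade.
    print(assess(cvss=9.3, eel=10, ei=10))
```

Keeping the combining function as a parameter is deliberate: the rating scale, range checks and patch-window mapping stay stable while an organisation swaps in its own weighting, and the `cvss_rating` field next to `vrs_rating` keeps an audit trail of how far a score was downgraded and why.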

Summary: Advantages of Risk-Based Vulnerability Management

  • Prioritization – Focuses on the most dangerous risks instead of trying to fix everything at once.
  • Efficiency – Saves time and effort by addressing the biggest threats first.
  • Better Security – Reduces the risk of cyberattacks by fixing the most critical weaknesses.
  • Cost Savings – Prevents wasting money on low-risk issues.
  • Less Disruption – Avoids unnecessary updates that could slow down systems or cause downtime.
  • Data-Driven Decisions – Uses real company data to decide which problems to fix first.
  • Improved Compliance – Helps meet security regulations and industry standards.
  • Proactive Approach – Identifies and mitigates threats before they become major problems.