Column: Back to Basics in Vulnerability Management — Starting with "Asset Inventory" and "Proper Prioritization"
In daily system operations, many IT administrators likely find themselves overwhelmed by the endless stream of newly announced vulnerabilities. In this column, we will outline effective ways to protect your systems within the constraints of limited resources.
Knowing Your Information Assets Before Tackling Vulnerabilities
It is not uncommon for an organization to panic when a major vulnerability is disclosed, asking, "Are we safe?" In these moments, the critical question is whether you accurately know what systems exist under your management, and what OS or software they are running, down to the specific version. If there are unmanaged servers or past systems that were left abandoned, they become direct entry points for attackers. As the first step in vulnerability management, it is essential to diligently clarify your information assets so you can swiftly determine whether your systems are affected when a new threat emerges.
Establishing Your Own Criteria for Vulnerability Response
Once you have a clear grasp of your information assets, the next step is to scrutinize the disclosed vulnerabilities. While addressing every single vulnerability immediately is ideal—and enabling automatic updates where available is highly advisable—doing so across the board is often unrealistic due to human and financial resource constraints. This is where "triage"—the concept of prioritizing responses—becomes crucial.
The Common Vulnerability Scoring System (CVSS) is widely used to measure the severity of vulnerabilities, rating them on a scale from 0.0 to 10.0. Organizations can prioritize their responses based on both the score's magnitude and the underlying metrics. For instance, a Remote Code Execution (RCE) vulnerability must be addressed with the highest priority because it could allow an attacker to breach the system from an external network. By contrast, a Local Privilege Escalation vulnerability requires the attacker to have already gained access to the system; therefore, outside of environments where local user accounts could be exploited, its priority can be lowered slightly. Establishing these prioritization criteria within your organization ahead of time enables rapid decision-making when a new vulnerability is disclosed.
Furthermore, the fact that a vulnerability has been disclosed does not mean a cyberattack exploiting it will happen immediately. To navigate this, the Known Exploited Vulnerabilities (KEV) catalog, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as an excellent reference. The KEV is a catalog of vulnerabilities that have been actively exploited in the wild and have known remediations. In short, being exposed to a KEV vulnerability means your organization could fall victim at any moment, making immediate action imperative. CISA has issued BOD 26-04 as a prioritization standard based on metrics like KEV, so please consider referencing this as well.
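The following script is an added illustration of the three steps described above (asset inventory, CVSS-based criteria, KEV check); it is not code from the column or from CISA. It matches disclosed vulnerabilities against a small constructed inventory, drops anything that does not affect a managed system, and then ranks what remains: KEV entries first, then network-reachable issues (CVSS attack vector AV:N, the RCE-style cases), then local issues (AV:L) at a slightly lowered tier, with the CVSS base score deciding order within a tier. The product names, hosts, version numbers and the "DEMO-" identifiers are placeholders invented for the example.

```python
"""Asset-aware vulnerability triage: inventory match, then KEV / CVSS ranking.
All inventory, vulnerability and KEV data below is constructed for this
example; the DEMO-nnnn identifiers are placeholders, not real CVE numbers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    owner: str


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # placeholder identifier (not a real CVE)
    product: str
    fixed_in: str      # first version that is no longer affected
    cvss_score: float  # CVSS v3.1 base score, 0.0 to 10.0
    cvss_vector: str   # CVSS v3.1 vector string


def parse_cvss_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.split("/")[1:]:      # skip the 'CVSS:3.1' prefix
        key, _, value = part.partition(":")
        metrics[key] = value
    return metrics


def version_key(version):
    """Dotted numeric version -> tuple so that '2.4.10' > '2.4.9'."""
    return tuple(int(x) for x in version.split("."))


def affected_assets(vuln, inventory):
    """Step 1: which managed systems run a vulnerable version?"""
    return [a for a in inventory
            if a.product == vuln.product
            and version_key(a.version) < version_key(vuln.fixed_in)]


def priority(vuln, kev):
    """Step 2 and 3: sort key, lower sorts first.
    Tier 0: listed in KEV (exploited in the wild) -> act immediately.
    Tier 1: AV:N, reachable from the network (RCE-style) -> highest CVSS tier.
    Tier 2: AV:L/A/P, attacker needs prior access -> lowered slightly.
    Within a tier, the higher CVSS base score comes first."""
    metrics = parse_cvss_vector(vuln.cvss_vector)
    if vuln.vuln_id in kev:
        tier = 0
    elif metrics.get("AV") == "N":
        tier = 1
    else:
        tier = 2
    return (tier, -vuln.cvss_score)


def triage(vulns, inventory, kev):
    """Return (vuln, affected assets) pairs for exposed systems only, ranked."""
    exposed = [(v, affected_assets(v, inventory)) for v in vulns]
    exposed = [(v, hits) for v, hits in exposed if hits]
    exposed.sort(key=lambda pair: priority(pair[0], kev))
    return exposed


# Constructed sample data: note the abandoned server with no clear owner.
INVENTORY = [
    Asset("web-01", "ExampleHTTPd", "2.4.1", "web-team"),
    Asset("db-01", "ExampleDB", "13.2", "data-team"),
    Asset("legacy-01", "ExampleHTTPd", "2.2.9", "unknown"),
]

VULNS = [
    # network-reachable RCE-style issue
    Vuln("DEMO-0001", "ExampleHTTPd", "2.4.5", 9.8,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    # local privilege escalation
    Vuln("DEMO-0002", "ExampleDB", "13.4", 7.8,
         "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    # lower score, but listed in the constructed KEV set below
    Vuln("DEMO-0003", "ExampleDB", "13.3", 7.5,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    # critical, but no managed asset runs this product
    Vuln("DEMO-0004", "ExampleMail", "1.0", 10.0,
         "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
]

KEV = {"DEMO-0003"}   # constructed stand-in for the CISA KEV catalog


def run_triage():
    """Ranked list of (vuln_id, [affected hosts]) for the sample data."""
    return [(v.vuln_id, [a.host for a in hits])
            for v, hits in triage(VULNS, INVENTORY, KEV)]


if __name__ == "__main__":
    for vuln_id, hosts in run_triage():
        print(f"{vuln_id}: {', '.join(hosts)}")
```

With the sample data, DEMO-0003 comes first because it is in the KEV set even though its score is the lowest of the three exposed issues, DEMO-0001 follows as a network-reachable critical, and the local DEMO-0002 is last; DEMO-0004 never appears because no inventoried asset runs the product, which is exactly the decision an accurate asset inventory makes possible. The abandoned "legacy-01" host surfaces under DEMO-0001 with owner "unknown", the kind of forgotten system the column warns about.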
Toward a Smart Approach to Managing Vulnerabilities
As long as you continue to operate systems, reducing vulnerabilities to zero is impossible. Recently, with the evolution of Frontier AI, the threat landscape is shifting, and new vulnerabilities are being disclosed at an unprecedented frequency. That is precisely why we must operate under the assumption that "vulnerabilities will inevitably be found" and return to the basics: understanding our information assets and establishing clear response criteria. By thoroughly mastering these fundamentals, organizations can build a sustainable framework to manage vulnerabilities effectively.
Yu Tsuda
Security Architect, Institute for Information Management and Communication
info No.