Remediation options
The following options are commonly used to resolve a vulnerability.
Patch
Patches refer to software updates or fixes that are specifically designed to address identified security vulnerabilities. When a software vulnerability is discovered, the software vendor or developer usually works to create a patch. This patch is a piece of code that is designed to fix the specific vulnerability, effectively closing the security hole. Once the patch is released, users of the affected software can apply it to their systems to protect against potential exploitation of the vulnerability.
Regularly updating software with patches helps to:
Minimize exploitation risk
Reduce the chances of attackers successfully exploiting known vulnerabilities.
Maintain security posture
Maintain a more secure environment, especially in the face of emerging threats.
Comply with security standards
Many security standards and regulations require organizations to promptly apply security patches to mitigate risks.
Protect data and systems
Ensure that sensitive data and critical systems are not left exposed to potential attacks.
Prevent spread of malware
Vulnerabilities in software can be exploited by malware to spread and infect other systems. Applying patches helps prevent such outbreaks.
Address known vulnerabilities
Patches directly target known vulnerabilities, effectively "fixing" the weaknesses in the software's code.
Tip
Delaying or completely neglecting to patch a vulnerability can leave your systems open to attack and increase the organization's overall risk exposure. Automated patch management systems can help streamline the process and ensure that critical security updates are applied efficiently across the organization's software and systems.
Upgrade, replace, remove, or uninstall
The choice of remediation action depends on various factors, such as the severity of the vulnerability, the availability of patches or updates, the criticality of the software to the organization's operations, and the feasibility of implementing the chosen solution. The goal is to implement the most effective and efficient remediation strategy to reduce the risk exposure associated with the identified vulnerabilities.
Possible actions to address and fix the identified vulnerabilities:
Upgrade
Install a newer version of the software that contains fixes for the identified vulnerabilities. Software vendors often release updates and new versions that address security flaws found in previous versions. By upgrading to the latest version, you have the assurance that the vulnerabilities have been patched and that you are using the most secure version available.
Replace
When it is not possible or practical to upgrade to a newer version of the software, you may choose to replace the vulnerable software with an alternative product that is not affected by the same vulnerabilities. This action may require you to find a comparable software solution from a different vendor or to switch to a different software category altogether.
Remove
Eliminate or disable the specific functionality or feature that contains the vulnerability. This action allows you to continue using the software without exposing your systems to the risk associated with the vulnerable part.
Uninstall
Completely remove the software from the system. This action is taken when the software is no longer needed or when the identified vulnerabilities pose significant risks that cannot be mitigated through other means. Uninstalling ensures that the vulnerable software is no longer present on the system and cannot be exploited.
Reconfigure vulnerable software
Make changes to your configuration settings, software setup, or system setup to mitigate or reduce the risks posed by identified vulnerabilities. This is a proactive approach to risk management that aims to reduce the attack surface and strengthen the security posture of the software or systems. It is often used as a temporary or immediate measure while more comprehensive remediation efforts, such as developing and deploying patches or updates, are being implemented.
Reconfiguring your affected software may include:
Security settings
Adjust security settings in vulnerable software to limit access, restrict privileges, or disable specific features that could be exploited.
Access controls
Strengthen access controls to ensure that only authorized users or processes can interact with the vulnerable software.
Firewalls and network configurations
Configure firewalls and network settings to block or filter traffic that could exploit the vulnerability.
Updates and patches
Apply updates, hotfixes, or patches that address the vulnerability and fix the software.
Software versions
Reconfigure your systems to use a different version of the software that is not affected by the vulnerability.
Isolation and segmentation
Isolate the vulnerable software from critical systems or sensitive data to limit the potential impact of an exploit.
Policy changes
Update security policies or best practices to prevent similar vulnerabilities from arising in the future.
Security controls
Use alternative measures or safeguards to mitigate the risks associated with a specific vulnerability when it is not possible or feasible to immediately patch or fix the vulnerability. These controls are used as a temporary solution to reduce the risk exposure until a permanent fix can be implemented.
Use compensating controls that are designed to address the specific security concerns posed by the vulnerability. This can vary depending on the nature of the vulnerability and the system it affects. The compensating control acts as a contingency plan, reducing the potential impact of an exploited vulnerability until a proper patch or remediation can be applied.
Compensating controls may include:
Tighten access controls
Restrict access to the vulnerable component to only authorized users or IP addresses.
Network segmentation
Isolate the vulnerable component from critical systems and data to minimize the potential impact of an exploit.
Note
Scope measures whether a vulnerability in one system or component impacts other resources beyond its security scope.
Intrusion detection or prevention systems
Deploy systems that can detect and block suspicious activity targeting the vulnerability.
Accept the risk
Accept the potential consequences of a specific vulnerability without taking further action to remediate or mitigate it, because you judge that the impact or likelihood of a threat actor exploiting the vulnerability is within an acceptable range.
Possible reasons for accepting the risk:
Low impact
The vulnerability may have a low potential impact on the organization's operations, data, or reputation. Therefore, the cost and effort of remediation outweigh the potential harm caused by the vulnerability.
Note
Impact measures the consequences of a vulnerability being exploited by combining the scores of three factors: confidentiality, integrity, and availability.
Infeasibility
It is technically or financially infeasible to address the vulnerability, especially if the software is outdated or unsupported by the vendor.
Risk vs. benefit analysis
Your organization's risk vs. benefit analysis determines that accepting the risk is the most cost-effective approach, especially if the vulnerability is difficult to exploit (Attack Complexity is High) or the potential damage is minimal compared to the cost of fixing it.
Note
Attack complexity measures the level of difficulty required for an attacker to exploit a vulnerability.
Short-term acceptance
You may temporarily accept a risk while a proper remediation plan is being developed or while you wait for an official patch from the software vendor.
Tip
Accepting a risk should be a conscious decision made after careful consideration of the potential consequences.
Risk acceptance should never be used as a default response to all vulnerabilities.
Risk acceptance should be a part of a broader risk management strategy where organizations prioritize and allocate resources based on the severity, likelihood, and potential impact of vulnerabilities to maintain an appropriate level of security posture.
Regularly reassess accepted risks to ensure that changing circumstances do not invalidate your initial assessment that the vulnerability is within an acceptable range.