I’ve got 99 vulnerabilities but log4j ain’t one!

Most organisations have hundreds to thousands of vulnerabilities. They range across the spectrum from:

  1. CRITICAL
  2. HIGH
  3. MEDIUM
  4. LOW

The challenge comes in trying to determine how to prioritise. Which ways could we go?

Where do we start?

  • Internet Facing Assets?
  • Back End Systems?
  • Endpoint Devices and Smart Phones?
  • Third Party Systems (e.g., Cloud SaaS/PaaS/IaaS Platforms and Services)?
  • Operational Technology Systems?
  • Supply Chain Services?

Then how do we subcategorise?

  • Asset Sensitivity?
  • Data Classification?
  • Sensitive Data Volume?
  • Business impact upon serious compromise?
  • Asset Fragility?
  • Likelihood of exploitation?
  • Compliance based? (e.g., Out of support software)
  • History of Threat Abuse?
  • Exploit in the wild?
  • Being known to be actively exploited?
  • Cost to remediate?
  • Impact for remediation outage?
  • Secondary impacts (e.g., loss of productivity)?
  • Contractual requirements with customers/suppliers?

Hopefully you are starting to see this “simple” task of asset classification, vulnerability classification and remedial prioritization is not so “simple” after all.

There is a real danger that organisations create complex formulas with rigid structures and scoring and then only focus on vulnerabilities with a CVSS above X.

Let’s take this scenario:

Internally we have a Windows Server 2003 system. It’s domain joined; however, it has a hardened configuration, has IPS/HIPS and EDR, and is tightly monitored by the SOC. It does, however, achieve a CVSS CRITICAL rating. It runs a critical business process, and the cost to upgrade the application (and therefore the OS) is significant; the business doesn’t want to do this until Q4 next year.


CVSS v2.0 Base Score: 10.0 / CVSS v3.0 Base Score: 10.0

On the perimeter we have an in-support VPN appliance; however, users do not require MFA to sign in. This leaves you exposed to the risk of credential loss which, combined with the lack of MFA, could be chained to full network compromise by an external threat actor. It does not, however, fail compliance requirements (as administrators can only access the management plane from an IP allow list inside the network).

Which would you focus on first? Both appear to be CRITICAL in terms of the potential business risk and potential incident impact (one incident from an external threat actor, one incident from failure of compliance and regulatory fines).
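
As an added illustration (not code from the original post), the example below records the two scenario findings and shows what a rigid "CVSS above X" gate does with them: the Server 2003 host passes, while the VPN finding, which carries no CVSS score, never reaches triage. The field names, the threshold of 7.0 standing in for X and the register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Finding:
    # Field names are assumptions for this example, not a standard schema.
    asset: str
    issue: str
    cvss: Optional[float]  # None = weakness with no CVSS score (e.g. missing MFA)
    internet_facing: bool
    compensating_controls: list = field(default_factory=list)
    remediation_blocker: str = ""

# Constructed register holding the two findings from the scenario above.
REGISTER = [
    Finding("Windows Server 2003 (internal, domain joined)", "CVSS CRITICAL rating",
            10.0, False, ["hardened configuration", "IPS/HIPS", "EDR", "SOC monitoring"],
            "application and OS upgrade deferred to next year Q4"),
    Finding("VPN appliance (perimeter, in support)", "user sign-in without MFA",
            None, True),
]

def cvss_gate(findings, threshold):
    """The rigid rule: only findings with CVSS >= threshold reach triage."""
    return [f for f in findings if f.cvss is not None and f.cvss >= threshold]

def hidden_by_gate(findings, threshold):
    """Findings the gate drops, paired with the reason they were dropped."""
    hidden = []
    for f in findings:
        if f.cvss is None:
            hidden.append((f, "no CVSS score"))
        elif f.cvss < threshold:
            hidden.append((f, f"CVSS {f.cvss} below {threshold}"))
    return hidden

def review_rows(findings, threshold):
    """Context per finding for a human reviewer; deliberately no composite score."""
    gated = cvss_gate(findings, threshold)
    return [{"asset": f.asset, "issue": f.issue, "cvss": f.cvss,
             "passes_gate": f in gated, "internet_facing": f.internet_facing,
             "compensating_controls": len(f.compensating_controls),
             "blocker": f.remediation_blocker or "none recorded"}
            for f in findings]

if __name__ == "__main__":
    X = 7.0  # assumed value for the post's "CVSS above X"
    for row in review_rows(REGISTER, X):
        print(row)
    for f, why in hidden_by_gate(REGISTER, X):
        print(f"hidden from triage: {f.asset}: {f.issue} ({why})")
```

The rows deliberately stop short of a single score: they put exposure, compensating controls and remediation blockers side by side so that the judgement stays with the reviewer.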


I didn’t write this post to tell everyone how and what to do; that’s not how this game works, I’m afraid. There is no cookie cutter (though you will find those types on LinkedIn selling cookie cutter templates; strong avoid would be my recommendation. Sure, take guidance and tailor it, but we get good security through learning, and we don’t learn by copy pasta!)

Hopefully this scenario is useful when thinking about enterprise vulnerability landscapes. I’ve stared into the abyss that is thousands of vulnerabilities, and if you think there’s a simple answer to this then I wonder why so many orgs struggle (maybe because this part is hard, especially when not in green field environments where security was at the forefront of thinking).

Further Reading

Vulnerability management – NCSC.GOV.UK