You can often repair or mitigate a vulnerability. When you decide to resolve a vulnerability, do one of the following things:
- Repair the vulnerability
- Mitigate the risk of the vulnerability
Repairing
The most effective way to resolve a vulnerability is to repair it.
Mitigating
When you mitigate a vulnerability, you attempt to lessen the impact of the vulnerability, but you do not eliminate it. Mitigate a vulnerability only as a temporary measure.
Exceptions and incidents
The SiteProtector™ system provides a simple way to categorize vulnerabilities:
- If you choose to resolve a vulnerability, categorize it as an incident.
- If you choose to ignore a vulnerability, categorize it as an exception.
Baseline feature
You can use the baseline feature to track vulnerabilities that were repaired or mitigated.
Vulnerabilities that cannot be resolved immediately
In special situations, consider categorizing a vulnerability as an exception, especially if you know that you cannot resolve it immediately.
Resolving vulnerabilities
Use the following table as a guide when you resolve a vulnerability:
Method | Task | Incident or Exception
Repair vulnerability | Apply vendor-supplied patches or upgrades | Categorize it as an incident until a patch or an upgrade is implemented and tested.
Repair vulnerability | Reconfigure vulnerable systems | Categorize it as an incident until vulnerable systems are successfully reconfigured; or categorize it as an exception and schedule the exception to expire after the system is successfully patched or upgraded.
Mitigate vulnerability | Monitor the vulnerability for a specified period | Categorize it as an incident.
Mitigate vulnerability | Turn off systems that run vulnerable services | Categorize it as an incident until the vulnerable services are turned off; or categorize it as an exception and schedule the exception to expire after the system is successfully patched or upgraded.
Mitigate vulnerability | Adjust your firewall rules to prevent access to vulnerable systems (Note: This approach is not secure. Attackers can circumvent firewall rules to access vulnerable hosts.) | Categorize it as an incident until vulnerable services are blocked; or categorize it as an exception and schedule the exception to expire after the system is successfully patched or upgraded.
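The two mechanisms the table and the "Baseline feature" section rely on, exceptions that are scheduled to expire and a baseline that shows what was repaired or mitigated between scans, are modelled below in a small Python tracker. This is an added example written for this page, not SiteProtector code and not its data model: the `Finding` fields, the `Tracker` class, `baseline_diff`, and the sample vulnerability ids and host names are all constructed for illustration. The one design choice worth noting is that an exception without an expiry date is refused, because the page's caveat that mitigation is only a temporary measure is easiest to enforce at the point where the exception is created.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Union

# Categories as the page defines them: an incident is a vulnerability you
# intend to resolve; an exception is one you have chosen to ignore, only
# until a scheduled expiry date.
INCIDENT = "incident"
EXCEPTION = "exception"

DateLike = Union[date, str]  # a date, or an ISO string such as "2024-01-31"


def _as_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass
class Finding:
    """One vulnerability on one host. Field names are assumptions of this
    example, not SiteProtector's schema."""
    vuln_id: str
    host: str
    category: Optional[str] = None      # INCIDENT, EXCEPTION or None (untriaged)
    note: str = ""                      # the task chosen from the table
    expires_on: Optional[date] = None   # exceptions only
    history: list = field(default_factory=list)


class Tracker:
    """Hypothetical tracker enforcing the page's two rules: an incident stays
    open until the repair or mitigation is done, and every exception expires."""

    def __init__(self) -> None:
        self.findings: dict[tuple[str, str], Finding] = {}

    def _get(self, vuln_id: str, host: str) -> Finding:
        return self.findings.setdefault((vuln_id, host), Finding(vuln_id, host))

    def mark_incident(self, vuln_id: str, host: str, note: str) -> Finding:
        f = self._get(vuln_id, host)
        f.category, f.note, f.expires_on = INCIDENT, note, None
        f.history.append(f"incident: {note}")
        return f

    def mark_exception(self, vuln_id: str, host: str, note: str,
                       expires_on: Optional[DateLike]) -> Finding:
        # An open-ended exception is a mitigation that quietly became permanent,
        # which is exactly what the page says not to do; refuse it.
        if expires_on is None:
            raise ValueError("exceptions must be scheduled to expire")
        f = self._get(vuln_id, host)
        f.category, f.note, f.expires_on = EXCEPTION, note, _as_date(expires_on)
        f.history.append(f"exception until {f.expires_on.isoformat()}: {note}")
        return f

    def expired_exceptions(self, today: DateLike) -> list[Finding]:
        """Exceptions whose scheduled expiry date has already passed."""
        t = _as_date(today)
        return [f for f in self.findings.values()
                if f.category == EXCEPTION and f.expires_on is not None
                and f.expires_on < t]

    def reopen_expired(self, today: DateLike) -> list[Finding]:
        """Turn expired exceptions back into incidents, so the patch or upgrade
        they were waiting for is verified instead of forgotten."""
        reopened = []
        for f in self.expired_exceptions(today):
            self.mark_incident(f.vuln_id, f.host,
                               f"exception expired, verify fix: {f.note}")
            reopened.append(f)
        return reopened


def baseline_diff(baseline: set, current: set) -> dict:
    """Compare a saved baseline of (vuln_id, host) pairs with the latest scan:
    pairs that dropped out were repaired or mitigated, new pairs need triage,
    persisting pairs should already be an incident or an unexpired exception."""
    return {
        "resolved": baseline - current,
        "new": current - baseline,
        "persisting": baseline & current,
    }


if __name__ == "__main__":
    # Constructed sample data, not real scan output.
    t = Tracker()
    t.mark_incident("VULN-0001", "web01", "apply vendor-supplied patch")
    t.mark_exception("VULN-0002", "db01", "access blocked at firewall", "2024-01-31")
    print([f.vuln_id for f in t.reopen_expired("2024-02-15")])
    print(baseline_diff({("VULN-0001", "web01"), ("VULN-0002", "db01")},
                        {("VULN-0002", "db01"), ("VULN-0003", "web01")}))
```

Run `reopen_expired` on a schedule (after each scan is a natural point) and feed the previous scan's findings to `baseline_diff`; a pair that persists while its exception has expired is the case the table's "schedule the exception to expire" rows are designed to surface.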