The International Organization for Standardization (ISO) defines risk as “the effect of uncertainty on objectives”, referring to the potential impact from possible future events on the organization’s ability to achieve its objectives. Risk is typically evaluated by multiplying the expected adverse impact if the situation or event occurs by the likelihood of event occurrence. For an introduction to this topic, see the risk management essentials post.

                                                                                          

For example, loss of data confidentiality is a potential event which would have an adverse impact on most organizations. Therefore, the ‘loss of data confidentiality’ event should be considered in risk assessments which have operational handling of confidential or sensitive data in scope. There are many possible ways to mitigate (“treat”) the risk of this potential event, by taking actions to reduce either the likelihood or impact of this potential future event.

What is a vulnerability?

The Computer Security Resource Center of the US National Institute of Standards and Technology (NIST CSRC) defines a vulnerability as “a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source”. In other words, it is a weakness in a technology component or in the way that component is operated which could be exploited by a malicious actor. These can be grouped into two main categories:

  • Product vulnerabilities are security flaws (defects) in product code or components that can lead to a direct or indirect compromise of data confidentiality, integrity, or availability. Components includes hardware, software, and embedded third party code or components in hardware or software. For example, common types of product vulnerabilities for web application are identified in the OWASPTop Ten.
  • Environment vulnerabilities are not inherent to the components themselves but arise from how these are configured and operated, including these examples:
    • Improper component configuration allowing use of weak encryption
    • Excessively broad access permissions granted to applications, data, networks, systems
    • Improper operational processes such as poor access control or gaps on system monitoring

                                             

 

How does vulnerability management help to address risk?

One of the available risk mitigations to protect data is a robust vulnerability management program encompassing both the customer-managed on-premises environments and customer-managed components of cloud environments. Addressing vulnerabilities reduces the likelihood of data loss because applications, systems and networks are no longer susceptible to the exploitation of the vulnerabilities and consequently reduce opportunities for malicious actors.

As noted in Verizon’s 2024 Data Breach Investigations Report (DBIR), malicious actors frequently target vulnerabilities in web applications. Therefore, effective vulnerability management for both product and environment vulnerabilities can help organizations protect data by reducing the likelihood potential adverse events such as unauthorized access to data.

Vulnerability remediation and mitigation

Remediation and mitigation are the two main strategies for reducing the likelihood of adverse events related to exploited vulnerabilities. Remediation activities eliminate the vulnerability from the environment. Mitigation activities often involve procedural or technical control mechanisms that don’t eliminate the vulnerability, but which aim to provide some level of protection against exploitation of a vulnerability. Available remediation and mitigation actions depend on the specific issue, affected component and environment. Some examples activities include:

Strategy

Vulnerability Type

Activity

Remediation

Product
  • Update a vulnerable component to a version without the vulnerability such as applying patches
  • Remove a vulnerable component

Environment
  • Restrict access to applications, data, networks and systems
  • Configure components to use only strong encryption

Mitigation

Product
  • Disable or remove access to a vulnerable feature

Environment
  • Increase monitoring of applications, systems and networks
  • Isolate a vulnerable component into a separate server or network segment

 

Risk-based vulnerability prioritization

Multiple factors should be considered when calculating the likelihood and impact of potential events related to exploitation of specific vulnerabilities within your organization, including:

  • Vulnerability severity ratings from the providers of affected components
  • Threat intelligence such as the Known Exploited Vulnerabilities Catalog (KEV Catalog) from the US Cybersecurity and Infrastructure Security Agency (CISA)
  • Sensitivity of the data processed in the relevant environments
  • Protections around the components or environments which can limit the likelihood or impact of vulnerability exploitation

Customer responsibilities

Customers are responsible for the security of on-premises environments and the components of their cloud environments in their control. For example, customers are solely responsible for how they configure and use Oracle Cloud Infrastructure (OCI) services in their tenancy. This includes applying security patches for components that customers deploy and operate, no matter where they reside.

Recommendations

Risk assessments to determine strategies and priorities for vulnerability management activities should consider factors such as your policies, security objectives, vulnerability severity, criticality of relevant data/systems, data sensitivity and executive direction.

Oracle offers resources and guidance for customers of on-premises products and Oracle Cloud:

  1. Subscribe to email notifications about Oracle’s Critical Patch Updates and Security Alerts.
  2. Explore Oracle’s Trust Center to learn more about Oracle’s security practices and how Oracle prevents and addresses product vulnerabilities.
  3. Watch the Trust Center tour video.