Vulnerability Mitigation vs. Remediation
Vulnerability mitigation and remediation are two terms used a lot in cyber security, often interchangeably. However, they are two different approaches to dealing with discovered vulnerabilities. In this article, we’ll explain what these terms mean and when one is preferred over the other. But first, the vulnerability management process should be outlined to put them in a broader context.
What is Vulnerability?
In cyber security, a vulnerability is a flaw or weakness in a system that could be exploited by a threat actor and lets the adversary bypass the implemented protection mechanisms for confidentiality, integrity and availability. Vulnerabilities can allow attackers to gain unauthorized access to resources, steal, modify or destroy data, install malware, and so on.
What is Vulnerability Management?
Vulnerability management is defined as the security practice that proactively identifies, evaluates and resolves vulnerabilities in an IT system.
Since both the system under evaluation and the cyber attacks against it are constantly evolving, vulnerability management should be conducted as a continuous, cyclic process so that it responds to the changes and keeps the system secure.
A vulnerability management process consists of the following steps:
- Vulnerability Identification: Vulnerabilities in a system can be detected through vulnerability scanning (using vulnerability scanner tools), penetration testing or security testing (source code review and testing).
- Vulnerability Verification: Detected vulnerabilities should be verified to eliminate any false positives.
- Vulnerability Assessment: As part of a risk assessment process, vulnerability assessment evaluates the probability of a vulnerability being exploited by an attacker and determines the impact should the vulnerability be exploited. Based on the findings of the vulnerability assessment, a vulnerability resolution strategy is chosen in the next step.
- Vulnerability Resolution: Once a vulnerability has been discovered and evaluated, one last critical step remains: resolution (a.k.a. vulnerability treatment). The solutions that can be applied for vulnerability resolution fall into one of two categories, mitigation or remediation. But what is the difference between these two approaches?
Vulnerability Mitigation vs. Remediation
As verbs, mitigate means to reduce, lessen, or decrease, while remediate means to correct or improve a deficiency or problem.
In line with their dictionary definitions, remediating a vulnerability means fixing or eliminating it by dealing with its root cause. Mitigating a vulnerability, on the other hand, means finding a temporary solution or workaround that decreases the likelihood of the vulnerability being exploited.
In this respect, once a vulnerability has been discovered, the ideal solution is to fix, i.e. remediate, it before it can become a security threat. For this purpose, either a readily available software patch can be applied or the vulnerable software can be updated to a newer version that no longer contains the vulnerability.
However, remediation is sometimes not possible, for several reasons.
- First, a fix, patch or updated version of the software may not be available immediately, since it takes time for vendors to prepare and distribute them.
- Secondly, not all vulnerabilities need to be fixed. This is usually the case when a vulnerability does not pose a threat because it is not directly accessible or exploitable by a threat actor. For instance, the vulnerable software may be disabled on Internet-connected devices and run only on devices that are not connected.
- Thirdly, managerial constraints can prevent you from applying a remediation action. This usually happens when a company has strict QoS requirements on customer-facing systems and cannot tolerate the downtime required to patch a vulnerability or update the software.
- The last reason that can prevent a remediation action is technical. Because of restrictions such as compatibility issues with other software used in the system, a fix or patch cannot be applied at all.
In these cases, the concept of mitigation comes into play. Actions to mitigate a vulnerability can be one or more of the following.
- Blocking a port on a firewall (on a network or host) that could expose a vulnerability to malicious actors.
- Limiting the use of the vulnerable software to a segregated network or a select list of users.
- Disabling the vulnerable software temporarily.
To sum up, remediation is the act of removing or eradicating a vulnerability from a system. Mitigation, on the other hand, is devising strategies to minimize the potential threat of a vulnerability when it cannot be eliminated immediately.
Also note that mitigation is usually not the final step in dealing with a vulnerability. It is rather a temporary solution that buys time until a remediation action, such as patching or updating, can be applied. Ultimately, eliminating or fixing a vulnerability is better than a precarious, temporary solution.
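The decision logic described in this article, put into code as an added example (this is not code from the original article): a finding carries the outcome of the assessment step (likelihood and impact), whether a fix exists, and the constraints that block remediation; the planner remediates when it can, otherwise it selects mitigations from the list above and schedules the remediation follow-up so the workaround does not quietly become permanent. The field names, the 1..5 scales, the 30-day mitigation window, the risk thresholds and the sample findings are all assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    REMEDIATE = "remediate"   # fix the root cause: patch or upgrade
    MITIGATE = "mitigate"     # temporary workaround that lowers exploitability
    ACCEPT = "accept"         # label used here for "does not need fixing" (assumption)


@dataclass
class Vulnerability:
    """Outcome of the identification, verification and assessment steps.
    Field names and the 1..5 scales are assumptions made for this example."""
    vuln_id: str
    likelihood: int                  # 1 (unlikely) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    fix_available: bool              # vendor patch or fixed version exists
    exposed: bool                    # reachable by a threat actor in this deployment
    downtime_tolerated: bool = True  # False on strict-QoS, customer-facing systems
    compatible: bool = True          # False when the patch breaks other software
    exposed_port: Optional[int] = None  # network port that exposes the flaw, if known


@dataclass
class Plan:
    vuln_id: str
    risk: int
    treatment: Treatment
    actions: List[str] = field(default_factory=list)
    blockers: List[str] = field(default_factory=list)   # why remediation was not chosen
    remediation_due: Optional[date] = None              # set only for mitigations


def risk_score(v: Vulnerability) -> int:
    """Assessment step: likelihood x impact on a 1..25 scale (assumed scale)."""
    return v.likelihood * v.impact


def remediation_blockers(v: Vulnerability) -> List[str]:
    """The reasons from the article that can prevent remediation."""
    blockers = []
    if not v.fix_available:
        blockers.append("no patch or fixed version available yet")
    if not v.downtime_tolerated:
        blockers.append("downtime for patching not tolerated (QoS requirement)")
    if not v.compatible:
        blockers.append("patch incompatible with other software in the system")
    return blockers


def plan_treatment(v: Vulnerability, today: date,
                   accept_risk_max: int = 4,
                   mitigation_window_days: int = 30) -> Plan:
    """Resolution step: remediate when possible, otherwise mitigate and schedule
    the remediation follow-up. Thresholds are assumptions for this example."""
    risk = risk_score(v)
    # Not reachable by an attacker and low risk: no fix needed for now, but
    # re-verify on the next scan cycle because exposure can change.
    if not v.exposed and risk <= accept_risk_max:
        return Plan(v.vuln_id, risk, Treatment.ACCEPT,
                    actions=["record as not exploitable; re-verify on next scan"])
    blockers = remediation_blockers(v)
    if not blockers:
        return Plan(v.vuln_id, risk, Treatment.REMEDIATE,
                    actions=["apply vendor patch or upgrade to the fixed version"])
    # Remediation is blocked: pick mitigations from the article's list.
    actions = []
    if v.exposed_port is not None:
        actions.append(f"block port {v.exposed_port} on the network/host firewall")
    actions.append("restrict the vulnerable software to a segregated network and selected users")
    if risk >= 15:  # high risk: accept the loss of function until a fix exists
        actions.append("disable the vulnerable software temporarily")
    # Mitigation only buys time; the due date keeps it from becoming permanent.
    return Plan(v.vuln_id, risk, Treatment.MITIGATE, actions, blockers,
                remediation_due=today + timedelta(days=mitigation_window_days))


def plan_all(findings: List[Vulnerability], today: date) -> List[Plan]:
    """Plan every finding, highest risk first."""
    return [plan_treatment(v, today)
            for v in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings (not real vulnerabilities) for a stand-alone run.
EXAMPLE_DATE = date(2024, 1, 1)
SAMPLE_FINDINGS = [
    Vulnerability("VULN-A", 4, 5, fix_available=True, exposed=True, exposed_port=443),
    Vulnerability("VULN-B", 3, 5, fix_available=False, exposed=True, exposed_port=445),
    Vulnerability("VULN-C", 1, 3, fix_available=True, exposed=False),
    Vulnerability("VULN-D", 2, 4, fix_available=True, exposed=True, downtime_tolerated=False),
]

if __name__ == "__main__":
    for p in plan_all(SAMPLE_FINDINGS, EXAMPLE_DATE):
        print(p.vuln_id, p.risk, p.treatment.value, p.actions, p.blockers, p.remediation_due)
```

Running the block plans the four constructed findings: VULN-A is remediated because a patch exists and nothing blocks it; VULN-B has no fix yet, so it is mitigated (firewall block, segregation and, given its high risk, temporary disabling) with a remediation date 30 days out; VULN-D has a patch but the system cannot take the downtime, so it too gets a dated mitigation; VULN-C is not reachable and low risk, so it is only recorded for re-verification.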
"You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk." Kevin Mitnick
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
If you would like to learn more about vulnerabilities, you can also read our articles What Is a Security Vulnerability? or What Is Vulnerability Scanning?