Editing Vulnerability (computer security) (section)
==Management==
{{main|Vulnerability management}}
There is little evidence about the effectiveness and cost-effectiveness of different cyberattack prevention measures.{{sfn|Agrafiotis ''et al.''|2018|p=2}} Although estimating the risk of an attack is not straightforward, the mean time to breach and expected cost can be considered to determine the priority for remediating or mitigating an identified vulnerability and whether it is cost effective to do so.{{sfn|Haber|Hibbert|2018|pp=97-98}} Although attention to security can reduce the risk of attack, achieving perfect security for a complex system is impossible, and many security measures have unacceptable cost or usability downsides.{{sfn|Tjoa ''et al.''|2024|p=63}} For example, reducing the complexity and functionality of the system is effective at reducing the [[attack surface]].{{sfn|Tjoa ''et al.''|2024|pp=68, 70}}

Successful vulnerability management usually involves a combination of remediation (closing a vulnerability), mitigation (increasing the difficulty, and reducing the consequences, of exploits), and accepting some residual risk. Often a [[defense in depth]] strategy is used to place multiple barriers in the way of an attack.{{sfn|Magnusson|2020|p=34}} Some organizations scan for only the highest-risk vulnerabilities, as this enables prioritization when the resources to fix every vulnerability are lacking.{{sfn|Haber|Hibbert|2018|pp=166-167}} Increasing expenses is likely to have [[diminishing returns]].{{sfn|Haber|Hibbert|2018|pp=97-98}}

===Remediation===
Remediation fixes vulnerabilities, for example by downloading a [[software patch]].{{sfn|Haber|Hibbert|2018|p=11}} [[Vulnerability scanner]]s are typically unable to detect zero-day vulnerabilities, but are more effective at finding known vulnerabilities based on a database. These systems can find some known vulnerabilities and advise fixes, such as a patch.{{sfn|Strout|2023|p=8}}{{sfn|Haber|Hibbert|2018|pp=12-13}} However, they have limitations, including [[false positive]]s.{{sfn|Haber|Hibbert|2018|p=11}}

Vulnerabilities can only be exploited when they are active, that is, when the software in which they are embedded is actively running on the system.{{sfn|Haber|Hibbert|2018|p=84}} Before the code containing the vulnerability is configured to run on the system, it is considered a carrier.{{sfn|Haber|Hibbert|2018|p=85}} Dormant vulnerabilities can run, but are not currently running. Software containing dormant and carrier vulnerabilities can sometimes be uninstalled or disabled, removing the risk.{{sfn|Haber|Hibbert|2018|pp=84-85}} Active vulnerabilities, if distinguished from the other types, can be prioritized for patching.{{sfn|Haber|Hibbert|2018|p=84}}

Vulnerability mitigation consists of measures that do not close the vulnerability, but make it more difficult to exploit or reduce the consequences of an attack.{{sfn|Magnusson|2020|p=32}} Reducing the [[attack surface]], particularly for parts of the system with [[Superuser|root]] (administrator) access, and closing off opportunities for exploits to engage in [[privilege exploitation]] is a common strategy for reducing the harm that a cyberattack can cause.{{sfn|Haber|Hibbert|2018|p=11}} If a patch for third-party software is unavailable, it may be possible to temporarily disable the software.{{sfn|Magnusson|2020|p=33}}

===Testing===
A [[penetration test]] attempts to enter the system via an exploit to see if the system is insecure.{{sfn|Haber|Hibbert|2018|p=93}} If a penetration test fails, it does not necessarily mean that the system is secure.{{sfn|Haber|Hibbert|2018|p=96}} Some penetration tests can be conducted with automated software that tests against existing exploits for known vulnerabilities.{{sfn|Haber|Hibbert|2018|p=94}} Other penetration tests are conducted by trained hackers. Many companies prefer to contract out this work as it simulates an outsider attack.{{sfn|Haber|Hibbert|2018|p=96}}
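The following Python script is an added worked example, not part of the Wikipedia article or its cited sources. It applies two points from the Management and Remediation sections above to a small constructed inventory: the active/dormant/carrier classification of a vulnerability from the runtime state of the software that contains it, and the use of mean time to breach and expected cost to decide which findings to remediate first and whether remediation is cost-effective. The exponential time-to-breach model, the exposure weights per state, the field names and every finding and number are assumptions constructed for illustration; the vulnerability identifiers are placeholders, not real CVE numbers.

```python
"""Added example (not from the article): classify findings as active,
dormant or carrier and rank them by expected loss within a planning
window, then compare that loss with the cost of fixing each one.
All findings, numbers, identifiers and the risk model are constructed."""
from dataclasses import dataclass
from enum import Enum
import math


class State(Enum):
    ACTIVE = "active"    # vulnerable code is running on the system now
    DORMANT = "dormant"  # configured to run, but not currently running
    CARRIER = "carrier"  # present on disk, not configured to run at all


# Assumed exposure weights: only active code is exploitable, dormant code
# becomes exploitable as soon as it is started, carrier code cannot run.
EXPOSURE = {State.ACTIVE: 1.0, State.DORMANT: 0.25, State.CARRIER: 0.0}


@dataclass
class Finding:
    vuln_id: str                     # placeholder id, not a real CVE
    component: str
    configured_to_run: bool
    running: bool
    mean_time_to_breach_days: float  # estimate from history / threat intel
    expected_cost: float             # estimated loss if the exploit succeeds
    remediation_cost: float          # estimated cost of patching or removal
    patch_available: bool = True


def classify(f: Finding) -> State:
    """Derive the state from the software's runtime status: a running
    component is active, one configured to run is dormant, else carrier."""
    if f.running:
        return State.ACTIVE
    if f.configured_to_run:
        return State.DORMANT
    return State.CARRIER


def breach_probability(mttb_days: float, window_days: float) -> float:
    """Probability of at least one breach inside the window, assuming an
    exponential time-to-breach with the given mean (a modelling assumption)."""
    return 1.0 - math.exp(-window_days / mttb_days)


def expected_loss(f: Finding, window_days: float = 90) -> float:
    p = breach_probability(f.mean_time_to_breach_days, window_days)
    return EXPOSURE[classify(f)] * p * f.expected_cost


def is_cost_effective(f: Finding, window_days: float = 90) -> bool:
    """Fixing pays off when the expected loss exceeds the remediation cost."""
    return expected_loss(f, window_days) > f.remediation_cost


def recommend(f: Finding) -> str:
    """Remediate, mitigate, or accept/uninstall, following the options in the text."""
    state = classify(f)
    if state is State.CARRIER:
        return "accept or uninstall: not exploitable until configured to run"
    if state is State.DORMANT:
        return "disable or uninstall if unneeded; otherwise patch before enabling"
    if f.patch_available:
        return "remediate: apply patch"
    return "mitigate: disable temporarily, reduce privileges, limit exposure"


def prioritize(findings, window_days: float = 90):
    """Highest expected loss first; ties go to the cheaper fix."""
    return sorted(findings,
                  key=lambda f: (-expected_loss(f, window_days), f.remediation_cost))


# Constructed sample inventory; every value is illustrative only.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "web-frontend", True, True, 30, 100_000, 5_000),
    Finding("VULN-0002", "batch-exporter", True, False, 30, 100_000, 5_000),
    Finding("VULN-0003", "legacy-plugin", False, False, 10, 500_000, 200),
    Finding("VULN-0004", "internal-tool", True, True, 365, 2_000, 1_000,
            patch_available=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} {classify(f).value:8} loss={expected_loss(f):>9.0f} "
              f"cost_effective={is_cost_effective(f)} -> {recommend(f)}")
```

Running the script lists the active web-frontend finding first, the dormant exporter second, and the carrier plugin last despite its large nominal cost, since by the article's definition carrier code cannot be exploited until it is configured to run; the unpatched internal tool is ranked by its small expected loss and gets a mitigation rather than a remediation recommendation.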