4.3 Analyzing Vulnerabilities Flashcards

(9 cards)

1
Q

Dealing with false information

A

  • False positives– A vulnerability is identified that doesn’t really exist
    – This is different than a low-severity vulnerability– It’s real, but it may not be your highest priority
  • False negatives– A vulnerability exists, but you didn’t detect it
    – Update to the latest signatures– If you don’t know about it, you can’t see it
    – Work with the vulnerability detection manufacturer– They may need to update their signatures for your environment

2
Q

Prioritizing vulnerabilities

A
  • Not every vulnerability shares the same priority
    – Some may not be significant
    – Others may be critical
  • This may be difficult to determine
    – The research has probably already been done
  • Refer to public disclosures and vulnerability databases
    – The industry is well versed
    – Online discussion groups, public disclosure mailing lists
3
Q

CVSS

A
  • National Vulnerability Database: http://nvd.nist.gov/
    – Synchronized with the CVE list
    – Enhanced search functionality
  • Common Vulnerability Scoring System (CVSS)
    – Quantitative scoring of a vulnerability - 0 to 10
    – The scoring standards change over time
    – Different scoring for CVSS 2.0 vs CVSS 3.x
  • Industry collaboration
    – Enhanced feed sharing and automation
4
Q

CVE

A
  • The vulnerabilities can be cross-referenced online
    – Almost all scanners give you a place to go
  • National Vulnerability Database: http://nvd.nist.gov/
    – Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cve/
  • Microsoft Security Bulletins: https://www.microsoft.com/technet/security/current.aspx
  • Some vulnerabilities cannot be definitively identified
    – You’ll have to check manually to see if a system is vulnerable
    – The scanner gives you a heads-up
5
Q

Vulnerability classification

A
  • The scanner looks for everything
    – Well, not everything - The signatures are the key
  • Application scans
    – Desktop, mobile apps
  • Web application scans
    – Software on a web server
  • Network scans
    – Misconfigured firewalls, open ports, vulnerable devices
6
Q

Exposure factor

A
  • Loss of value or business activity if the vulnerability is exploited
    – Usually expressed as a percentage
  • A small DDoS may limit access to a service
    – 50% exposure factor
  • A buffer overflow may completely disable a service
    – 100% exposure factor
  • A consideration when prioritizing
    – Worst possible outcome probably gets priority
7
Q

Environmental variables

A
  • What type of environment is associated with this vulnerability?
    – Internal server, public cloud, test lab
  • Prioritization and patching frequency
    – A device in an isolated test lab
    – A database server in the public cloud
    – Which environment gets priority?
  • Every environment is different
    – Number and type of users (internal, external)
    – Revenue generating application
    – Potential for exploit
8
Q

Industry/organizational impact

A
  • Some exploits have significant consequences
    – The type of organization is an important consideration
  • Tallahassee Memorial HealthCare - February 2023
    – Ransomware - closed for two weeks
    – Diverted emergency cases, surgeries canceled
  • Power utilities - Salt Lake City, LA County CA - March 2019
    – DDoS attacks from an unpatched known vulnerability
9
Q

Risk tolerance

A
  • The amount of risk acceptable to an organization
    – It’s impractical to remove all risk
  • The timing of security patches
    – Patching immediately doesn’t allow for proper testing
  • Testing takes time
    – While you’re testing, you’re also vulnerable
  • There’s a middle ground
    – May change based on the severity