Analyzing Vulnerabilities - 4.3

Summary

Vulnerability analysis involves confirming whether identified issues are real vulnerabilities, avoiding false positives and negatives. Prioritization is key, using systems like the Common Vulnerability Scoring System (CVSS) and Common Vulnerabilities and Exposures (CVE) to rank vulnerabilities based on severity and impact. Other factors such as exposure, environmental variables, industry impact, and an organization's risk tolerance influence how vulnerabilities are managed and addressed.

Notes:

Confirmation

  • False Positive: A non-issue that is incorrectly identified as a security vulnerability.
  • False Negative: A real security vulnerability that is incorrectly identified as a non-issue.

Prioritization

  • Ranking and classifying vulnerabilities based on factors such as severity, potential impact, likelihood of exploitation, and criticality to the organization.

Common Vulnerability Scoring System (CVSS)

  • A standardized framework used to score the severity of vulnerabilities based on metrics such as impact, exploitability, and complexity.

Common Vulnerabilities and Exposures (CVE)

  • A database of publicly disclosed vulnerabilities and exposures, where each vulnerability is assigned a unique identifier to facilitate tracking and reference.

Exposure Factor

  • Expressed as a percentage, it represents the potential loss or damage incurred during an attack.
  • Example: A 50% service outage due to a DDoS attack.

Environmental Variables

  • Refers to how the environment (e.g., internal, external, cloud, on-premise) affects the impact and prioritization of vulnerabilities.
  • The consequences of an attack can vary based on where it occurs, influencing how vulnerabilities are addressed.

Industry / Organization Impact

  • Attacks on different industries (e.g., healthcare, finance, power generation) can have varying degrees of impact on the organization and the broader community.

Risk Tolerance

  • The level of risk an organization is willing to tolerate while identifying and addressing vulnerabilities.
  • Balancing the need for testing and patching with maintaining system operations, understanding that some systems may remain vulnerable for periods of time.
  • Risk tolerance varies depending on the criticality and importance of the systems in question.
Previous: Penetration TestingNext: Vulnerability Remediation