Subscribe to the CyberThreatPOV Podcast

Episode 56: Vulnerabilities & Severity – Explain It To Me Like I’m 5

In this episode, Brad and Spencer talk about how vulnerabilities are assigned severity ratings, why they are important, how they are not perfect and why you should not rely on severity ratings alone to determine risk.

Introduction 

Section Overview: The hosts introduce themselves and the topic of discussion, which is the severity of vulnerabilities in cybersecurity. 

  • The episode aims to demystify what a vulnerability is and explain severity ratings. 
  • Severity ratings are commonly used in risk assessments, audits, penetration tests, and other security assessments. 
  • The hosts emphasize the importance of not relying solely on severity ratings to determine risk. 

02:19 Ambiguity in Cybersecurity Terminology 

Section Overview: The hosts discuss the ambiguous nature of cybersecurity terminology and its impact on understanding and communication within the industry. 

  • Disagreements about what constitutes a penetration test highlight the lack of adherence to standards in the industry. 
  • Foundational elements like vulnerability, threat, and risk are essential concepts in information security. 
  • A tweet by Casey John Ellis provides a simple analogy for understanding these concepts: 
      • Threat actor = someone who wants to punch you 
      • Threat = the punch being thrown 
      • Vulnerability = inability to defend against that punch 
      • Risk = likelihood of getting punched 

04:05 Vulnerabilities and Their Limitations 

Section Overview: The hosts delve into vulnerabilities and their limitations, including their failure to consider existing mitigations and real-world exploits. 

  • A vulnerability is a weakness or flaw that can be exploited to cause harm. 
  • A vulnerability's severity rating does not take into account existing mitigations or real-world exploits. 
  • Communicating vulnerabilities effectively involves considering their impact on an organization beyond just technical aspects. 

05:21 Existing Mitigations for Vulnerabilities 

Section Overview: The hosts discuss examples of existing mitigations for vulnerabilities. 

  • An example given is finding a weak password on an admin account but having multi-factor authentication (MFA) in place. 
  • Existing mitigations can reduce the severity or impact of a vulnerability. 
  • It is important to consider existing mitigations when assessing the overall risk posed by a vulnerability. 

06:00 Conclusion 

Section Overview: The hosts conclude the discussion on vulnerabilities and severity ratings, emphasizing the need for comprehensive risk assessment beyond relying solely on severity ratings. 

  • Severity ratings are valuable but should not be the sole determinant of risk. 
  • Effective communication about vulnerabilities involves considering their impact and existing mitigations. 
  • Understanding vulnerabilities and their limitations is crucial for effective cybersecurity management. 

06:04 TLS and Compensating Controls 

Section Overview: This section discusses the use of TLS (Transport Layer Security) as an example of a mitigating factor. It also introduces the concept of compensating controls and their relationship to risk mitigation. 

TLS as a Mitigating Factor 

  • TLS is used as an example of a mitigating factor. 
  • Weak TLS may be present, but it is protected by a Web Application Firewall (WAF) within a DMZ. 
  • The internal resource is not directly accessible externally, which adds compensating controls to mitigate vulnerabilities. 

Risk Mitigation and Compensating Controls 

  • Risk mitigation involves processes, education, and technology. 
  • People, process, and technology are considered broad categories of mitigating factors. 
  • Compensating controls are a sub-category of mitigating factors that can reduce the impact of vulnerabilities. 
  • A WAF in front of a vulnerable application is an example of a compensating control. 
  • MFA implementation on an account with a weak password is another example. 

09:49 Impact of Mitigating Factors on Vulnerability Severity 

Section Overview: This section explores whether mitigating factors affect the severity of vulnerabilities. 

Dependency on Context 

  • The impact of mitigating factors on vulnerability severity depends on the context. 
  • There are cases where compensating controls or mitigating factors decrease vulnerability severity, but there are also cases where they don’t. 

Objective Analysis 

  • Objective analysis is required to determine the effect of mitigating factors on vulnerability severity. 
  • In some situations, objective analysis may reveal that certain compensations or mitigations do not decrease vulnerability severity. 

10:35 Example from Banking Environment 

Section Overview: This section provides an example from the banking environment to illustrate how technology limitations can impact mitigating factors. 

Encrypted Protocols in the DMZ 

  • In a banking environment, plain text protocols were used in the DMZ due to transaction speed and volume. 
  • The hardware decryptor couldn’t handle the decryption rate, so plain text communication was necessary. 
  • The networks were physically isolated, making it impossible to sniff the traffic without compromising the machines. 

Conclusion 

Mitigating factors such as TLS and compensating controls play a crucial role in reducing vulnerability impact. However, their effect on vulnerability severity depends on various factors and requires objective analysis. The example from the banking environment highlights how technology limitations can influence mitigating factors. Understanding these concepts is essential for effective risk management in information security. 

12:20 Risk Tolerance and Vulnerability Mitigation 

Section Overview: The discussion focuses on the concept of risk tolerance and how vulnerabilities can be mitigated to minimize exposure to an organization. The severity rating of a vulnerability is also introduced as a measure of its potential impact. 

Risk Tolerance and Vulnerability Mitigation 

  • Without fully patching or eliminating a vulnerability, it will still exist but can be mitigated to minimize exposure to the organization. 
  • The severity rating of a vulnerability determines its potential impact. Factors such as unencrypted protocols and network architecture affect the severity rating. 
  • Severity rating frameworks, such as CVSS (Common Vulnerability Scoring System), help label the danger level of vulnerabilities. CVSS scores range from 0.0 to 10.0, with labels like critical, high, medium, low, and informational.

13:05 Importance of Context in Severity Rating 

Section Overview: The conversation emphasizes the importance of considering context when assessing severity ratings for vulnerabilities. 

Importance of Context in Severity Rating 

  • Severity ratings provide a starting point for understanding the potential danger posed by a vulnerability. However, context is crucial in interpreting these ratings effectively. 
  • 17:25 Organizations should create internal programs that include contextual factors when evaluating severity ratings. For example, considering if a vulnerability is actively exploited in the wild can influence its priority level. 
  • Medium-rated vulnerabilities may have significant organizational impact depending on their nature, sometimes even more than higher-rated ones. 
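
One way to fold the contextual factors discussed in this episode (business impact, active exploitation, verified compensating controls, chaining) into triage, shown as an added example that is not from the podcast or any scoring standard. The field names, weights and sample findings are assumptions constructed for illustration; only the band thresholds follow the CVSS v3.x qualitative scale.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative bands as (lower bound, label).
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"), (0.0, "none")]

def cvss_label(score: float) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(label for floor, label in BANDS if score >= floor)

@dataclass
class Finding:
    name: str
    cvss_base: float                 # context-free severity from scanner or vendor
    business_impact: int             # 1 (cosmetic) .. 5 (moves money); 3 is neutral
    exploited_in_wild: bool = False
    control_verified: bool = False   # compensating control was tested and holds
    chains_with: int = 0             # other findings this one combines with

def priority(f: Finding) -> float:
    """Hypothetical contextual score; every weight here is an assumption."""
    cvss_label(f.cvss_base)                      # rejects out-of-range scores
    score = f.cvss_base * f.business_impact / 3
    if f.exploited_in_wild:
        score *= 1.5
    if f.control_verified:                       # unverified controls earn nothing
        score *= 0.5
    return round(score + 1.0 * f.chains_with, 2)

def triage(findings):
    return [f.name for f in sorted(findings, key=priority, reverse=True)]

def cvss_only(findings):
    return [f.name for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]

# Constructed sample findings modelled on the scenarios mentioned in the episode.
FINDINGS = [
    Finding("weak TLS on app behind WAF", 7.5, 2, control_verified=True),
    Finding("weak admin password, MFA enforced", 8.8, 4, control_verified=True),
    Finding("field tampering: wire-transfer source account", 5.3, 5, chains_with=1),
    Finding("field tampering: printed document name", 5.3, 1),
]

if __name__ == "__main__":
    for f in sorted(FINDINGS, key=priority, reverse=True):
        print(f"{priority(f):5.2f}  cvss={f.cvss_base} ({cvss_label(f.cvss_base)})  {f.name}")
```

Sorting the same findings by base score alone puts the MFA-protected password first and both field-tampering issues last, while the contextual ordering moves the wire-transfer tampering to the top.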

18:20 

Section Overview: In this section, the speaker discusses the limitations of severity ratings in vulnerability management and emphasizes the importance of considering business context. 

Lack of Business Context in Severity Ratings 

  • Severity ratings lack the ability to consider business context and chaining together multiple vulnerabilities. 
  • A flaw in a web app may be low or medium severity on its own, but when combined with other vulnerabilities, it can pose a higher risk. 
  • It is important to assess vulnerabilities in the context of the entire environment and understand their potential impact. 

Value of Business Context 

  • Certain low or informational vulnerabilities may have more value than high-severity ones depending on their business impact. 
  • The goal is to defend organizations from real attackers who won’t rely on simple attacks like Sweet32. 
  • Example: Field tampering in a web application may seem insignificant if it changes a printed document’s name. However, if that field represents a source account for wire transfers, it becomes highly critical. 

Importance of Severity Ratings 

  • Severity ratings help prioritize risks, assess vulnerabilities, and communicate their significance within an organization. 
  • They allow for categorization and understanding of how serious vulnerabilities are and how quickly they should be remediated. 
  • Having a comprehensive vulnerability management program that focuses on actual threats specific to an organization is crucial. 

20:14 

Section Overview: In this section, the speaker highlights common misconceptions about severity ratings and emphasizes the need for a realistic vulnerability management program. 

Misconceptions About Severity Ratings 

  • Many vulnerability management programs focus on large numbers of medium-severity vulnerabilities without considering their actual impact. 
  • Most vulnerabilities are not truly exploitable or have any real-world impact. 
  • Organizations get hung up on severity ratings (high, critical) without understanding their true significance. 

Realistic Vulnerability Management Program 

  • A real vulnerability management program should identify actual threats to an organization and prioritize their remediation. 
  • It is different from a patching program that solely aims to reduce the number of vulnerabilities. 
  • The focus should be on addressing flaws that can compromise the organization, either individually or in aggregate. 

Limitations of Achieving Zero Vulnerabilities 

  • It is impossible to completely eliminate vulnerabilities and reach zero. 
  • Organizations should aim for a meaningful reduction in vulnerabilities rather than striving for perfection. 

22:35 

Section Overview: In this section, the speaker discusses the difference between traditional internal network penetration testing and a threat-focused approach. They emphasize understanding real vulnerabilities that can impact an organization. 

Traditional Internal Network Penetration Testing 

  • Traditional internal network penetration testing involves scanning with tools like Nmap and running Metasploit modules. 
  • This approach often relies on spraying and praying, without considering how real adversaries would behave. 

Threat-Focused Approach 

  • A threat-focused approach considers the behavior of real adversaries on the network. 
  • It looks at different aspects and vulnerabilities that are more likely to be exploited by attackers. 
  • This approach forms the core foundation of internal assessments and purple team exercises. 

Understanding Real Vulnerabilities 

  • The goal is to help organizations understand the vulnerabilities that pose a genuine risk to their environment. 
  • Assessments should focus on identifying actual threats rather than getting lost in large numbers of medium-severity vulnerabilities. 

23:35 

Section Overview: In this section, the speaker emphasizes the importance of having concise reports in vulnerability management programs. 

Importance of Concise Reports 

  • A conversation highlighted a case where a pen test report was 500 pages long, indicating excessive detail. 

Focus on Actual Flaws 

  • Reports should focus on actual flaws that have an impact on an organization’s security. 
  • Differentiate between vulnerabilities that are truly exploitable and those that have little practical significance. 

Evaluating Vulnerability Management Programs 

  • Organizations should evaluate their vulnerability management programs to ensure they prioritize actual threats. 
  • A patching program alone is not sufficient; the focus should be on identifying and addressing real vulnerabilities. 

24:00 Understanding True Risks and Vulnerabilities 

Section Overview: In this section, the speaker discusses the importance of identifying true risks and vulnerabilities within an organization. They emphasize that the goal is not to find as many CVEs (Common Vulnerabilities and Exposures) as possible, but rather to identify real risks. 

The Purpose of Vulnerabilities and Severity Ratings 

  • 24:24 Vulnerabilities and severity ratings serve a purpose in prioritizing and assessing risk. 
  • They are not perfect, but they help evaluate things in context. 
  • However, it is important to consider that they are subjective and lack context. 

Taking Context into Account 

  • 24:43 Context plays a crucial role in understanding vulnerabilities and severity ratings. 
  • It is important to recognize that these ratings have a unique purpose. 
  • While they are valuable, they should be taken into account along with other factors. 

Importance of Objective Analysis 

  • 25:02 Objective analysis combined with human brain power is essential in understanding risks. 
  • Vulnerability scans should be conducted, addressing identified vulnerabilities based on severity. 
  • Everything should be considered in context for effective risk management. 

Blog: https://offsec.blog/
YouTube: https://www.youtube.com/@cyberthreatpov
Twitter: https://twitter.com/cyberthreatpov
Work with Us: https://securit360.com