Accounting for Vulnerability “States” in Your Risk Assessments
Vulnerability management (VM) processes have had to evolve exponentially in recent years. Most of this evolution has occurred in terms of network coverage, as scanners have moved beyond conducting sequential assessments to advanced agent, connector and credentialing technologies. However, most VM applications are still unable to provide meaningful data for prioritizing vulnerabilities in terms of the real risk to the environment in which they’re found.
I recently had a great conversation about vulnerability management shortcomings with Mandy Abercrombie, senior security analysis advisor at Dell SecureWorks, and we realized something about standard vulnerability rating systems: While Proprietary Risk Score, CVSS, PCI DSS, and IAVA can be useful, they assign each vulnerability a static severity rating. These ratings all fail to account for the state of a vulnerability as it’s sitting on a specific asset. In other words, is the flaw actively running on a system – or is it lying dormant and therefore not an immediate threat?
I was so intrigued that I had to write a white paper about it! The paper presents three potential states for vulnerabilities: active, dormant, and carrier. Here’s the gist:
1.) Active vulnerabilities pose immediate risks
The flaw is actively running on the asset and consuming resources. An active vulnerability means successful exploitation would compromise the system (depending on the limitations of the vulnerability).
2.) Dormant vulnerabilities are hiding out
The flaw resides on the host but is not actively consuming any resources at all. A dormant vulnerability might be anything from a disabled service to an installed application that is not being used at a specific time. If the application is executed, the vulnerability is no longer dormant and would be reclassified as active for the duration of its runtime.
3.) Carrier vulnerabilities represent the “What Ifs”
This flaw is by far the most nebulous classification because it contains a “what if” component. A carrier’s binaries are on an asset but not configured—yet—to be either dormant or active. An additional step is required to change the state, but there is no need for external media or an Internet connection. For example, adding features to a Windows asset can be done with proper credentials and without any external resources. Once the configuration change has occurred, a vulnerability may be present in a dormant or active state until remediation occurs.
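The three states above as a small state-aware prioritization model, added here as an illustration (it is not code from the white paper or from any BeyondTrust product). The `Finding` field names, the per-state weights and the sample findings are assumptions; the point is that the same static score ranks differently depending on whether the flaw is active, dormant or a carrier, and that runtime or configuration telemetry moves a finding between states.

```python
from dataclasses import dataclass, replace
from enum import Enum

class VulnState(Enum):
    ACTIVE = "active"    # running now; exploitation would compromise the host
    DORMANT = "dormant"  # installed and configured, but not running at the moment
    CARRIER = "carrier"  # binaries present, not yet configured to run
# Assumed weights: the share of the static score each state keeps.
STATE_WEIGHT = {VulnState.ACTIVE: 1.0, VulnState.DORMANT: 0.5, VulnState.CARRIER: 0.25}

@dataclass(frozen=True)
class Finding:
    """Scanner finding plus asset-side evidence (field names are hypothetical)."""
    vuln_id: str
    asset: str
    cvss: float       # static severity as reported by the scanner
    installed: bool   # vulnerable binaries present on the asset
    configured: bool  # component enabled (service, feature, scheduled task)
    running: bool     # component currently executing

def classify(f: Finding) -> VulnState:
    """Map the observed evidence to one of the three states."""
    if not f.installed:
        raise ValueError(f"{f.vuln_id} on {f.asset}: binaries absent, nothing to classify")
    if f.running:
        return VulnState.ACTIVE
    if f.configured:
        return VulnState.DORMANT
    return VulnState.CARRIER
def effective_score(f: Finding) -> float:
    """Static score scaled by the state weight, rounded to one decimal."""
    return round(f.cvss * STATE_WEIGHT[classify(f)], 1)
def prioritize(findings):
    """Highest effective score first; ties fall back to the static score."""
    return sorted(findings, key=lambda f: (effective_score(f), f.cvss), reverse=True)
def observe_execution(f: Finding) -> Finding:
    """Runtime telemetry saw the component start: dormant (or carrier) becomes active."""
    return replace(f, configured=True, running=True)
def observe_feature_enabled(f: Finding) -> Finding:
    """Configuration monitoring saw the feature enabled: carrier becomes dormant."""
    return replace(f, configured=True)

# Constructed sample findings (ids and hostnames are made up)
SAMPLE = [
    Finding("VULN-A", "web01", 9.8, True, True, True),     # active
    Finding("VULN-B", "db01", 9.0, True, True, False),     # dormant: service disabled
    Finding("VULN-C", "file01", 10.0, True, False, False), # carrier: role binaries only
    Finding("VULN-D", "web01", 6.5, True, True, True),     # active
]
```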
At BeyondTrust, we offer a set of solutions that can help you account for vulnerability states in your risk assessments. For example, our PowerBroker for Windows privilege management solution includes patent-pending technology that can dynamically restrict runtime and user permissions as vulnerabilities move from Dormant to Active states. In addition, our Retina Configuration Compliance Module is able to monitor configuration changes that could move a Carrier vulnerability into a Dormant or Active state.
Check out the paper to learn more: The Three States of a Vulnerability – Vulnerability Classifications Beyond Risk