Cybersecurity Insurance Checklist - Meet Insurance Requirements with BeyondTrust PAM Download for Free

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

Why Exploitability Matters

July 19, 2011

  • Blog
  • Archive
The most common vulnerability scoring system used by vendors and regulatory initiatives is CVSS (the Common Vulnerability Scoring System). It provides a vendor agnostic open scoring standard to model vulnerability severity and provide guidance on prioritization of remediation efforts. The basic metrics allows for rating a vulnerability based on the severity of its components like Access Vector, Access Complexity, Authentication Method, etc. One of the key components outside of the base scoring for CVSS are the Temporal Metrics. These represent three time dependent descriptors for the vulnerability. They are:
  1. Exploitability provides a measure of how complex the process is to exploit the vulnerability in a specific target system. This is vulnerability specific.
  2. Remediation Level provides a measurable level of an available solution. This can be everything from an official security fix to no solution is, and will be, available.
  3. Report Confidence measures the confidence in the existence of the vulnerability, as well as the credibility of its existence.
The Exploitability metric is the most important in this calculation. It provides guidance using four different criteria:
  • Unproven: No exploit code is yet available (time dependent)
  • Proof of Concept: Proof of concept exploit code is available at the time of scoring
  • Functional: Functional exploit code is available
  • High: Exploitable by functional mobile autonomous code or no exploit required and can be a manual trigger
This metric allows for a vulnerability to be graded using the CVSS scoring system based on the possibility of exploitation. So why does this matter? The vulnerability risk score is not enough to prioritize remediation efforts for your environment. The base calculation fails to take into consideration whether someone (or something) can easily exploit the vulnerability, how difficult it will be mitigate the risk, and real world confidence at any point in time that the reported vulnerability is credible especially related to assets contained within your infrastructure. This is why CVSS Temporal Metrics are so important and why the Exploitability Metric is crucial for prioritization efforts. It takes into consideration not only the vulnerability severity, but also how real the threat is for exploitation in your environment at a given time. Retina CS 2.5 provides for CVSS Temporal and Environmental Scoring and the ability to adjust the values for Exploitation to meet your organization needs. This value weights the score based on your knowledge of the vulnerability in relationship to your infrastructure and conditions for remediation and credibility. It is important to note that eEye provides references for penetration testing and exploitability code within exploit-db.com, Metasploit Framework, and Core Impact, but this is by no means the end all be all source for the complete existence of exploits available. This is only a partial list from the most well known sources that are publicly and commercially available. This can assist you in setting the Exploitability metric, but as indicated, is not an absolute source. In fact, there is no global source since many exploits occur in the wild and may appear as zero days first, or the front pages of a newspaper with minimal technical details. This is why this feature is user definable and critical for understanding why exploitability matters for your business. Without it, understanding the vulnerability is solely based on risk and not if it can be truly exploited within your infrastructure. For more information on how Retina CS can help you manage your vulnerabilities and their potential exploitation, please click here. eEye understands prioritizing your time and effort for remediation is just as important as indentifying the vulnerability in the first place. We provide the best solutions for both. Morey J. Haber Product Management
Photograph of Morey J. Haber

Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Microsoft Vulnerabilities Report 2021

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.