Vulnerable vs Exploitable - what vulnerabilities count?

Not all vulnerabilities are equal, and they certainly aren’t all exploitable. In fact, the majority of vulnerabilities have no readily available exploit. There can be several reasons for this: there may be insufficient public information to develop an exploit, the vulnerability may require prior authentication, or existing controls such as Data Execution Prevention (DEP) may make a reliable attack impractical. Treating every vulnerability as equal, or trying to fix every single finding in the first place, can mean that an organisation wastes resources on low-risk issues that are unlikely to be exploited while ignoring the ones that matter. We aren’t aiming for perfect security; we’re aiming for adequate security. So how do we prioritise our vulnerabilities and decide what to fix?

Common Vulnerability Scoring System

The first tool we can use is CVSS, the Common Vulnerability Scoring System (version 3 at the time of writing), which rates vulnerabilities from 0 to 10 by severity. Its base score combines exploitability metrics (attack vector, attack complexity, privileges required and user interaction) with the impact on confidentiality, integrity and availability. CVSS is far from perfect; in some real-world situations it can be awful. But it does provide a basic mechanism to rate vulnerabilities, and a vulnerability rated nine is probably going to be more of a priority than one rated two. It’s important to satisfy yourself that the rating you are using is accurate. CVSS scores can be miscalculated and wildly inaccurate (a common error is scoring a flaw that needs valid credentials as if it needed none, which alone can add a point to the score), so check the quality of your data first. Beyond the score itself, the obvious next source of context is exploitation data.

Exploitation data

News reports and vendor advisories will often say whether a vulnerability is being exploited. Some vulnerabilities are exploited almost immediately after disclosure, while others have little or no known exploitation at all. Checking whether a vulnerability is being exploited “in the wild” (vendor advisories and catalogues such as CISA’s Known Exploited Vulnerabilities list are good sources) is a useful input when prioritising corrective actions.

Environmental Metrics

CVSS partially covers this through its Environmental metrics, but which system(s) carry the vulnerability, and who or what it is exposed to, are useful considerations in their own right. This reasoning is fraught with error, however, when it assumes that all attacks come from outside, or that the compromise of a Domain member server cannot be escalated into a wider compromise of the domain. Applied sensibly, it is still a valid consideration.

In conclusion

We need to add context to vulnerability data for it to be useful. We need to prioritise our corrective action plans, and we need to understand that many vulnerabilities will never be exploited.