Security in Context: The BeyondTrust Blog


Accounting for Vulnerability “States” in Your Risk Assessments

Posted June 9, 2014    Morey Haber

Vulnerability management (VM) processes have evolved considerably in recent years. Most of that evolution has been in network coverage: scanners have moved beyond sequential, unauthenticated network assessments to agent-based, connector-based and credentialed assessment. Yet most VM products still cannot provide meaningful data for prioritizing vulnerabilities in terms of the real risk they pose in the environment where they are found.

I recently had a great conversation about vulnerability management shortcomings with Mandy Abercrombie, senior security analysis advisor at Dell SecureWorks, and we realized something about the standard vulnerability rating systems: while a proprietary risk score, CVSS, PCI DSS severity and IAVA can all be useful, each assigns a vulnerability a single static severity rating. None of them accounts for the state of the vulnerability as it sits on a specific asset. In other words, is the flawed component actually running on the system, or is it lying dormant and therefore not an immediate threat?

I was so intrigued that I had to write a white paper about it! The paper presents three potential states for vulnerabilities: active, dormant, and carrier. Here’s the gist:

1.) Active vulnerabilities pose immediate risks
The flaw is actively running on the asset and consuming resources. An active vulnerability means successful exploitation would compromise the system (depending on the limitations of the vulnerability).

2.) Dormant vulnerabilities are hiding out
The flaw resides on the host but is not actively consuming any resources at all. A dormant vulnerability might be anything from a disabled service to an installed application that is not being used at a specific time. If the application is executed, the vulnerability is no longer dormant and would be reclassified as active for the duration of its runtime.

3.) Carrier Vulnerabilities represent the “What Ifs”
This is by far the most nebulous classification because it contains a “what if” component. A carrier’s binaries are on an asset but are not yet configured to be either dormant or active. An additional step is required to change the state, but that step needs no external media or Internet connection. For example, adding features to a Windows asset can be done with the proper credentials and without any external resources. Once that configuration change has occurred, the vulnerability is present in a dormant or active state until it is remediated.
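The following is an added example, not code from the post or the white paper, showing how the three states can be applied mechanically: a finding is classified from the asset's current inventory (running processes, installed components, features present on disk but not enabled), a static CVSS base score is discounted by state, and the state transitions described above (execute a dormant component, enable a carrier feature) change the result on rescan. The inventory structure, the component names, the VULN-000x identifiers and the per-state weights are all constructed for illustration; the weights in particular are an assumption, not figures from the paper.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class State(Enum):
    """The three vulnerability states described in the post."""
    ACTIVE = "active"     # vulnerable component is running on the asset right now
    DORMANT = "dormant"   # component is installed/configured but not running
    CARRIER = "carrier"   # binaries are on disk, but an enablement step is still required


@dataclass
class Asset:
    """Minimal inventory of one host (constructed; a real feed would come from an agent or scanner)."""
    installed: Set[str]            # configured components: services, packages, applications
    running: Set[str]              # components with a live process or started service
    available_features: Set[str]   # optional features/roles present on disk but not enabled


@dataclass
class Finding:
    """One scanner finding: a vulnerability attached to a component, with its static score."""
    vuln_id: str
    component: str
    cvss_base: float


# Assumed discount per state. The post argues only that a static score is insufficient;
# these weights are an illustration, not values from the white paper.
STATE_WEIGHT: Dict[State, float] = {
    State.ACTIVE: 1.0,
    State.DORMANT: 0.6,
    State.CARRIER: 0.3,
}


def classify(finding: Finding, asset: Asset) -> Optional[State]:
    """Map a finding onto a state using the asset's current inventory.

    Order matters: a running component is also installed, so ACTIVE is checked first.
    Returns None when the component is not on the asset at all (stale or false finding).
    """
    if finding.component in asset.running:
        return State.ACTIVE
    if finding.component in asset.installed:
        return State.DORMANT
    if finding.component in asset.available_features:
        return State.CARRIER
    return None


def contextual_score(finding: Finding, state: State) -> float:
    """Static CVSS base score adjusted for the component's state on this asset."""
    return round(finding.cvss_base * STATE_WEIGHT[state], 1)


def prioritize(findings: List[Finding], asset: Asset) -> List[Tuple[str, State, float, float]]:
    """Return (vuln_id, state, static score, contextual score), highest contextual score first."""
    rows = []
    for f in findings:
        state = classify(f, asset)
        if state is None:
            continue  # component absent: nothing to remediate on this asset
        rows.append((f.vuln_id, state, f.cvss_base, contextual_score(f, state)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# State transitions from the post: dormant -> active when the component is executed,
# carrier -> dormant when the feature is enabled (and then active once started).
def start_component(asset: Asset, component: str) -> None:
    if component not in asset.installed:
        raise ValueError(f"{component} is not installed; enable it first")
    asset.running.add(component)


def stop_component(asset: Asset, component: str) -> None:
    asset.running.discard(component)


def enable_feature(asset: Asset, component: str) -> None:
    """Carrier -> dormant: the feature is now configured but not yet started."""
    if component not in asset.available_features:
        raise ValueError(f"{component} is not available on this asset")
    asset.available_features.discard(component)
    asset.installed.add(component)


# Constructed sample data: component names and VULN-000x identifiers are placeholders.
SAMPLE_ASSET = Asset(
    installed={"web-server", "ftp-server", "pdf-reader"},
    running={"web-server"},
    available_features={"telnet-server"},
)
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "web-server", 7.5),
    Finding("VULN-0002", "ftp-server", 9.8),
    Finding("VULN-0003", "telnet-server", 9.8),
    Finding("VULN-0004", "pdf-reader", 7.8),
    Finding("VULN-0005", "not-present", 10.0),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSET):
        print(row)
    # Rescan after a change: enable the carrier feature and start the dormant service.
    enable_feature(SAMPLE_ASSET, "telnet-server")
    start_component(SAMPLE_ASSET, "ftp-server")
    for row in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSET):
        print(row)
```

On the first pass the 7.5 finding on the running web server outranks both 9.8 findings, because one sits on a stopped FTP service and the other on a telnet feature that is merely present on disk. After the FTP service is started the 9.8 finding on it moves to the top; a static rating would have ordered the list the same way in both passes.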

At BeyondTrust, we offer a set of solutions that can help you account for vulnerability states in your risk assessments. For example, our PowerBroker for Windows privilege management solution includes patent-pending technology that can dynamically restrict runtime and user permissions as vulnerabilities move from the dormant to the active state. In addition, our Retina Configuration Compliance Module can monitor for configuration changes that would move a carrier vulnerability into a dormant or active state.

Check out the paper to learn more: The Three States of a Vulnerability – Vulnerability Classifications Beyond Risk


2 Responses to “Accounting for Vulnerability “States” in Your Risk Assessments”

  1. Jared

    I admire your writings, Mr. Haber, but I believe you forgot to mention the flaw in the network security system in the year 2014. The network connections, somehow, pose a threat to every individual who has access to the same. This could make it worse if someone misused the power they would possess. In order to maintain a secure network, I would change the system data from the past, if I could. I’m no Hawking, but I think modern science could be a useful resource to our network breaches. What are your opinions on science and its very core of knowledge improving the computer, and the network as a whole?

    June 09, 2014 12:29:38
  2. Morey

    Hi Jared, the unfortunate part of networks, modern systems, and science is that security was always considered an afterthought. Security solutions have traditionally been built on top of infrastructure and not designed in from the beginning unless the original requirements warranted it. So, using modern science and security to rebuild would be ideal, but I think economics would warrant otherwise. Thank you for sharing your thoughts…

    June 10, 2014 11:55:49
