BeyondTrust

Security in Context: The BeyondTrust Blog


Accounting for Vulnerability “States” in Your Risk Assessments

Posted June 9, 2014    Morey Haber

Vulnerability management (VM) processes have had to evolve rapidly in recent years. Most of that evolution has been in network coverage: scanners have moved beyond sequential network assessments to agent-based, connector-based, and credentialed scanning. However, most VM applications are still unable to provide meaningful data for prioritizing vulnerabilities in terms of the real risk they pose in the environment where they are found.

I recently had a great conversation about vulnerability management shortcomings with Mandy Abercrombie, senior security analysis advisor at Dell SecureWorks, and we realized something about standard vulnerability rating systems: While Proprietary Risk Score, CVSS, PCI DSS, and IAVA can be useful, they assign each vulnerability a static severity rating. These ratings all fail to account for the state of a vulnerability as it sits on a specific asset. In other words, is the vulnerable component actually running on the system, or is it lying dormant and therefore not an immediate threat?

I was so intrigued that I had to write a white paper about it! The paper presents three potential states for vulnerabilities: active, dormant, and carrier. Here’s the gist:

1.) Active vulnerabilities pose immediate risks
The vulnerable component is running on the asset and consuming resources (a listening service, a loaded library, an executing process). For an active vulnerability, successful exploitation would compromise the system, subject to whatever limitations the vulnerability itself imposes (privilege level, reachability, and so on).

2.) Dormant vulnerabilities are hiding out
The flaw resides on the host but is not consuming any resources at all. A dormant vulnerability might be anything from a disabled service to an installed application that is simply not in use at the moment. If the application is executed, the vulnerability is no longer dormant and is reclassified as active for the duration of its runtime.

3.) Carrier Vulnerabilities represent the “What Ifs”
This is by far the most nebulous classification because it contains a “what if” component. A carrier’s binaries are on the asset but are not yet configured to be either dormant or active. An additional step is required to change the state, but that step needs no external media or Internet connection because the payload is already on disk. For example, adding an optional feature to a Windows asset can be done with the proper credentials and without any external resources. Once that configuration change has occurred, the vulnerability is present in a dormant or active state until it is remediated.
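To make the three states concrete, here is an added example (not code from BeyondTrust or from the white paper) that takes a scanner's static severity scores and re-ranks them by the state each finding is in on a particular host. The host inventory, the findings, the identifiers V-1 to V-4 and the per-state weights are all constructed for illustration; in practice the three sets in the inventory would be built from process and service listings and from the feature store (for Windows, a disabled optional feature whose payload is still present is the carrier case the post describes).

```python
"""Rank scanner findings by vulnerability state (active, dormant, carrier).

Added example for this post; it is not BeyondTrust code.  The host inventory,
findings and identifiers (V-1 ...) are constructed sample data, and the state
weights are an assumption chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ACTIVE = "active"    # vulnerable component is running (process / listening service)
    DORMANT = "dormant"  # installed on the host, not running right now
    CARRIER = "carrier"  # binaries staged on disk, one local step from dormant/active


# Multiplier applied to the scanner's static severity.  Assumed values: a carrier
# still scores above zero because the enabling step needs only local credentials.
STATE_WEIGHT = {State.ACTIVE: 1.0, State.DORMANT: 0.5, State.CARRIER: 0.2}


@dataclass(frozen=True)
class Finding:
    vuln_id: str     # scanner's identifier for the flaw (constructed here)
    component: str   # package / service / feature the flaw lives in
    cvss: float      # static base score reported by the scanner


@dataclass
class HostInventory:
    """What is actually on the host (constructed; real data would come from
    process/service listings and the feature store)."""
    running: set = field(default_factory=set)     # has a running process or service
    installed: set = field(default_factory=set)   # present, currently stopped/unused
    staged: set = field(default_factory=set)      # payload on disk, feature not enabled


def classify(finding, inv):
    """Map a finding to its state on this host, or None if nothing is there."""
    c = finding.component
    if c in inv.running:
        return State.ACTIVE
    if c in inv.installed:
        return State.DORMANT
    if c in inv.staged:
        return State.CARRIER
    return None  # component absent: stale or false-positive finding


def adjusted_score(finding, state):
    return round(finding.cvss * STATE_WEIGHT[state], 1)


def prioritize(findings, inv):
    """Return (vuln_id, state, static score, state-adjusted score), highest first."""
    rows = []
    for f in findings:
        st = classify(f, inv)
        if st is None:
            continue
        rows.append((f.vuln_id, st.value, f.cvss, adjusted_score(f, st)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def apply_event(inv, event, component):
    """Transitions described in the post: starting an installed component makes
    it active, stopping it makes it dormant again, and enabling a staged feature
    moves it from carrier to dormant (it becomes active once it is started)."""
    if event == "start" and component in inv.installed:
        inv.installed.discard(component)
        inv.running.add(component)
    elif event == "stop" and component in inv.running:
        inv.running.discard(component)
        inv.installed.add(component)
    elif event == "enable" and component in inv.staged:
        inv.staged.discard(component)
        inv.installed.add(component)
    return inv


def sample_inventory():
    return HostInventory(
        running={"web-server", "tls-library"},
        installed={"telnet-server"},      # service present but stopped
        staged={"snmp-service"},          # feature payload present, not enabled
    )


def sample_findings():
    return [
        Finding("V-1", "telnet-server", 9.8),
        Finding("V-2", "tls-library", 7.5),
        Finding("V-3", "snmp-service", 6.5),
        Finding("V-4", "smb-legacy", 8.1),  # not on this host at all
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for row in prioritize(sample_findings(), inv):
        print(row)
    apply_event(inv, "start", "telnet-server")  # operator starts telnet: V-1 goes active
    print(prioritize(sample_findings(), inv)[0])
```

The point the ranking makes is the one the post argues: on this host the 9.8 telnet finding sorts below the 7.5 finding in the running TLS library until someone starts the telnet service, at which point it jumps to the top without the scanner's static score ever changing. Any real weighting would be tuned per environment; the numbers here are only an assumption.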

At BeyondTrust, we offer a set of solutions that can help you account for vulnerability states in your risk assessments. For example, our PowerBroker for Windows privilege management solution includes patent-pending technology that can dynamically restrict runtime and user permissions as vulnerabilities move from Dormant to Active states. In addition, our Retina Configuration Compliance Module is able to monitor configuration changes that could move a Carrier vulnerability into a Dormant or Active state.

Check out the paper to learn more: The Three States of a Vulnerability – Vulnerability Classifications Beyond Risk


2 Responses to “Accounting for Vulnerability “States” in Your Risk Assessments”

  1. Jared

    I admire your writings Mr. Haber, but I believe you forgot to mention the flaw in the network security system in the year 2014. The network connections, somehow, pose a threat to every individual who has access to the same. This could make it worse if someone misused the power they would possess. In order to maintain a secure network, I would change the system data from the past, if I could. I’m no Hawking but I think modern science could be a useful resource to our network breaches. What are your opinions over science and its very core of knowledge improving the computer, and the network as whole?

    June 09, 2014 12:29:38
  2. Morey

    Hi Jared, the unfortunate part of networks, modern systems, and science is that security was always considered an afterthought. Security solutions have traditionally been built on top of infrastructure and not designed in from the beginning unless the original requirements warranted. So, using modern science and security to rebuild would be ideal but I think economics would warrant otherwise. Thank you for sharing your thoughts…

    June 10, 2014 11:55:49

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…


Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…


Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…
