Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Accounting for Vulnerability “States” in Your Risk Assessments

Posted June 9, 2014    Morey Haber

Vulnerability management (VM) processes have had to evolve exponentially in recent years. Most of this evolution has occurred in terms of network coverage, as scanners have moved beyond conducting sequential assessments to advanced agent, connector and credentialing technologies. However, most VM applications are still unable to provide meaningful data for prioritizing vulnerabilities in terms of real risk to the environment in which they’re found.

I recently had a great conversation about vulnerability management shortcomings with Mandy Abercrombie, senior security analysis advisor at Dell SecureWorks, and we realized something about standard vulnerability rating systems: While Proprietary Risk Score, CVSS, PCI DSS, and IAVA can be useful, they assign each vulnerability a static severity rating. These ratings all fail to account for the state of a vulnerability as it’s sitting on a specific asset. In other words, is the flaw actively running on a system – or is it lying dormant and therefore not an immediate threat?

I was so intrigued that I had to write a white paper about it! The paper presents three potential states for vulnerabilities: active, dormant, and carrier. Here’s the gist:

1.) Active vulnerabilities pose immediate risks
The flaw is actively running on the asset and consuming resources. An active vulnerability means successful exploitation would compromise the system (depending on the limitations of the vulnerability).

2.) Dormant vulnerabilities are hiding out
The flaw resides on the host but is not actively consuming any resources at all. A dormant vulnerability might be anything from a disabled service to an installed application that is not being used at a specific time. If the application is executed, the vulnerability is no longer dormant and would be reclassified as active for the duration of its runtime.

3.) Carrier Vulnerabilities represent the “What Ifs”
This flaw is by far the most nebulous classification because it contains a “what if” component. A carrier’s binaries are on an asset but not configured—yet—to be either dormant or active. An additional step is required to change the state, but there is no need for external media or an Internet connection. For example, adding features to a Windows asset can be done with proper credentials and without any external resources. Once the configuration change has occurred, a vulnerability may be present in a dormant or active state until remediation occurs.
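To make the three states concrete, here is an added worked example (it is not code from the post or from the white paper it refers to). It derives a finding's state from what an agent or credentialed scan observes on the host, scales the finding's static CVSS rating by a per-state weight, and re-evaluates when a process starts or an optional feature is enabled. The weights, the field names, the host snapshot and the findings are all constructed for illustration and are not anything the post prescribes.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class VulnState(Enum):
    """The three vulnerability states described in the post."""
    ACTIVE = "active"     # vulnerable code is running on the asset
    DORMANT = "dormant"   # installed on the asset but not executing
    CARRIER = "carrier"   # not installed, but enableable with local resources only


# Assumed weights: how much of the static severity each state counts for.
# Illustrative values only; tune them to your own risk appetite.
STATE_WEIGHT = {VulnState.ACTIVE: 1.0, VulnState.DORMANT: 0.5, VulnState.CARRIER: 0.25}


@dataclass
class AssetEvidence:
    """Constructed snapshot of one host, as an agent or credentialed scan might report it."""
    hostname: str
    running_processes: Set[str]   # e.g. from the process list
    installed_packages: Set[str]  # e.g. from the package database / Programs and Features
    optional_features: Set[str]   # features on the local OS image that are not yet enabled


@dataclass
class Finding:
    """One scanner finding carrying its static severity rating."""
    vuln_id: str       # placeholder id; a real finding would carry a CVE or vendor id
    package: str       # binary or package that contains the flaw
    process_name: str  # process that executes that binary at runtime
    cvss_base: float   # static rating from the scoring system (CVSS base score here)


def classify(finding: Finding, asset: AssetEvidence) -> Optional[VulnState]:
    """Derive the state from observed evidence, most exposed state first."""
    if finding.process_name in asset.running_processes:
        return VulnState.ACTIVE
    if finding.package in asset.installed_packages:
        return VulnState.DORMANT
    if finding.package in asset.optional_features:
        return VulnState.CARRIER
    return None  # the flaw is not present on this asset in any state


def contextual_score(finding: Finding, asset: AssetEvidence) -> float:
    """Static severity scaled by the state weight; 0.0 when the flaw is absent."""
    state = classify(finding, asset)
    if state is None:
        return 0.0
    return round(finding.cvss_base * STATE_WEIGHT[state], 2)


def prioritize(findings: List[Finding], asset: AssetEvidence) -> List[Tuple[str, str, float]]:
    """Rank findings for one asset by contextual score, highest first.

    Returns (vuln_id, state name, score) tuples; findings absent from the asset are dropped.
    """
    ranked = []
    for f in findings:
        state = classify(f, asset)
        if state is not None:
            ranked.append((f.vuln_id, state.value, contextual_score(f, asset)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


def observe_process_start(asset: AssetEvidence, process_name: str) -> AssetEvidence:
    """Record a process start; a dormant flaw in that binary is now active."""
    asset.running_processes.add(process_name)
    return asset


def observe_feature_enabled(asset: AssetEvidence, package: str) -> AssetEvidence:
    """Record that an optional feature was enabled; a carrier flaw is now dormant."""
    if package in asset.optional_features:
        asset.optional_features.discard(package)
        asset.installed_packages.add(package)
    return asset


def sample_asset() -> AssetEvidence:
    """Constructed host: web server running, FTP daemon installed but idle, telnet not enabled."""
    return AssetEvidence(
        hostname="ws-example-01",
        running_processes={"httpd"},
        installed_packages={"httpd", "ftpd"},
        optional_features={"telnet-server"},
    )


# Constructed findings with static CVSS ratings; ids are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "httpd", "httpd", 7.5),            # running       -> active
    Finding("VULN-B", "ftpd", "ftpd", 9.8),              # installed     -> dormant
    Finding("VULN-C", "telnet-server", "telnetd", 8.0),  # not enabled   -> carrier
]

if __name__ == "__main__":
    host = sample_asset()
    for row in prioritize(SAMPLE_FINDINGS, host):
        print(row)
    observe_process_start(host, "ftpd")  # the dormant flaw is promoted to active
    print(prioritize(SAMPLE_FINDINGS, host)[0])
```

Note the ordering: with the assumed weights, the 7.5 active finding outranks the 9.8 dormant one until the FTP daemon actually starts, at which point the dormant finding jumps to the top. That inversion of the static rating is the whole point of tracking state, and the two `observe_*` hooks are where an agent or configuration-change monitor would feed the transition in.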

At BeyondTrust, we offer a set of solutions that can help you account for vulnerability states in your risk assessments. For example, our PowerBroker for Windows privilege management solution includes patent-pending technology that can dynamically restrict runtime and user permissions as vulnerabilities move from Dormant to Active states. In addition, our Retina Configuration Compliance Module is able to monitor configuration changes that could move a Carrier vulnerability into a Dormant or Active state.

Check out the paper to learn more: The Three States of a Vulnerability – Vulnerability Classifications Beyond Risk


2 Responses to “Accounting for Vulnerability “States” in Your Risk Assessments”

  1. Jared

    I admire your writings Mr. Haber, but I believe you forgot to mention the flaw in the network security system in the year 2014. The network connections, somehow, pose a threat to every individual who has access to the same. This could make it worse if someone misused the power they would possess. In order to maintain a secure network, I would change the system data from the past, if I could. I’m no Hawking, but I think modern science could be a useful resource to our network breaches. What are your opinions over science and its very core of knowledge improving the computer, and the network as a whole?

    June 09, 2014 12:29:38
  2. Morey

    Hi Jared, the unfortunate part of networks, modern systems, and science is that security was always considered an afterthought. Security solutions have traditionally been built on top of infrastructure and not designed in from the beginning unless the original requirements warranted. So, using modern science and security to rebuild would be ideal, but I think economics would warrant otherwise. Thank you for sharing your thoughts…

    June 10, 2014 11:55:49

Additional articles

Making Windows Endpoints the Least of your Worries

Posted September 2, 2015    Nick Cavalancia

We’re all concerned that someday an external hacker will try to gain access to your company’s critical data and systems. The problem? Your endpoints – both your workstations and servers – bypass (and often leave) the safety and security of your environment daily.

Why Customers Choose PowerBroker: Low Total Cost of Ownership

Posted September 2, 2015    Scott Lang

In a survey of more than 100 customers, those customers indicated that BeyondTrust’s low total cost of ownership was a competitive differentiator versus other options in the privileged account management market.

Passwords: A Hacker’s Best Friend

Posted September 1, 2015    Larry Brock

After all the years of talk about biometrics and multi-factor authentication, we still have passwords and will likely have them for a long time. Because many “high risk” systems require complex passwords (zk7&@1c6), most people that use them believe their passwords are secure. But they aren’t.
