Security in Context: The BeyondTrust Blog


Accounting for Vulnerability “States” in Your Risk Assessments

Posted June 9, 2014    Morey Haber

Vulnerability management (VM) processes have had to evolve rapidly in recent years. Most of this evolution has been in network coverage, as scanners have moved beyond sequential network assessments to agent-, connector- and credential-based technologies. However, most VM applications are still unable to provide meaningful data for prioritizing vulnerabilities in terms of the real risk they pose in the environment in which they are found.

I recently had a great conversation about vulnerability management shortcomings with Mandy Abercrombie, senior security analysis advisor at Dell SecureWorks, and we realized something about standard vulnerability rating systems: while Proprietary Risk Score, CVSS, PCI DSS and IAVA ratings can be useful, each assigns a vulnerability a single, static severity. None of them accounts for the state of the vulnerability on the specific asset where it was found. In other words, is the flawed code actually running on the system, or is it lying dormant and therefore not an immediate threat?

I was so intrigued that I had to write a white paper about it! The paper presents three potential states for vulnerabilities: active, dormant, and carrier. Here’s the gist:

1.) Active vulnerabilities pose immediate risks
The vulnerable code is loaded and executing on the asset (a running service, daemon or application) and consuming resources. For an active vulnerability, a successful exploit compromises the system immediately, within whatever limits the flaw itself imposes (local versus remote, privilege level, and so on).

2.) Dormant vulnerabilities are hiding out
The flawed code resides on the host but is not consuming any resources. A dormant vulnerability might be anything from a disabled service to an installed application that is simply not in use at the moment. If the service is started or the application is executed, the vulnerability is no longer dormant and is reclassified as active for the duration of its runtime. Dormant does not mean safe: anyone with the rights to start the service or launch the application, including an attacker who already has a foothold on the host, can flip it to active without modifying a single binary.

3.) Carrier vulnerabilities represent the "what ifs"
This is by far the most nebulous classification because it contains a "what if" component. A carrier's binaries are on the asset, but they are not yet configured in a way that makes the flaw either dormant or active. An additional step is required to change the state, but that step needs no external media and no Internet connection. For example, adding a feature to a Windows asset whose installation payload is still on disk can be done with proper credentials and no external resources. Once that configuration change has occurred, the vulnerability is present in a dormant or active state until it is remediated.
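The following PowerShell script is an added example, not code from the post or from any BeyondTrust product. It shows how the three states above can be read directly from what a Windows host reports about itself: a running process or service means Active; an installed-but-stopped service, or a present-but-idle binary, means Dormant; and an optional feature whose payload is still on disk but is disabled means Carrier (enabling it needs credentials, not media). The component names, binary path and CVSS base scores in `$findings` are constructed for illustration and may not match a given Windows build; the feature check assumes an elevated session on Windows 8 / Server 2012 or later, where `Get-WindowsOptionalFeature -Online` is available.

```powershell
# Added example (not from the BeyondTrust post): derive a vulnerability's state
# from the host's own service, process and optional-feature inventory, then
# rank findings so a running Active flaw outranks a higher-scored Dormant one.

function Get-VulnerabilityState {
    param(
        [string]$ServiceName,           # service that hosts the vulnerable code, if any
        [string]$ProcessName,           # image name (no .exe) of a vulnerable application, if any
        [string]$BinaryPath,            # where that application lives on disk, if known
        [string]$OptionalFeatureName    # DISM optional feature that ships the binaries, if any
    )

    # Active: the vulnerable code is executing right now.
    if ($ProcessName) {
        if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) { return 'Active' }
        # Installed but not running: on disk, consuming nothing.
        if ($BinaryPath -and (Test-Path -LiteralPath $BinaryPath)) { return 'Dormant' }
    }
    if ($ServiceName) {
        $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        if ($svc) {
            if ($svc.Status -eq 'Running') { return 'Active' }
            return 'Dormant'   # registered with the SCM but stopped or disabled
        }
    }
    if ($OptionalFeatureName) {
        # Assumes an elevated session; Dism module, Windows 8 / Server 2012 and later.
        $feat = Get-WindowsOptionalFeature -Online -FeatureName $OptionalFeatureName -ErrorAction SilentlyContinue
        if ($feat) {
            switch ("$($feat.State)") {
                'Enabled'  { return 'Dormant' }   # installed, but nothing above found it running
                'Disabled' { return 'Carrier' }   # payload still on disk: one privileged command away
                'DisabledWithPayloadRemoved' { return 'Absent' }   # binaries gone; reinstall needs a source
                default    { return 'Carrier' }   # pending/transitional state: payload is present
            }
        }
    }
    return 'Absent'
}

# Constructed findings: the component a scanner flagged and its static base score.
$findings = @(
    @{ Id = 'FINDING-1'; Cvss = 7.8; ServiceName = 'Spooler' }
    @{ Id = 'FINDING-2'; Cvss = 9.8; OptionalFeatureName = 'TelnetClient' }
    @{ Id = 'FINDING-3'; Cvss = 8.1; ProcessName = 'notepad'; BinaryPath = "$env:SystemRoot\System32\notepad.exe" }
)

# State first, then score: the ordering a static rating alone cannot give you.
$rank = @{ Active = 0; Dormant = 1; Carrier = 2; Absent = 3 }
$findings | ForEach-Object {
    $f = $_
    $state = Get-VulnerabilityState -ServiceName $f.ServiceName -ProcessName $f.ProcessName `
                                    -BinaryPath $f.BinaryPath -OptionalFeatureName $f.OptionalFeatureName
    [pscustomobject]@{ Id = $f.Id; Cvss = $f.Cvss; State = $state }
} |
    Sort-Object -Property @{ Expression = { $rank[$_.State] } }, @{ Expression = 'Cvss'; Descending = $true } |
    Format-Table -AutoSize
```

The distinction the script leans on is the one the post's Carrier definition needs: DISM reports a feature as `Disabled` when its payload is still in the component store and as `DisabledWithPayloadRemoved` when it is not, so only the former can be enabled with nothing more than local administrative credentials. Run it in an elevated console; without elevation the feature lookup fails silently and a Carrier finding is misreported as Absent.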

At BeyondTrust, we offer a set of solutions that can help you account for vulnerability states in your risk assessments. For example, our PowerBroker for Windows privilege management solution includes patent-pending technology that can dynamically restrict runtime and user permissions as vulnerabilities move from the Dormant to the Active state. In addition, our Retina Configuration Compliance Module is able to monitor for configuration changes that would move a Carrier vulnerability into a Dormant or Active state.

Check out the paper to learn more: The Three States of a Vulnerability – Vulnerability Classifications Beyond Risk


2 Responses to “Accounting for Vulnerability “States” in Your Risk Assessments”

  1. Jared

    I admire your writings Mr. Haber, but I believe you forgot to mention the flaw in the network security system in the year 2014. The network connections, somehow, pose a threat to every individual who has access to the same. This could make it worse if someone misused the power they would possess. In order to maintain a secure network, I would change the system data from the past, if I could. I'm no Hawking but I think modern science could be a useful resource to our network breaches. What are your opinions over science and its very core of knowledge improving the computer, and the network as whole?

    June 09, 2014 12:29:38
  2. Morey

    Hi Jared, the unfortunate part of networks, modern systems, and science is that security was always considered an afterthought. Security solutions have traditionally been built on top of infrastructure and not designed in from the beginning unless the original requirements warranted. So, using modern science and security to rebuild would be ideal but I think economics would warrant otherwise. Thank you for sharing your thoughts…

    June 10, 2014 11:55:49

Additional articles

PowerBroker for Unix & Linux helps prevent Shellshock

Posted September 25, 2014    Paul Harper

Like many other people who tinker with UNIX and Linux on a regular basis, I have always had BASH as my shell of choice. Dating back to the early days moving from Windows to a non-Windows platform, mapping the keys correctly to allow easy navigation and control helped ensure an explosion of use for the shell. Unfortunately,…

Bash “Shellshock” Vulnerability – Retina Updates

Posted September 24, 2014    BeyondTrust Research Team

A major vulnerability was recently discovered within bash which allows arbitrary command execution via specially crafted environment variables. This is possible due to the fact that bash supports the assignment of shell functions to shell variables. When bash parses environment shell functions, it continues parsing even after the closing brace of the function definition. If…


7 Reasons Customers Switch to Password Safe for Privileged Password Management

Posted September 24, 2014    Chris Burd

It’s clear that privileged password management tools are essential for keeping mission-critical data, servers and assets safe and secure. However, as I discussed in my previous post, there are several pitfalls to look out for when deploying a privileged password management solution. At this point, you may be wondering how BeyondTrust stacks up. With that,…
