The difference between vulnerabilities and risk

I’ve been struck in the past several weeks about the confusion in the market between vulnerabilities and risk. This confusion is certainly heightened by the “risk” scores that are displayed by the various vulnerability scanners. In truth, there is no way a scanner can tell you the risk associated with a vulnerability. To see why, let’s look at 4 scenarios. Each of these scenarios has the same vulnerability, and a scanner treats them all as equivalent. However, it’s obvious that they present dramatically different levels of risk to an enterprise:

This is the worst case scenario: a serious vulnerability on an important server that is directly exposed to threats on the internet.  The risk associated with this scenario is very high.

Same threat and vulnerability, but this time we’ve added a firewall to prevent the threat from being able to directly access the vulnerability.  The risk in this scenario is much less.

Same threat and vulnerability, and the firewall is still blocking direct access. In this scenario, though, the threat is able to exploit a vulnerability in another, less important system and use that as a base to launch an attack on the important server. This scenario is again high risk. This technique, called “pivoting”, is very commonly used in breaches since important servers are almost always behind one or more layers of firewalls. One key point here is that the impact of a vulnerability may extend beyond the value of the vulnerable system itself.

Finally, network security can be deployed in layers to contain the effect of a breach.  Using ACLs or firewalls can limit the impact of the exposed vulnerability to just the unimportant server, therefore reducing the risk.

Virtually every definition of risk, such as the one in NIST SP 800-30, combines 4 factors: Threat, Vulnerability, Impact and Mitigating Controls.  Evaluating impact and mitigation requires one to understand the entire environment–not just the host containing the vulnerability.  This is the kind of calculation RedSeal does to create true risk scores.  The “risk” scores provided by scanners are really vulnerability scores that simply combine threat and vulnerability information with an estimate of host value.

Why does this matter? Most organizations discover thousands of vulnerabilities when they scan–more than they could hope to remediate in the short term. However, the vast majority of these are usually mitigated by network security, so addressing them can be delayed. True risk scores can identify those few vulnerabilities that need to be dealt with ASAP.

For example, in the scenarios above, the vulnerability creating the most risk is the one in the unimportant system that can be used to attack multiple high value servers. By patching, removing, blocking or containing that vulnerability, the IT department can get the greatest benefit for its efforts.
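To make the four scenarios concrete, here is an added toy model (my own illustration, not RedSeal’s scoring method and not code from this post) that scores each vulnerability by the business impact it exposes once network reachability and pivoting are taken into account. The host names, impact values and the “impact removed by fixing this one vulnerability” scoring rule are all constructed assumptions.

```python
"""Toy reachability-based risk model for the four scenarios in the post.
Each host carries a business impact; the attacker starts on the internet and
can only compromise a host that is both vulnerable and reachable from a host
already under their control (pivoting). A vulnerability's risk is the impact
that would no longer be exposed if that single vulnerability were fixed."""

# Constructed impact values: two important servers, one unimportant host.
IMPACT = {"internet": 0, "low_value": 10, "server_a": 100, "server_b": 100}

def compromised(links, vulnerable, start="internet"):
    """Hosts an attacker starting at `start` ends up controlling.
    links: dict host -> set of hosts its traffic is permitted to reach;
           a firewall or ACL is modelled simply by leaving a link out."""
    owned, frontier = {start}, [start]
    while frontier:
        src = frontier.pop()
        for dst in links.get(src, set()):
            if dst in vulnerable and dst not in owned:
                owned.add(dst)          # exploited, now usable as a pivot
                frontier.append(dst)
    return owned

def exposed_impact(links, vulnerable):
    """Total impact of everything the attacker can reach and exploit."""
    return sum(IMPACT[h] for h in compromised(links, vulnerable))

def risk_per_vulnerability(links, vulnerable):
    """Impact taken out of the attacker's reach by fixing each vulnerability."""
    base = exposed_impact(links, vulnerable)
    return {v: base - exposed_impact(links, vulnerable - {v}) for v in vulnerable}

VULNS = {"low_value", "server_a", "server_b"}   # the same finding on every host

# Scenario 1: the important server is directly exposed to the internet
S1 = {"internet": {"server_a"}}
# Scenario 2: a firewall blocks direct access to the server
S2 = {"internet": set()}
# Scenario 3: only the unimportant host is exposed, but it can reach both servers
S3 = {"internet": {"low_value"}, "low_value": {"server_a", "server_b"}}
# Scenario 4: as 3, plus an ACL stopping the unimportant host from reaching them
S4 = {"internet": {"low_value"}, "low_value": set()}

if __name__ == "__main__":
    for name, links in [("S1", S1), ("S2", S2), ("S3", S3), ("S4", S4)]:
        print(name, exposed_impact(links, VULNS), risk_per_vulnerability(links, VULNS))
```

In scenario 3 the vulnerability on the unimportant host scores highest (210) because fixing it cuts off both servers, while each server’s own vulnerability scores only 100; in scenario 4 the same vulnerabilities drop to 10 and 0 once the ACL is in place.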