Minimizing exploitability

Cyentia Institute recently produced a new report (the 8th in a series) titled "Measuring and Minimizing Exploitability".

I'm always a fan of these reports, so I read it for you and wrote this post to give you the big picture.

The context of this report is vulnerability management.

There are two well-known vulnerability databases: MITRE's CVE and NIST's NVD.

There is an average of 50 new vulnerabilities added to these databases every day.

You can't patch every bug.

Remediation is expensive. Sometimes, patching a system will break something, and now a 1-hour project takes you a whole week.

Organizations adopt different strategies to prioritize this kind of work. Some ignore it and hope for the best. Many use the Common Vulnerability Scoring System (CVSS). The goal of this score is to tell you how severe a given bug is.

Even prioritizing using Twitter mentions is more effective than using CVSS.

About 16% of vulnerabilities on the CVE list have exploit code available online. Exploit code is a proof-of-concept script, or a tool, ready to be used to exploit a given bug.

The report labels bugs with known exploit code as "high-risk".

75% of firms have "high-risk" vulnerabilities in over 1/4 of their assets.

Filter the list of all vulnerabilities to include only bugs in systems you are running. Then filter it again to keep only those observed being exploited in the wild, and only those with known exploit code.

That leaves you with about 4% of published vulnerabilities to worry about.

Exploitability is defined as the probability that a given vulnerability will be exploited in a given time-frame.

If you prioritize "high-risk" vulnerabilities, you can drop exploitability by up to 22x.
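To make the filtering and prioritization concrete, here is a small added example (not code from the post or from Cyentia's report). It applies the three filters above to a constructed feed of placeholder vulnerability records, then compares two remediation plans of the same size: one ordered by CVSS alone, one that patches "high-risk" (exploit code available) bugs first. The record IDs, products, scores and the `INVENTORY` set are all invented for illustration; the percentages it produces describe only this toy data, not the report's 4% and 22x figures.

```python
"""Toy vulnerability prioritization.

Applies the report's filters (in your inventory, observed exploited in the
wild, exploit code available) to a constructed feed and compares a CVSS-only
remediation plan with a high-risk-first plan of the same capacity.
All records are constructed placeholders, not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE number
    product: str            # affected product name
    cvss: float             # base severity score, 0.0 to 10.0
    exploit_code: bool      # public proof-of-concept or tool exists
    observed_in_wild: bool  # exploitation activity has been observed


# Constructed sample feed: none of these are real vulnerabilities.
FEED = [
    Vuln("VULN-0001", "webserver", 9.8, False, False),
    Vuln("VULN-0002", "webserver", 7.5, True, True),
    Vuln("VULN-0003", "database", 6.1, True, False),
    Vuln("VULN-0004", "database", 9.1, False, False),
    Vuln("VULN-0005", "mailer", 8.8, True, True),
    Vuln("VULN-0006", "vpn", 5.3, True, True),
    Vuln("VULN-0007", "vpn", 9.9, False, False),
    Vuln("VULN-0008", "kiosk", 7.2, True, True),   # product not in inventory
    Vuln("VULN-0009", "webserver", 4.3, False, False),
    Vuln("VULN-0010", "mailer", 8.1, False, False),
]

# Assumed asset inventory: the products this organization actually runs.
INVENTORY = {"webserver", "database", "mailer", "vpn"}


def in_inventory(vulns, inventory):
    """Filter 1: keep only bugs in software you run."""
    return [v for v in vulns if v.product in inventory]


def high_risk(vulns):
    """The report's 'high-risk' label: known exploit code is available."""
    return [v for v in vulns if v.exploit_code]


def worry_list(vulns, inventory):
    """Filters 1 to 3: in inventory, exploited in the wild, exploit code known."""
    return [v for v in in_inventory(vulns, inventory)
            if v.observed_in_wild and v.exploit_code]


def worry_fraction(vulns, inventory):
    """Share of the whole feed that survives all three filters."""
    return len(worry_list(vulns, inventory)) / len(vulns)


def plan_by_cvss(vulns, inventory, capacity):
    """Strategy A: with a fixed patching budget, take the highest CVSS first."""
    ranked = sorted(in_inventory(vulns, inventory), key=lambda v: -v.cvss)
    return ranked[:capacity]


def plan_by_high_risk(vulns, inventory, capacity):
    """Strategy B: same budget, but high-risk bugs first, then by CVSS."""
    ranked = sorted(in_inventory(vulns, inventory),
                    key=lambda v: (not v.exploit_code, -v.cvss))
    return ranked[:capacity]


def coverage(plan, vulns, inventory):
    """Fraction of in-the-wild exploited bugs in your estate that a plan patches."""
    exploited = [v for v in in_inventory(vulns, inventory) if v.observed_in_wild]
    patched = {v.vuln_id for v in plan}
    return sum(v.vuln_id in patched for v in exploited) / len(exploited)


if __name__ == "__main__":
    budget = 3  # assumed number of patches the team can ship this cycle
    print("worry list:", [v.vuln_id for v in worry_list(FEED, INVENTORY)])
    print("fraction of feed to worry about:", worry_fraction(FEED, INVENTORY))
    for name, plan in (("cvss-only", plan_by_cvss(FEED, INVENTORY, budget)),
                       ("high-risk-first", plan_by_high_risk(FEED, INVENTORY, budget))):
        print(f"{name}: patches {[v.vuln_id for v in plan]}, "
              f"covers {coverage(plan, FEED, INVENTORY):.0%} of exploited bugs")
```

With the same three-patch budget, the CVSS-only plan spends it on the three highest scores, none of which are being exploited, while the high-risk-first plan covers two of the three exploited bugs in this inventory. The point is the one the post makes: the ordering, not the budget, is what changed.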

This is a good example of how adopting a better strategy can give you better results over spending more.

You can find the full report on Cyentia's website. If you do read it, see if you can find the Star Trek pun.

I hope you found this valuable.
