Vulnerable ≠ Exploitable
Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?
You may be surprised to hear that a large majority of all vulnerabilities are unexploitable. According to data compiled by Kenna, in 2020, only 2.7% of the vulnerabilities found appeared to be exploitable and only 0.4% of those vulnerabilities were actually observed to be exploited at all.
Traditional agent-based vulnerability scanners and simplistic port-scans aren’t enough.
Create too much noise
Ignore how attackers actually think
Provide no prioritization
So how do you know if it is critical to fix what you find?
The hardest part of cyber security is deciding what NOT to fix.
Spending valuable and scarce time and effort on remediating weaknesses that are not exploitable or do not represent a substantial business impact is itself a risk. Find out more about how to prioritize vulnerabilities in this whitepaper.
Criticality begins with the exploitability of a weakness.
There are many reasons why a reported critical finding from vulnerability scanners and some pentesters may not be exploitable or would be very difficult to exploit, hence do not truly impose much or any risk.
No exploit exists
There is no existing exploit available for the vulnerability
Outdated ≠ exploitable
In the absence of a specific vulnerability, software being merely outdated/obsolete does not pose a critical risk.
Network context
The context of where the vulnerable asset is in the network makes the risk informational rather than critical.
High complexity
Several complex and/or impractical conditions must be met for the
vulnerability to be exploited by an attacker.
Not accessible
The vulnerability exists in a part the software that isn’t accessible from the attacker’s perspective.
Component not in use
The suspected software doesn’t necessarily run in a vulnerable configuration.
Target End State: Proactive Security Posture
Security Controls
Are you ready to respond to Ransomware? If APT29 is targeting your sector, can you detect and disrupt their known tactics, techniques, and procedures?
So what do you do? Where do you start? From our experience as former CIO’s, the best approach is a Catch Up, Keep Up, and Stay Ahead plan.
A Future of Continuous Security Assessment
Over the last decade, more and more CVEs/vulnerabilities are being found and reported, making it very hard to keep pace. It’s snowballing and creating fatigue.
With an annual manual pentest, you have giant craters in your security posture that develop between cycles as critical vulnerabilities come out; systems change with new software, patches and hardware; and personnel turns over.
How can NodeZero help you?
Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.
