Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?

Criticality is a Function of Exploitability and Impact

The hardest part of cyber security is deciding what not to do, because time and resources are limited. Spending scarce time and effort on remediating weaknesses that are not exploitable, or that do not represent a substantial business impact, is itself a risk. At the very least, you should be able to trust that the findings from your security tools and services will appropriately guide your remediation and staffing decisions.

Criticality begins with the exploitability of a weakness. There are many reasons why a finding that vulnerability scanners (and some pentesters) report as critical may not be exploitable at all, or may be very difficult to exploit, and therefore poses little or no real risk:

1. No exploit exists – There is no known exploit available for the vulnerability.
2. High complexity – Several complex and/or impractical conditions must be met before an attacker can exploit the vulnerability.
3. Component is not in use – The flagged component is not actually loaded, or the software does not run in the vulnerable configuration.
4. Outdated ≠ exploitable – In the absence of a specific vulnerability, software that is merely outdated or obsolete does not pose a critical risk.
5. Not accessible – The vulnerability exists in a part of the software that cannot be reached from the attacker’s position.
6. Network context – Where the vulnerable asset sits in the network makes the risk informational rather than critical.
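The six factors above are the inputs a triage step should apply before a scanner’s severity label drives staffing decisions. The following is an added example, not code from the original page or from any vendor’s product: a small Python re-prioritization routine that takes each factor as a field on a finding and adjusts the reported severity accordingly. The findings, field names, and the size of each downgrade are constructed assumptions for illustration (no real CVE identifiers or products are referenced); the point is the shape of the logic, which you would tune to your own environment.

```python
"""Context-aware re-prioritization of scanner findings.

Added illustration, not from the original page or any vendor tool.
All findings below are constructed; the field names and the downgrade
policy are assumptions, not a published standard.
"""
from __future__ import annotations

from dataclasses import dataclass

# Severity scale, lowest to highest, so list index == rank.
INFO, LOW, MEDIUM, HIGH, CRITICAL = "informational", "low", "medium", "high", "critical"
LEVELS = [INFO, LOW, MEDIUM, HIGH, CRITICAL]


@dataclass
class Finding:
    finding_id: str
    asset: str
    scanner_severity: str    # what the tool reported
    exploit_available: bool  # factor 1: is a working exploit known to exist?
    attack_complexity: str   # factor 2: "low" or "high"
    component_in_use: bool   # factor 3: is the flagged code actually loaded/configured?
    specific_cve: bool       # factor 4: a concrete vulnerability vs. "version is old/EOL"
    reachable: bool          # factor 5: can the attacker reach the vulnerable code path?
    exposure: str            # factor 6: "internet", "internal", or "isolated"
    business_impact: str     # "high", "medium", or "low"


def downgrade(level: str, steps: int) -> str:
    """Move a severity down by `steps` ranks, never below informational."""
    return LEVELS[max(LEVELS.index(level) - steps, 0)]


def cap(level: str, ceiling: str) -> str:
    """Return the lower of two severities."""
    return LEVELS[min(LEVELS.index(level), LEVELS.index(ceiling))]


def triage(f: Finding) -> tuple[str, list[str]]:
    """Return (adjusted severity, reasons) for one finding.

    Hard gates come first: if the weakness cannot be exercised at all,
    the finding is informational regardless of what the scanner said.
    """
    if not f.component_in_use:
        return INFO, ["flagged component is not loaded or not in the vulnerable configuration"]
    if not f.reachable:
        return INFO, ["vulnerable code path is not reachable from the attacker's position"]
    if not f.specific_cve:
        # Outdated software with no concrete vulnerability: schedule an upgrade, don't fire-drill.
        return cap(f.scanner_severity, LOW), ["outdated/EOL only, no specific vulnerability"]

    level, reasons = f.scanner_severity, []
    if not f.exploit_available:
        level = downgrade(level, 1)
        reasons.append("no known exploit")
    if f.attack_complexity == "high":
        level = downgrade(level, 1)
        reasons.append("high attack complexity")
    exposure_penalty = {"internet": 0, "internal": 1, "isolated": 2}[f.exposure]
    if exposure_penalty:
        level = downgrade(level, exposure_penalty)
        reasons.append(f"{f.exposure} network context")
    if f.business_impact == "low":
        level = downgrade(level, 1)
        reasons.append("low business impact")
    return level, reasons


def prioritize(findings: list[Finding]) -> list[tuple[str, str, list[str]]]:
    """Triage every finding and order the worklist by adjusted severity (stable)."""
    rows = [(f.finding_id, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: -LEVELS.index(r[1]))


# Constructed sample findings; every one was reported "critical" or "high" by the scanner.
SAMPLE = [
    Finding("F-001", "web-01", CRITICAL, True, "low", True, True, True, "internet", "high"),
    Finding("F-002", "app-07", CRITICAL, False, "high", True, True, True, "internal", "medium"),
    Finding("F-003", "db-02", CRITICAL, True, "low", False, True, True, "internal", "high"),
    Finding("F-004", "build-03", HIGH, False, "low", True, False, True, "internet", "medium"),
    Finding("F-005", "scada-01", CRITICAL, True, "low", True, True, True, "isolated", "high"),
]

if __name__ == "__main__":
    for fid, level, reasons in prioritize(SAMPLE):
        print(f"{fid}  {level:<13} {'; '.join(reasons) or 'exploitable as reported'}")
```

Only one of the five "critical" findings survives triage as critical: the internet-facing, exploitable one with high business impact. The rest drop to medium, low, or informational for the reasons recorded alongside each row, which is exactly the audit trail you want when explaining to stakeholders why a scanner-red item was not worked first.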

The number of CVEs disclosed has increased significantly in the last decade

The number of new CVEs published annually has increased over three-fold since 2011. This trend has accelerated since the expansion of the CVE Numbering Authority program in the last few years.

…yet the proportion of distinct vulnerabilities exploited is falling…

Although the known universe of vulnerabilities is exploding, a shrinking proportion of those vulnerabilities is ever exploited in actual breaches. Focusing your remediation effort on the high-impact, truly exploitable subset has never been more important.

Above graphs and research are courtesy of Kenna Research – https://www.kennaresearch.com/a-decade-of-insights/

A Future of Continuous Security Assessment

Over the last decade, more and more CVEs and other vulnerabilities have been found and reported, making it very hard to keep pace; the volume is snowballing and creating fatigue. With an annual manual pentest, giant craters develop in your security posture between cycles: critical vulnerabilities are disclosed, systems change with new software, patches and hardware, and personnel turn over.

Proof of Value – Continuous, Proactive Security

Your PoV is unlimited for 30 days. Assess your entire attack surface; view detailed reports with paths, proofs, and best practices; and take advantage of immediate access to full op reviews with our vCISOs.