Vulnerability vs. Exploitability: Why they’re different

Chris Gervais

Vulnerability vs. Exploitability

There is a lot of jargon when it comes to cloud security. While the thought of having a vulnerability in security system seems scary, having an easily exploitable security system is scarier. What’s the difference? How do you prioritize? Well, a vulnerability is a weakness in a software system. Being vulnerable, i.e. having a weakness in your security system, means that one could hypothetically take advantage a misconfiguration to gain elevated privileges. On the flip side, exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Why does the distinction matter? Aren’t they basically the same thing?

In a word: No. There are a few reasons why being vulnerable does not equate to exploitability. An attacker may not have the correct amount of information to exploit the vulnerability, or the attacker may not have proper authentication or access, or may not be able to attack due to existing security controls. Knowing that these qualifiers exist allows your team to focus on more at-risk areas in your environment.

At Threat Stack, we recently conducted an analysis of more than 200 companies running AWS. That analysis found a surprising number of well-documented security Vulnerabilities that can be easily exploited. Among the most egregious was a finding that 73% of the companies analyzed had AWS Security Groups configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic using the root account, which could have severe security repercussions.

sensitive data

However, we also found some vulnerabilities that won’t necessarily be exploited. Multi-factor authentication for AWS users was not being used by 62% of companies. While that may make an organization vulnerable to brute force attacks, there are alternatives to MFAs (like context-aware security) that can keep an organization safe. So long as you some sort of security layer for logins, your security team can focus on areas that are truly at-risk and that can be more easily exploited.

To recap, vulnerability deals with the theoretical, exploitability deals with actuals. You need to be able to identify that while a weakness may be exploitable, there might not be a defined path to exploit the system. The opposite is also true, it’s up to your security team to know the difference, and take the proper action so that your company’s security is not at risk.

How can you tell whether a vulnerability is exploitable? Well, that depends. Vulnerabilities are by definition a weakness in your system – and can lead to the extraction of sensitive data. You should take each vulnerability in a case-by-case basis. It could be that a given vulnerability does not have a large attack surface, meaning there is little a cyber criminal could do to exploit it. It’s also possible that a vulnerability could lead to a massive breach by giving an attack admin privileges to your servers. You’ll need to also examine how the vulnerability could chain together with others on the same system – which would lead to a critical attack.

Companies that take basic security precautions, like environment auditing, are working to ensure that their vulnerabilities cannot be chained and exploited. Other tactics companies can use to make sure they’re meeting security best practices include setting a security baseline, performing regular environmental audits, and adhering to their cloud providers best practices, which may include end-to-end encryption, monitoring file integrity and leveraging multi-factor authentication.

Understanding what is vulnerable and what remains exploitable can help companies prioritize and acknowledge where their security efforts can be improved. Although it is tough, even impossible, to be 100 percent secure, companies can work to minimize threats and ensure best security practices. These practices start with identifying and ensuring good security hygiene to eradicate the possibility of vulnerabilities becoming exploitable. Being able to discern what is vulnerable and what is exploitable makes the world of platform security less scary.

In security, perfect has become the enemy of good. Threats are evolving at an alarming pace, using all sorts of new attack vectors. Organizations must focus on continuously improving their security – detecting a vulnerability or threat early is step one to preventing an exploit. If you’re realistic about what systems are vulnerable (and can wait to be addressed), and what vulnerabilities are exploitable (and need to be addressed now), that can help funnel your resources toward the most critical areas.

By Chris Gervais

Mark Barrenechea

The Digital Era Moves Into The Information Era

We have entered the Information Era Building on the groundwork of automation, connectivity and computing power that defined digital, the Information Era is characterized by ...
Fahim Kahn

The 5 Biggest Hybrid Cloud Management Challenges—And How to Overcome Them

Hybrid Cloud Management Challenges The benefits of the cloud—reduced costs, greater IT flexibility, and more—are well-established. But now many organizations are moving to hybrid cloud ...
Figure4

DevOps – Secure and Scalable CI/CD Pipeline with AWS

Secure and Scalable CI/CD Pipeline According to Gartner, a leading research company, worldwide public cloud revenue will grow by 17.3 percent in 2019. Total spending ...
Ajay

Explainable Intelligence Part 3 – The Strategy for XAI

The Strategy for XAI It is not enough to say that something is true just because 'I know it’s true!' – we have to have ...
Eddie Segal

Kubernetes on AWS: Tips for Cloud-Native Development

Kubernetes AWS Tips Kubernetes is a container orchestration and management tool that automates container deployment. Kubernetes is mainly used in the cloud. A recent survey ...
Bruce Guptill

Resolving IT-Finance Asynchronization on Cloud Improvements

Resolving IT-Finance Asynchronization While CIO-CFO communications and alignment may never seem better, what is considered to be C-level, strategic “alignment” increasingly obscures realities that keep ...
Holiday Access.png