Vulnerability vs. Exploitability: Why they’re different

Vulnerability vs. Exploitability

There is a lot of jargon when it comes to cloud security. While the thought of having a vulnerability in security system seems scary, having an easily exploitable security system is scarier. What’s the difference? How do you prioritize? Well, a vulnerability is a weakness in a software system. Being vulnerable, i.e. having a weakness in your security system, means that one could hypothetically take advantage a misconfiguration to gain elevated privileges. On the flip side, exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Why does the distinction matter? Aren’t they basically the same thing?

In a word: No. There are a few reasons why being vulnerable does not equate to exploitability. An attacker may not have the correct amount of information to exploit the vulnerability, or the attacker may not have proper authentication or access, or may not be able to attack due to existing security controls. Knowing that these qualifiers exist allows your team to focus on more at-risk areas in your environment.

At Threat Stack, we recently conducted an analysis of more than 200 companies running AWS. That analysis found a surprising number of well-documented security Vulnerabilities that can be easily exploited. Among the most egregious was a finding that 73% of the companies analyzed had AWS Security Groups configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic using the root account, which could have severe security repercussions.

sensitive data

However, we also found some vulnerabilities that won’t necessarily be exploited. Multi-factor authentication for AWS users was not being used by 62% of companies. While that may make an organization vulnerable to brute force attacks, there are alternatives to MFAs (like context-aware security) that can keep an organization safe. So long as you some sort of security layer for logins, your security team can focus on areas that are truly at-risk and that can be more easily exploited.

To recap, vulnerability deals with the theoretical, exploitability deals with actuals. You need to be able to identify that while a weakness may be exploitable, there might not be a defined path to exploit the system. The opposite is also true, it’s up to your security team to know the difference, and take the proper action so that your company’s security is not at risk.

How can you tell whether a vulnerability is exploitable? Well, that depends. Vulnerabilities are by definition a weakness in your system – and can lead to the extraction of sensitive data. You should take each vulnerability in a case-by-case basis. It could be that a given vulnerability does not have a large attack surface, meaning there is little a cyber criminal could do to exploit it. It’s also possible that a vulnerability could lead to a massive breach by giving an attack admin privileges to your servers. You’ll need to also examine how the vulnerability could chain together with others on the same system – which would lead to a critical attack.

Companies that take basic security precautions, like environment auditing, are working to ensure that their vulnerabilities cannot be chained and exploited. Other tactics companies can use to make sure they’re meeting security best practices include setting a security baseline, performing regular environmental audits, and adhering to their cloud providers best practices, which may include end-to-end encryption, monitoring file integrity and leveraging multi-factor authentication.

Understanding what is vulnerable and what remains exploitable can help companies prioritize and acknowledge where their security efforts can be improved. Although it is tough, even impossible, to be 100 percent secure, companies can work to minimize threats and ensure best security practices. These practices start with identifying and ensuring good security hygiene to eradicate the possibility of vulnerabilities becoming exploitable. Being able to discern what is vulnerable and what is exploitable makes the world of platform security less scary.

In security, perfect has become the enemy of good. Threats are evolving at an alarming pace, using all sorts of new attack vectors. Organizations must focus on continuously improving their security – detecting a vulnerability or threat early is step one to preventing an exploit. If you’re realistic about what systems are vulnerable (and can wait to be addressed), and what vulnerabilities are exploitable (and need to be addressed now), that can help funnel your resources toward the most critical areas.

By Chris Gervais

Bill Talbot

How IT Operations Can Survive and Thrive in a Multi-cloud World

IT Operations Can Thrive in a Multi-cloud World IT operations teams are contending with the reality that growing volumes of workloads are running across multiple cloud services. While multi-cloud environments are growing ubiquitous, many IT ...
Patrick Joggerst

Living on the Edge: The New Real-Time Communications Security Risks

Real-time communications Security Risks As more and more people have been forced to work remotely due to the global public health crisis, collaboration platforms have unexpectedly saved the day for millions of businesses and allowed ...
Printing Industry

How to Choose the Right Cloud Printing Solution for Your Business

Cloud Printing Business Solutions The demand for cloud printing is primarily driven by the overall organizational benefits of Software as a Service (SaaS) portfolio. The expectation of flexibility in workplace tools, of plug-and-play solutions for ...
Anita Raj

A Winning Data Strategy Series Part 2: Data, an Asset, or a Liability?

Data, an Asset, or a Liability? This is the second piece of a 5-part series on plugging the obvious but overlooked gaps in achieving digital success through a refined data strategy. You can read the ...
Tunio Zafer

Remote Collaboration Solutions That Cloud Storage Solves

Remote Collaboration Solutions Over the last few decades, cloud computing has improved the digital world in profound ways. With immediate access to a greater number of resources and tools, cloud computing allows users to pursue ...
Armen Najarian

Martech: Brand Marketing is the New Demand Generation

Martech: Brand Marketing First, An Apology Sorry, demand generation professionals. We still love you and your jobs aren’t going away. But, as you are well aware, the B2B buyer journey has changed—dramatically. Your roles, measurements, data sources, ...