Vulnerability vs. Exploitability: Why they’re different

Vulnerability vs. Exploitability

There is a lot of jargon when it comes to cloud security. While the thought of having a vulnerability in security system seems scary, having an easily exploitable security system is scarier. What’s the difference? How do you prioritize? Well, a vulnerability is a weakness in a software system. Being vulnerable, i.e. having a weakness in your security system, means that one could hypothetically take advantage a misconfiguration to gain elevated privileges. On the flip side, exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Why does the distinction matter? Aren’t they basically the same thing?

In a word: No. There are a few reasons why being vulnerable does not equate to exploitability. An attacker may not have the correct amount of information to exploit the vulnerability, or the attacker may not have proper authentication or access, or may not be able to attack due to existing security controls. Knowing that these qualifiers exist allows your team to focus on more at-risk areas in your environment.

At Threat Stack, we recently conducted an analysis of more than 200 companies running AWS. That analysis found a surprising number of well-documented security Vulnerabilities that can be easily exploited. Among the most egregious was a finding that 73% of the companies analyzed had AWS Security Groups configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic using the root account, which could have severe security repercussions.

sensitive data

However, we also found some vulnerabilities that won’t necessarily be exploited. Multi-factor authentication for AWS users was not being used by 62% of companies. While that may make an organization vulnerable to brute force attacks, there are alternatives to MFAs (like context-aware security) that can keep an organization safe. So long as you some sort of security layer for logins, your security team can focus on areas that are truly at-risk and that can be more easily exploited.

To recap, vulnerability deals with the theoretical, exploitability deals with actuals. You need to be able to identify that while a weakness may be exploitable, there might not be a defined path to exploit the system. The opposite is also true, it’s up to your security team to know the difference, and take the proper action so that your company’s security is not at risk.

How can you tell whether a vulnerability is exploitable? Well, that depends. Vulnerabilities are by definition a weakness in your system – and can lead to the extraction of sensitive data. You should take each vulnerability in a case-by-case basis. It could be that a given vulnerability does not have a large attack surface, meaning there is little a cyber criminal could do to exploit it. It’s also possible that a vulnerability could lead to a massive breach by giving an attack admin privileges to your servers. You’ll need to also examine how the vulnerability could chain together with others on the same system – which would lead to a critical attack.

Companies that take basic security precautions, like environment auditing, are working to ensure that their vulnerabilities cannot be chained and exploited. Other tactics companies can use to make sure they’re meeting security best practices include setting a security baseline, performing regular environmental audits, and adhering to their cloud providers best practices, which may include end-to-end encryption, monitoring file integrity and leveraging multi-factor authentication.

Understanding what is vulnerable and what remains exploitable can help companies prioritize and acknowledge where their security efforts can be improved. Although it is tough, even impossible, to be 100 percent secure, companies can work to minimize threats and ensure best security practices. These practices start with identifying and ensuring good security hygiene to eradicate the possibility of vulnerabilities becoming exploitable. Being able to discern what is vulnerable and what is exploitable makes the world of platform security less scary.

In security, perfect has become the enemy of good. Threats are evolving at an alarming pace, using all sorts of new attack vectors. Organizations must focus on continuously improving their security – detecting a vulnerability or threat early is step one to preventing an exploit. If you’re realistic about what systems are vulnerable (and can wait to be addressed), and what vulnerabilities are exploitable (and need to be addressed now), that can help funnel your resources toward the most critical areas.

By Chris Gervais

Marty

How cloud technologies improve innovation in the healthcare industry?

How cloud technologies improve innovation in the healthcare industry? The uptake of VPS hosting in the cloud within the heavily regulated healthcare industry has until recently been perceived as relatively slow. There is little doubt ...
Scott Leatherman

Beware the Perils of Blind Cloud Provisioning

The COVID-19 Rush to the Cloud Results in Steep Costs and Chaos For many companies, their data center capacity was not built for the instant tsunami-sized jolt of increased load caused by the global pandemic ...
Madhaven Krishnan

Steps To Achieve Hyper Productivity With Your Digital Apps Development

Achieve Hyper Productivity The mobile and cloud revolution in enterprise IT is well underway and is already causing never-before--seen changes in the way apps are developed, managed and transformed. The driving factors behind these changes ...
Chris Collins

Why Cloud Technology is a Smart Business Move for Higher Education

Higher Education Technology Cloud technology is not just for the world of big business. A growing number of higher education institutions are also embracing the cloud’s many advantages, especially for its data gathering and analytics ...
Martin Mendelsohn

Supporting CISOS, CIOS and CTOS That Are Overwhelmed During the COVID Battle

The Covid Era and CISO Stress Even before COVID-19, senior technology executives, including CISOs, CIOs and CTOs were overwhelmed, and felt an increasing lack of ballast in their lives. Some went so far as to ...
Deepak Jayagopal

Leveraging DevOps Infrastructure as Code to Improve Cloud Provisioning Time by 65%

Improving Cloud Provisioning Time Infrastructure provisioning used to be a highly manual process for Digital Service Providers (DSPs). Infrastructure engineers would rack and stack the servers and will manually configure them. Then they will install ...