Chris

Vulnerability vs. Exploitability: Why they’re different & why it matters

Vulnerability vs. Exploitability

There is a lot of jargon when it comes to cloud security. While the thought of having a vulnerability in security system seems scary, having an easily exploitable security system is scarier. What’s the difference? How do you prioritize? Well, a vulnerability is a weakness in a software system. Being vulnerable, i.e. having a weakness in your security system, means that one could hypothetically take advantage a misconfiguration to gain elevated privileges. On the flip side, exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Why does the distinction matter? Aren’t they basically the same thing?

In a word: No. There are a few reasons why being vulnerable does not equate to exploitability. An attacker may not have the correct amount of information to exploit the vulnerability, or the attacker may not have proper authentication or access, or may not be able to attack due to existing security controls. Knowing that these qualifiers exist allows your team to focus on more at-risk areas in your environment.

At Threat Stack, we recently conducted an analysis of more than 200 companies running AWS. That analysis found a surprising number of well-documented security vulnerabilities that can be easily exploited. Among the most egregious was a finding that 73% of the companies analyzed had AWS Security Groups configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic using the root account, which could have severe security repercussions.

sensitive data

However, we also found some vulnerabilities that won’t necessarily be exploited. Multi-factor authentication for AWS users was not being used by 62% of companies. While that may make an organization vulnerable to brute force attacks, there are alternatives to MFAs (like context-aware security) that can keep an organization safe. So long as you some sort of security layer for logins, your security team can focus on areas that are truly at-risk and that can be more easily exploited.

To recap, vulnerability deals with the theoretical, exploitability deals with actuals. You need to be able to identify that while a weakness may be exploitable, there might not be a defined path to exploit the system. The opposite is also true, it’s up to your security team to know the difference, and take the proper action so that your company’s security is not at risk.

How can you tell whether a vulnerability is exploitable? Well, that depends. Vulnerabilities are by definition a weakness in your system – and can lead to the extraction of sensitive data. You should take each vulnerability in a case-by-case basis. It could be that a given vulnerability does not have a large attack surface, meaning there is little a cyber criminal could do to exploit it. It’s also possible that a vulnerability could lead to a massive breach by giving an attack admin privileges to your servers. You’ll need to also examine how the vulnerability could chain together with others on the same system – which would lead to a critical attack.

Companies that take basic security precautions, like environment auditing, are working to ensure that their vulnerabilities cannot be chained and exploited. Other tactics companies can use to make sure they’re meeting security best practices include setting a security baseline, performing regular environmental audits, and adhering to their cloud providers best practices, which may include end-to-end encryption, monitoring file integrity and leveraging multi-factor authentication.

Understanding what is vulnerable and what remains exploitable can help companies prioritize and acknowledge where their security efforts can be improved. Although it is tough, even impossible, to be 100 percent secure, companies can work to minimize threats and ensure best security practices. These practices start with identifying and ensuring good security hygiene to eradicate the possibility of vulnerabilities becoming exploitable. Being able to discern what is vulnerable and what is exploitable makes the world of platform security less scary.

In security, perfect has become the enemy of good. Threats are evolving at an alarming pace, using all sorts of new attack vectors. Organizations must focus on continuously improving their security – detecting a vulnerability or threat early is step one to preventing an exploit. If you’re realistic about what systems are vulnerable (and can wait to be addressed), and what vulnerabilities are exploitable (and need to be addressed now), that can help funnel your resources toward the most critical areas.

By Chris Gervais

Chris Gervais

Chris Gervais, VP of Engineering. As Threat Stack's head of Engineering, Chris is passionate about building, not only a rock solid, high-performance product, but also a team of elite engineers, industry best processes and a culture that attracts the best talent. Prior to Threat Stack, Chris held senior positions at lifeIMAGE, Enservio, Partners Healthcare, Inc., Inflexxion, Inc. and VIS Corporation, where he was responsible for engineering, technical operations, and technology strategy for cloud platforms.

View Website
Chris

Why Containers Can’t Solve All Your Problems In The Cloud

Containers and the cloud Docker and other container services are appealing for a good reason - they are lightweight and ...
Do Not Rely On Passwords To Protect Your Online Information

Do Not Rely On Passwords To Protect Your Online Information

Do Not Rely On Passwords Simple passwords are no longer safe to use online. John Barco, vice president of Global ...
Driving Transformation? It is possible to predict the future.

Driving Transformation? It is possible to predict the future.

Driving Transformation Previously, I wrote about the criticality of defining the Vision for your transformation - what is your real objective, how ...
Numeraire Cryptocurrency

Digital Cashless Society: Dystopian Nightmares or Utopian Dreams

Digital Cashless Society A truly digital cashless society was long the realm of dystopian nightmares (or utopian dreams depending on ...
My Fascination with Amazon Go

My Fascination with Amazon Go

Amazon Go Recently, Amazon unveiled the world’s first completely self-service, no checkout, grocery store — and it’s really captured the public’s imagination. Lines ...
Biometric Authentication

Passwords: More Secure Than Biometric Authentication?

Biometric Authentication Biometrics has long granted or denied access to secure things like premises and vehicles. Now it is being ...
Palo Alto Networks Commitment to Educating European CEOs and Boards on Cybersecurity as a Business Issue

Palo Alto Networks Commitment to Educating European CEOs and Boards on Cybersecurity as a Business Issue

In recent years, the topic of cybersecurity awareness, education, training, and skills has grown in importance across the European Union. On each trip I take to Brussels, I am struck by how this is a ...
Teradata sues Germany's SAP, alleging it stole trade secrets

Teradata sues Germany’s SAP, alleging it stole trade secrets

FRANKFURT (Reuters) - SAP SE, Europe’s most valuable technology company, was sued on Wednesday by U.S. company Teradata, which accused it of stealing trade secrets, copyright infringement and anti-trust violations. The case, filed at the ...
AI Storms Top Supercomputing Show – NVIDIA Brings Talks, Training, Demos, and More to ISC

AI Storms Top Supercomputing Show – NVIDIA Brings Talks, Training, Demos, and More to ISC

This is what smart people do for fun. Detecting gravitational waves millions of light years away, in real time. Powering computationally fast quantum mechanical simulations at high accuracy and low cost. Proving the feasibility of ...