Vulnerability vs. Exploitability: Why they’re different

Vulnerability vs. Exploitability

There is a lot of jargon when it comes to cloud security. While the thought of having a vulnerability in security system seems scary, having an easily exploitable security system is scarier. What’s the difference? How do you prioritize? Well, a vulnerability is a weakness in a software system. Being vulnerable, i.e. having a weakness in your security system, means that one could hypothetically take advantage a misconfiguration to gain elevated privileges. On the flip side, exploitability means that the weakness has a definite path to giving potential attackers access to sensitive information.

Why does the distinction matter? Aren’t they basically the same thing?

In a word: No. There are a few reasons why being vulnerable does not equate to exploitability. An attacker may not have the correct amount of information to exploit the vulnerability, or the attacker may not have proper authentication or access, or may not be able to attack due to existing security controls. Knowing that these qualifiers exist allows your team to focus on more at-risk areas in your environment.

At Threat Stack, we recently conducted an analysis of more than 200 companies running AWS. That analysis found a surprising number of well-documented security Vulnerabilities that can be easily exploited. Among the most egregious was a finding that 73% of the companies analyzed had AWS Security Groups configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic using the root account, which could have severe security repercussions.

sensitive data

However, we also found some vulnerabilities that won’t necessarily be exploited. Multi-factor authentication for AWS users was not being used by 62% of companies. While that may make an organization vulnerable to brute force attacks, there are alternatives to MFAs (like context-aware security) that can keep an organization safe. So long as you some sort of security layer for logins, your security team can focus on areas that are truly at-risk and that can be more easily exploited.

To recap, vulnerability deals with the theoretical, exploitability deals with actuals. You need to be able to identify that while a weakness may be exploitable, there might not be a defined path to exploit the system. The opposite is also true, it’s up to your security team to know the difference, and take the proper action so that your company’s security is not at risk.

How can you tell whether a vulnerability is exploitable? Well, that depends. Vulnerabilities are by definition a weakness in your system – and can lead to the extraction of sensitive data. You should take each vulnerability in a case-by-case basis. It could be that a given vulnerability does not have a large attack surface, meaning there is little a cyber criminal could do to exploit it. It’s also possible that a vulnerability could lead to a massive breach by giving an attack admin privileges to your servers. You’ll need to also examine how the vulnerability could chain together with others on the same system – which would lead to a critical attack.

Companies that take basic security precautions, like environment auditing, are working to ensure that their vulnerabilities cannot be chained and exploited. Other tactics companies can use to make sure they’re meeting security best practices include setting a security baseline, performing regular environmental audits, and adhering to their cloud providers best practices, which may include end-to-end encryption, monitoring file integrity and leveraging multi-factor authentication.

Understanding what is vulnerable and what remains exploitable can help companies prioritize and acknowledge where their security efforts can be improved. Although it is tough, even impossible, to be 100 percent secure, companies can work to minimize threats and ensure best security practices. These practices start with identifying and ensuring good security hygiene to eradicate the possibility of vulnerabilities becoming exploitable. Being able to discern what is vulnerable and what is exploitable makes the world of platform security less scary.

In security, perfect has become the enemy of good. Threats are evolving at an alarming pace, using all sorts of new attack vectors. Organizations must focus on continuously improving their security – detecting a vulnerability or threat early is step one to preventing an exploit. If you’re realistic about what systems are vulnerable (and can wait to be addressed), and what vulnerabilities are exploitable (and need to be addressed now), that can help funnel your resources toward the most critical areas.

By Chris Gervais

Gilad David Maayan
Cloud Security Posture Management Cloud Security Posture Management (CSPM) enables you to secure cloud data and resources. You can integrate CSPM into your development process, to ensure continuous visibility. CSPM is particularly beneficial for DevOps ...
Bitcoin electricity
Bitcoin Heating? Bitcoin mining or cryptocurrency mining has been widely vilified for it’s environmental impact. Why it does draw a huge amount of energy, more and more of it is coming from renewable sources and ...
Matrix
When sci-fi films like Tom Cruise’s Oblivion depict humans living in the clouds, we imagine that humanity might one day leave our primitive dwellings attached to the ground and ascend to floating castles in the ...
Gary Bernstein
Most Dangerous Botnets While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to make it happen. One of the ways to do that is to infect legitimate ...
James Corbishly
Teams Sprawl in the Remote Workspace As working from home has become the new everyday norm, with more employers embracing the remote-work model as a new and likely permanent fixture of the employment world, there ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.