How are findings risk-ranked?
When Secure Ideas writes up a report from a penetration test, architecture review, or any other security assessment, the findings are a significant part of that deliverable. But how do we determine their risk rating? Which is to say, how do we decide which findings pose a higher degree of risk to the organization when compared to others? There are several methods that a security consulting team may leverage to determine vulnerability risk. These methods range from using complex scoring formulas (i.e., a very quantitative methodology) to a determination based on experience (i.e., a more qualitative methodology).
Over the hundreds of penetration tests that we, at Secure Ideas, have conducted, we have found that most quantitative (or scorecard) methodologies are fundamentally flawed and overly complicated. This is because even though they deal with numeric scores, the quantitative methodologies' individual components are still based on estimations and opinions. This means what we are made to believe is quantitative is really just a complicated qualitative score in disguise. Secure Ideas has opted to leverage our extensive experience to use a simple, qualitative scoring methodology.
The simple answer is that the risk ranking is based on the consultant's experience and understanding of the target organization. We evaluate each finding and designate its risk as Critical, High, Medium, or Low based on what it is and how the following three aspects influence it:
- Potential Threats: When looking at potential threats, Secure Ideas evaluates the type of attack, who would be trying to leverage the flaw, and what type of expertise it would need to be successful. (Expertise comes in two forms: knowledge of the system and understanding of the attack mechanism.)
- Likelihood of Attack: The second piece we use to determine risk rating is a series of considerations. These include attacker motivations, the complexity of the attack vector, and potentially mitigating security controls.
- Possible Impact: Finally, for each finding, Secure Ideas considers the potential damage to the organization resulting from a successful attack.
Each of these factors is assessed individually and in combination to determine the overall risk designation. These assessments are based on Secure Ideas' professional judgment and experience providing consulting services to enterprises across the country for many years.
The following risk level descriptions demonstrate the types of vulnerabilities designated in each category.
This rating is for vulnerabilities that are being actively exploited in the wild and are known to lead to remote exploitation by external attackers. These security flaws are likely to be targeted and can have a significant impact on the business. These require immediate attention in the form of a workaround or temporary protection. When discovered, Secure Ideas immediately stops all testing and contacts the client for further instructions. Examples of this may include external-facing systems with known remote code execution exploits or remote access interfaces with weak or default credentials.
High rated vulnerabilities are those that could lead to exploitation by internal or remote attackers. These security flaws are likely to be targeted and can have a significant impact on the business. These flaws may require immediate attention for temporary protection, but often require more systemic changes in security controls. Some examples include command injection flaws, use of end-of-life software, and default credentials.
Medium rated vulnerabilities could indirectly contribute to a more significant incident or could be directly exploitable to the extent that is somewhat limited in terms of availability or impact. This vulnerability class is unlikely to lead to a significant compromise on its own; however, it can pose a substantial danger when combined with others. Some examples include weak transport layer security on a sensitive transaction, insufficient network segmentation, or the use of vulnerable software libraries.
When found alone, low-rated vulnerabilities are not directly exploitable and present little risk but may provide information that facilitates the discovery or successful exploit of other flaws. Examples include the disclosure of server software versions and debugging messages.
As you evaluate providers or read a report from your penetration test, you can now understand a little more about the process that evaluated and determined the risk level. We hope this information can help you understand how our penetration tests run, why you need to perform penetration testing, and how you can prioritize your remediation efforts.