Vulnerability Assessment
A vulnerability in cybersecurity refers to a weakness or flaw in a system's design, implementation, or behavior that can be exploited by an attacker to gain unauthorized access or perform unauthorized actions. For example, NIST defines it as a weakness in an information system or its security procedures that could be exploited by a threat source.
In short, a vulnerability is a security gap that can be used by attackers to compromise a system.
A vulnerability assessment is the process of identifying, evaluating, and prioritizing security weaknesses in systems, networks, or applications. It involves scanning for vulnerabilities, analyzing their potential impact, and providing recommendations for mitigating or fixing them to reduce the risk of exploitation by attackers.
| Vulnerability Type | Description | Example |
|---|---|---|
| Operating System | Vulnerabilities found within operating systems, often leading to privilege escalation. | A user gaining unauthorized admin-level access. |
| (Mis)Configuration-based | Vulnerabilities stemming from incorrectly configured applications or services. | A website exposing customer details due to a misconfigured database. |
| Weak or Default Credentials | Occur when applications and services that require authentication ship with, or are left on, default or weak credentials, making them easy for attackers to guess. | An admin dashboard with "admin/admin" as the default username and password. |
| Application Logic | Result from poorly designed applications, where flaws in the business logic let attackers make the system do something it was never meant to allow. | Poorly implemented authentication allowing attackers to impersonate other users. |
| Human-Factor | Vulnerabilities that exploit human behaviour, usually relying on deception or manipulation rather than a software flaw. | Phishing emails tricking users into providing sensitive information. |
Vulnerability management is the process of identifying, categorizing, and addressing security vulnerabilities in an organization. Since it is impractical to fix every vulnerability, organizations focus on the most dangerous ones, as only around 2% of vulnerabilities are typically exploited.
Vulnerability scoring, such as the Common Vulnerability Scoring System (CVSS), is crucial for prioritizing vulnerabilities by assessing their potential risk and impact. Different frameworks exist to support vulnerability management, each with varying approaches.
The Common Vulnerability Scoring System (CVSS) was introduced in 2005 and is the most widely used framework for scoring the severity of vulnerabilities. It has been revised several times: v1 (2005), v2 (2007), v3.0 (2015), v3.1 (2019) and v4.0, which FIRST published in November 2023; v3.1 remains the version most scanners and vulnerability databases report today. CVSS derives a score from several factors, such as how easily the flaw can be exploited (attack vector, complexity, privileges and user interaction required), how it affects the Confidentiality, Integrity and Availability (CIA) triad, and, in the optional temporal metrics, whether working exploit code exists. Because the formula is fiddly, a calculator is normally used to produce the number. The final score maps onto one of five qualitative severity ratings.
CVSS Qualitative Severity Rating Scale

| Rating | Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Advantages of CVSS:
- It has been in use for a long time and is well established.
- It is the scoring system most organisations already use in vulnerability assessment.
- It is free to use and recommended by standards bodies such as NIST.

Disadvantages of CVSS:
- It was designed to rate severity, not to prioritise remediation; a 9.8 on an unreachable test box is still a 9.8.
- It leans heavily on exploit availability, yet only about 20% of vulnerabilities have a known public exploit.
- Base scores rarely change once published, even when new factors such as a working exploit emerge later.
Vulnerability Priority Rating (VPR) is a modern, risk-driven framework for vulnerability management developed by Tenable. Unlike CVSS, VPR focuses on the specific risk a vulnerability poses to an organization, rather than its overall impact. VPR only considers vulnerabilities relevant to the organization, meaning if a company doesn't use the affected software, the vulnerability is not prioritized. Additionally, VPR scores are dynamic and can change over time as vulnerabilities age.
VPR uses a similar scoring range to CVSS but does not have a "None/Informational" category, and the same vulnerability may receive different scores in VPR compared to CVSS.
VPR Qualitative Severity Rating Scale

| Rating | Score Range |
|---|---|
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Advantages of VPR:
- It is a modern framework built around real-world exploitation rather than theoretical severity.
- It considers over 150 factors when calculating risk.
- It is risk-driven, so it directly supports deciding what to patch first.
- Scores are dynamic and adjust as vulnerabilities age or new threat intelligence arrives.

Disadvantages of VPR:
- It is not open; the scoring is proprietary to Tenable and requires its commercial platform.
- It places less emphasis on the CIA triad (Confidentiality, Integrity, Availability) than CVSS does.
In cybersecurity, you'll encounter various applications and services, each with unique designs and potential vulnerabilities. Fortunately, there are online resources that track vulnerabilities for different software and systems. Two key databases for this purpose are:
NVD (National Vulnerability Database) [https://nvd.nist.gov/]
Exploit-DB [https://exploit-db.com]
Before using these databases, it's important to understand key terms:
Vulnerability: A weakness in the design, implementation, or behavior of a system or application.
Exploit: An action that leverages a vulnerability to compromise a system.
Proof of Concept (PoC): A tool or technique that demonstrates the exploitation of a vulnerability.