Vulnerable ≠ Exploitable

Ever wonder how much of your time and effort is being wasted fixing things that don’t actually matter?

You may be surprised to hear that a large majority of all vulnerabilities are unexploitable. According to data compiled by Kenna, in 2020, only 2.7% of the vulnerabilities found appeared to be exploitable and only 0.4% of those vulnerabilities were actually observed to be exploited at all.

Traditional agent-based vulnerability scanners and simplistic port-scans aren’t enough.

- Create too much noise
- Ignore how attackers actually think
- Provide no prioritization

So how do you know if it is critical to fix what you find?

The hardest part of cyber security is deciding what NOT to fix.

Spending valuable and scarce time and effort on remediating weaknesses that are not exploitable or do not represent a substantial business impact is itself a risk. Find out more about how to prioritize vulnerabilities in this whitepaper.

Criticality begins with the exploitability of a weakness.

There are many reasons why a finding that a vulnerability scanner, or some pentesters, report as critical may not be exploitable, or may be very difficult to exploit, and hence poses little or no real risk.

No exploit exists

There is no existing exploit available for the vulnerability.

Outdated ≠ exploitable

In the absence of a specific vulnerability, software being merely outdated/obsolete does not pose a critical risk.

Network context

Where the vulnerable asset sits in the network can make the risk informational rather than critical.

High complexity

Several complex and/or impractical conditions must be met before an attacker can exploit the vulnerability.

Not accessible

The vulnerability exists in a part of the software that isn’t accessible from the attacker’s perspective.

Component not in use

The affected software is installed but doesn’t necessarily run in the vulnerable configuration.
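To show how these six criteria turn a pile of "critical" scanner output into a ranked worklist, here is an added example (constructed for this page; not NodeZero's or any scanner's actual logic). The field names, rule order and sample findings are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    ident: str               # scanner's finding id (constructed sample values below)
    scanner_severity: str    # severity as reported by the scanner
    exploit_available: bool  # a working exploit is known to exist
    reachable: bool          # vulnerable code path is reachable from the attacker's position
    component_in_use: bool   # the affected component/configuration is actually active
    internet_exposed: bool   # network context: asset reachable from the internet
    preconditions: int       # impractical conditions an attacker must first satisfy

RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def triage(f: Finding) -> str:
    """Map one finding to a remediation priority using the criteria above (assumed rule order)."""
    if not f.component_in_use or not f.reachable:
        return "informational"          # component not in use / not accessible
    if not f.exploit_available:
        return "low"                    # no exploit exists: track it, don't drop everything
    priority = "critical" if f.internet_exposed else "high"   # network context
    if f.preconditions >= 2:            # high complexity: several impractical conditions
        priority = "medium"
    # never rank a finding above what the scanner itself reported
    return min(priority, f.scanner_severity, key=RANK.__getitem__)

def worklist(findings):
    """Return (ident, scanner_severity, triaged_priority) tuples, most urgent first."""
    rows = [(f.ident, f.scanner_severity, triage(f)) for f in findings]
    return sorted(rows, key=lambda r: RANK[r[2]], reverse=True)

# Constructed sample: every finding was reported "critical" by the scanner.
SAMPLE = [
    Finding("F-1", "critical", True, True, True, True, 0),    # exposed, exploit, no hurdles
    Finding("F-2", "critical", False, True, True, True, 0),   # no exploit exists
    Finding("F-3", "critical", True, False, True, False, 0),  # not accessible to the attacker
    Finding("F-4", "critical", True, True, False, True, 0),   # component not in use
    Finding("F-5", "critical", True, True, True, False, 3),   # high complexity
    Finding("F-6", "critical", True, True, True, False, 0),   # internal network context
]

if __name__ == "__main__":
    for ident, reported, prio in worklist(SAMPLE):
        print(f"{ident}: scanner said {reported}, triaged as {prio}")
```

Of six "critical" findings only one stays critical; the rest drop to high, medium, low or informational, which is the prioritization the scanner output alone never gives you.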

Target End State: Proactive Security Posture

Security Controls

Are you ready to respond to Ransomware? If APT29 is targeting your sector, can you detect and disrupt their known tactics, techniques, and procedures?

So what do you do? Where do you start? From our experience as former CIOs, the best approach is a Catch Up, Keep Up, and Stay Ahead plan.


A Future of Continuous Security Assessment

Over the last decade, more and more CVEs/vulnerabilities are being found and reported, making it very hard to keep pace. It’s snowballing and creating fatigue.

With an annual manual pentest, you have giant craters in your security posture that develop between cycles as critical vulnerabilities come out; systems change with new software, patches and hardware; and personnel turns over.

How can NodeZero help you?

Let our experts walk you through a demonstration of NodeZero, so you can see how to put it to work for your company.
