When Secure Ideas writes up a report from a penetration test, architecture review, or any other security assessment, the findings are an obviously significant part of the report. But how do we determine their risk rating? Which is to say, how do we decide which findings pose a higher degree of risk to the organization when compared to others? There are several methods that a security consulting team may leverage to determine vulnerability risk. These range from using complex scoring formulas (i.e. a very quantitative methodology) to a determination based on experience (i.e. a more qualitative methodology).
Over the hundreds of penetration tests that we, at Secure Ideas, have conducted, we have found that most quantitative (or scorecard) methodologies are fundamentally flawed and overly complicated. This is because even though they deal with numeric scores, the individual components of these are still based on estimation and opinions. This means what we are made to believe is quantitative is really just a complicated qualitative score in disguise. Secure Ideas has opted to leverage our extensive experience to use a simple, qualitative scoring methodology.
The simple answer is that the risk ranking is based on the consultant’s experience and their understanding of the target organization. We evaluate each finding and designate it's risk as Critical, High, Medium, or Low based on what it is and how it is influenced by the following three aspects:
Each of these factors is assessed individually and in combination, to determine the overall risk designation. These assessments are based on Secure Ideas’ professional judgment and experience providing consulting services to enterprises across the country for many years.
The following risk level descriptions demonstrate the types of vulnerabilities designated in each category.
Vulnerabilities found that are being actively exploited in the wild and are known to lead to remote exploitation by external attackers. These security flaws are likely to be targeted and can have a significant impact on the business. These require immediate attention in the form of a workaround or temporary protection. When discovered, Secure Ideas immediately stops all testing and contacts the client for further instructions. Examples of this may include external-facing systems with known remote code execution exploits or remote access interfaces with weak or default credentials.
Vulnerabilities found that could lead to exploitation by internal or remote attackers. These security flaws are likely to be targeted and can have a significant impact on the business. These flaws may require immediate attention for temporary protection, but often require more systemic changes in security controls. Some examples include command injection flaws, use of end-of-life software, and default credentials.
Vulnerabilities or services found that could indirectly contribute to a more significant incident; or that are directly exploitable to the extent that is somewhat limited in terms of availability and/or impact. This class of vulnerability is unlikely to lead to a significant compromise on its own, however, can pose a substantial danger when combined with others. Some examples include weak transport layer security on a sensitive transaction, insufficient network segmentation, or the use of vulnerable software libraries.
Vulnerabilities or services that, when found alone, are not directly exploitable and present little risk, but may provide information that facilitate the discovery or successful exploit of other flaws. Examples include disclosure of server software versions and debugging messages.
As you evaluate providers or read a report from your penetration test, now you are able to understand a little more about the process that evaluated and determined the risk level. This can also help with how our penetration tests run, why you need to perform penetration testing, and how you can prioritize your remediation efforts.