by Cesar Navas
October 16, 2017
An asset is no longer just a laptop or server. Assets have developed into a complex mix of digital platforms and other devices, which represent an organizations modern attack surface. Assets and their associated vulnerabilities are constantly expanding and contracting. This elastic attack surface has created a massive gap in an organization’s ability to truly understand its Cyber Exposure at any given time.
Tenable.io conducts live discovery of every modern asset across the computing environment. This live discovery provides continuous visibility into where an asset is vulnerable or secure, and assists organizations understand the impact of each vulnerability and the threat posed. Severity ranking using the Common Vulnerability Scoring System (CVSS) provides organizations with a greater understanding of the impact of each threat posed.
The CVSS is a method to define and characterize the severity of a vulnerability. Vulnerabilities are scored on a scale of 0 to 10, with a score of 10 considered to be the most severe. Vulnerabilities with a CVSS base score of 10 have a severity level of critical. In addition to specifying the severity of a vulnerability, industry sources are checked to determine if a publically-known exploit for the vulnerability exists.
Critical and exploitable vulnerabilities create gaps in the network's integrity, which attackers can take advantage of to gain access to the network. Once inside the network, an attacker can perform malicious attacks, steal sensitive data, and cause significant damage to critical systems. By identifying the most severe vulnerabilities, analysts and security teams can better focus patch management efforts and better protect the network, thereby reducing the organization’s Cyber Exposure gap.
This report provides information on critical and exploitable vulnerabilities that have been detected on the network. The report utilizes data such as the CVSS base score and information from exploit frameworks including Metasploit, Core Impact, Canvas, Elliot, and ExploitHub to accurately represent and communicate cyber risk to the business unit.
The report presents a cumulative view of the data to provide an analyst with a comprehensive understanding of the discovered critical and exploitable vulnerabilities. Using various visual aids, the report displays the data in an easy to understand manner. The information from this report will enable analysts to discover assets, measure the attack surface, prioritize, and remediate critical and exploitable vulnerabilities in a timely manner.
While assisting executives, the report also is beneficial to risk management and system administrators, providing data on the critical and exploitable vulnerabilities existing within the environment. When using this report, the security team can add target groups to the report template and report to different asset managers on the risk to their specific areas of concern. System administrators can take the same reports as actionable items to help set the priority to corrective actions and mitigation strategies. Overall this report is beneficial to several groups within the organization to better reduce cyber risk.
Cyber Exposure will help the risk management leaders drive a new level of dialogue with the business. By being able to know which areas of your business are vulnerable or exploitable, management can more effectively measure the organization’s Cyber Risk. For example, how much and where to invest to reduce risk to an acceptable amount and help drive strategic business decisions. Tenable.io is the first solution in Cyber Exposure to provide the key risk metrics businesses need to measure risk exposures.
Chapters
Executive Summary - This chapter provides a series of tables and charts to provide a summary view of critical vulnerabilities and the comparison to the exploitability of the vulnerability. The tables provide two views, one with vulnerabilities discovered in the last 30 days, and the other view of vulnerabilities to the exploit framework. The trend analysis provides a 6-month view of exploitable critical vulnerabilities and overall count of total critical vulnerabilities over the past 6 months.
Exploitable Vulnerability Summary - This chapter displays a summary of top exploitable critical vulnerabilities. The chapter contains a bar chart of the top 20 exploitable systems, a table of top 10 systems with system details, a port summary, and the top exploitable critical vulnerabilities.
Critical Vulnerability Summary - This chapter displays a summary of top critical vulnerabilities. The chapter contains a bar chart of the top 20 systems, a table of top 10 systems with system details, a port summary, and the top critical vulnerabilities.