Some argue that vulnerabilities don’t matter unless there’s an available exploit. Do you agree with that statement, or not?
In your 150-300 word response, what is your rationale?
If you respond to another post, be able to defend your counter point in a 150+ word response as well.
Dan Bilenker says
The underlying issue at play here is the concept of risk. A vulnerability is defined as “the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally.” What matters is the extent of the vulnerability, and the depth of damage that could be caused by exploitation. In some cases, a vulnerability may exist that is minor, and the worst-case scenario presents little or no loss. In this instance, an organization may accept the vulnerability, despite an exploitable error, based on a low risk factor. A decision maker may decide that the cost of resolving the deficiency is more costly than the worst-case loss if exploited. In that scenario, an organization is not likely to be concerned about the vulnerability. However, this assumption can prove costly in the long run. A vulnerability may not present a high risk factor at the present time, but available exploits may uncover further vulnerabilities that do pose high risk factors. Unfortunately, technology evolves quickly, and even good penetration testing can miss potential exploits if they are not known to exist yet. It is a best practice to close any vulnerability and avoid the risk of further damage entirely. Organizations should not open up to the possibility of exploitation under any circumstance.
Vince Kelly says
No, I definitely don’t agree. Clearly it would be as silly and impractical to attempt to spend the time and money needed to address every possible vulnerability as it would be trying to anticipate every bad outcome that could happen when planning for a vacation. But that being said, vulnerabilities serve as the ‘sugar rush’ motivators craved by hackers and as such, they fuel enormous expenditures of time, energy and resources both in terms of the offensive and defensive efforts to address them. Like any resource constrained hospital emergency room, the only way to address vulnerabilities is through an on-going process of diligent triage – a process in which you pick what you believe are the most dangerous potential vulnerabilities and then pray that you’ve guessed correctly.
But I think that this also brings up an interesting question, that is, how are *potential* threats perceived and ‘ranked’? What’s the process for determining which particular vulnerability needs the most attention? One might say, ‘Well, duh! That’s what security professionals do!’ but is it? Do security professionals actually drive this discussion, or is it driven by those who have a vested interest in its outcome, security software and hardware vendors for example? From a purely cynical perspective, one might argue that in the hyper-competitive world of systems software and hardware sales, vendors are constantly struggling to differentiate themselves in a crowded market, and as such they are continually adding features and ‘unique architectures’ that other vendors don’t have. This begs the question: does this behavior encourage a practice of ‘advertising vulnerability problems that conveniently fit their solutions’? Falling back on the medical industry analogy, medical providers are often accused of ordering unnecessary tests and treatments; they would argue that they’re just being cautious and methodical, but others might claim that this behavior drives huge outcomes and ripple effects.
Duy Nguyen says
A vulnerability is defined as the quality or state of being exposed to the possibility of being attacked or harmed. In my opinion, all vulnerabilities matter, even ones that do not have exploits. All vulnerabilities add to the risk an organization must account for, even accepted risk. Accepting a risk or vulnerability means the organization has documented the vulnerability and accepted the loss in the event of its exploitation. If the cost to mitigate the vulnerability is greater than the loss incurred in the event of an exploit, the organization has determined that it’s tolerable. It’s not that the vulnerability currently doesn’t have exploits, but good risk management and clear assessment of vulnerabilities. With the advancement in technology and advancements in hacking techniques, one can argue that any vulnerability will be exploited sooner or later.
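The triage Vince Kelly describes and the cost-versus-loss acceptance Duy Nguyen describes can be made concrete in a small risk register. The following is an added example, not part of any post in this thread: it uses the standard annualized loss expectancy (ALE = SLE × ARO) to rank findings and compares ALE with mitigation cost to decide "accept" or "mitigate". The findings, the currency figures, and the multiplier applied to likelihood once an exploit is public are all constructed assumptions for illustration; a real register would draw them from the organization's own threat and asset data.

```python
"""Risk register triage (constructed example, not from the discussion posts).

ALE = SLE * ARO
  SLE: single loss expectancy, the loss from one successful exploitation
  ARO: annualized rate of occurrence, expected successful exploitations per year

A public exploit does not change the impact (SLE) of a finding, but it
raises the likelihood (ARO).  The same finding can therefore move from a
documented "accept" to "mitigate" on the day an exploit becomes available,
which is why accepted findings stay on the register and get re-scored.
"""
from dataclasses import dataclass, replace

# Assumption: likelihood multiplier applied once a working exploit is public.
EXPLOIT_LIKELIHOOD_FACTOR = 4.0


@dataclass(frozen=True)
class Finding:
    name: str
    sle: float              # single loss expectancy (currency units)
    aro: float              # baseline rate without a public exploit (per year)
    mitigation_cost: float  # one-time cost to fix (currency units)
    exploit_public: bool = False


def annualized_loss(f: Finding) -> float:
    """ALE for one finding, scaled up if a public exploit exists."""
    factor = EXPLOIT_LIKELIHOOD_FACTOR if f.exploit_public else 1.0
    return f.sle * f.aro * factor


def decide(f: Finding) -> str:
    """Accept the risk only when expected annual loss is below the cost to fix."""
    return "mitigate" if annualized_loss(f) > f.mitigation_cost else "accept"


def triage(findings: list[Finding]) -> list[Finding]:
    """Order the register by expected annual loss, highest first."""
    return sorted(findings, key=annualized_loss, reverse=True)


def reassess_with_exploit(f: Finding) -> tuple[str, str]:
    """Decision before and after an exploit for this finding becomes public."""
    return decide(f), decide(replace(f, exploit_public=True))


def register_report(findings: list[Finding]) -> list[dict]:
    """One row per finding, ranked, with the decision recorded alongside it."""
    return [
        {"name": f.name, "ale": annualized_loss(f), "decision": decide(f)}
        for f in triage(findings)
    ]


# Constructed sample register (all figures are illustrative assumptions).
SAMPLE_REGISTER = [
    Finding("weak cipher suite on internal reporting service",
            sle=20_000, aro=0.05, mitigation_cost=3_000),
    Finding("unauthenticated administrative API",
            sle=500_000, aro=0.5, mitigation_cost=40_000),
    Finding("verbose error pages on public site",
            sle=5_000, aro=0.2, mitigation_cost=500),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(f"{row['ale']:>10,.0f}  {row['decision']:<8}  {row['name']}")
    weak_cipher = SAMPLE_REGISTER[0]
    print("weak cipher, before/after public exploit:",
          reassess_with_exploit(weak_cipher))
```

Running the block ranks the unauthenticated API first (ALE 250,000, mitigate) and records the weak cipher finding as accepted (ALE 1,000 against a 3,000 fix), then shows that same finding flipping to "mitigate" once a public exploit raises its ALE to 4,000. The point of keeping the accepted entry on the register is exactly that re-scoring: acceptance is a dated decision about likelihood, not a statement that the vulnerability has stopped mattering.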
Brandan Mackowsky says
Vulnerabilities always matter, regardless of whether there is an available exploit. While they always matter, the big determining factor is the risk level that they hold. A high or critical risk vulnerability that would greatly impact systems and business operations should be made as secure as possible and heavily monitored to prevent any exploit from occurring, regardless of whether one is currently available or not. A low risk vulnerability only matters because the organization should be aware of it (making it so it matters), but it can choose to accept the risk of it and ignore mitigating it. As long as the organization made the conscious choice to do so, it is still aware of the risk.
Jonathan Reid Kerr says
When looking at the presence of vulnerabilities in a system, it is understandable that one would immediately assume they are inherently dangerous. If someone were to discover such a vulnerability and use it to their advantage, thus creating an exploit, it could lead to catastrophic losses for an organization. This is true; however, time and time again we see companies either completely ignoring vulnerabilities or taking few precautions against them. This has sometimes led to major security breaches, and other times it hasn’t. Either way, it is important that companies are aware of the vulnerabilities their systems have, even if they choose to do little about it. In my opinion, all vulnerabilities should be fixed, though I understand why many are unwilling to do so. It can be costly, and may not even be necessary. If anything, all companies should at least have all of the proper information in order to make informed decisions about vulnerabilities in their systems.