Question
RISK DEEP DIVE

Prioritizing Vulnerabilities

Let's say you get an application penetration testing report back for your internal intranet site, and there are two findings as follows:

1. Cross-site scripting vulnerability

2. Privilege escalation vulnerability

Both were rated as high risks by the testing team, but there are only enough development resources to fix one in the next release of the intranet application. How would you advise senior management?

If you aren't familiar with the details of these vulnerabilities, start with a quick Google search. Cross-site scripting on a public-facing application might be a big risk, but for an internal application, it just isn't as exploitable. The privilege escalation has a much higher likelihood of being abused because it would be a more attractive attack vector for malicious insiders.

Keep in mind that risk can never be eliminated unless the threat is completely removed, the weakness is totally fixed, or the scenario is avoided altogether. As opposed to remediation actions that would fix a vulnerability, most mitigation actions are simply going to decrease the risk. For example, putting in a firewall is a mitigation step that doesn't eliminate the risk of a network compromise, but it does reduce the likelihood of this occurrence. Automatically purging sensitive data from a server after 90 days may reduce the severity of a compromise because less data is exposed. The goal is to reduce risk to an acceptable level without hindering business processes. If you get caught up in trying to eliminate (or remediate) every risk, you may be wasting resources. A certain level of risk exposure is almost always acceptable.

Q1: Discuss and identify, how the risk was reduced to the acceptable level in the organization?


Q2: Can you recommend any other solution to reduce the risk level to an acceptable level in the above scenario?

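The passage reasons about likelihood, severity, remediation versus mitigation, and an "acceptable level" of risk in words only. The following is an added example, written for this page and not taken from the textbook or the question: a small residual-risk model that scores the two findings in context, picks which one to fix with a fixed development budget, and re-scores the one left open after compensating controls are attached. The 1-5 scales, the acceptable-risk threshold of 6, the developer-day costs, and the two controls chosen for the XSS finding (HttpOnly/SameSite cookies, WAF rules on the intranet reverse proxy) are all assumptions made for illustration; the scores a real report carries would replace them.

```python
"""Residual-risk scoring for penetration-test findings (added example, not the textbook's).

Assumptions (illustrative, not from the report): likelihood and impact on a 1-5 scale,
risk = likelihood * impact, and a residual score of ACCEPTABLE_RISK or less is accepted
by management without further spend.
"""
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # assumed management threshold


@dataclass
class Control:
    name: str
    likelihood_delta: int = 0  # mitigation that lowers how likely abuse is (the text's firewall)
    impact_delta: int = 0      # mitigation that lowers the damage (the text's 90-day data purge)
    remediates: bool = False   # remediation: the weakness itself is removed


@dataclass
class Finding:
    name: str
    likelihood: int  # 1 (rare) .. 5 (near certain), judged in context (internal vs public-facing)
    impact: int      # 1 (negligible) .. 5 (severe)
    fix_days: int    # developer effort to remediate in the next release
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk left after the attached controls. A remediation removes the risk entirely;
        mitigations only lower one factor, and never below 1 (risk is not eliminated)."""
        if any(c.remediates for c in self.controls):
            return 0
        lik = max(1, self.likelihood - sum(c.likelihood_delta for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_delta for c in self.controls))
        return lik * imp

    def acceptable(self) -> bool:
        return self.residual_risk() <= ACCEPTABLE_RISK


def choose_fixes(findings: list[Finding], dev_days: int) -> list[str]:
    """Greedy choice for a fixed budget: the finding with the largest risk reduction per
    developer-day goes first; anything that no longer fits the remaining budget is skipped."""
    ranked = sorted(findings, key=lambda f: f.residual_risk() / f.fix_days, reverse=True)
    chosen, remaining = [], dev_days
    for f in ranked:
        if f.residual_risk() > 0 and f.fix_days <= remaining:
            chosen.append(f.name)
            remaining -= f.fix_days
    return chosen


def sample_findings() -> tuple[Finding, Finding]:
    """Constructed scores for the textbook scenario (assumed values, not a real report)."""
    # Internal-only exposure keeps XSS likelihood low; impact still matters (session theft).
    xss = Finding("Cross-site scripting", likelihood=2, impact=4, fix_days=5)
    # Attractive to malicious insiders, and a successful abuse is severe.
    privesc = Finding("Privilege escalation", likelihood=4, impact=5, fix_days=5)
    return xss, privesc


def plan_release(dev_days: int = 5) -> dict:
    """Decide what to fix now, mitigate the rest, and report residual risk per finding."""
    xss, privesc = sample_findings()
    findings = [xss, privesc]
    fixes = choose_fixes(findings, dev_days)
    for f in findings:
        if f.name in fixes:
            f.controls.append(Control("code fix in the next release", remediates=True))
    # The finding that did not make the release gets compensating controls (assumed examples).
    if xss.name not in fixes:
        xss.controls.append(Control("HttpOnly/SameSite session cookies", impact_delta=2))
        xss.controls.append(Control("WAF rules on the intranet reverse proxy", likelihood_delta=1))
    return {
        "fix_now": fixes,
        "inherent": {f.name: f.inherent_risk() for f in findings},
        "residual": {f.name: f.residual_risk() for f in findings},
        "accepted": {f.name: f.acceptable() for f in findings},
    }


if __name__ == "__main__":
    for key, value in plan_release(dev_days=5).items():
        print(f"{key}: {value}")
```

With five developer-days, only the privilege escalation is remediated; the XSS finding stays open but its residual score falls below the assumed threshold once the two mitigations are attached, which is the "reduce to an acceptable level" outcome the passage describes rather than an eliminated risk. Raising `dev_days` to 10 fixes both findings, which shows that the advice to management depends on the budget as much as on the ratings.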
