Penetration Testing mailing list archives

Re: when to fix, when not to fix the vuln.


From: Todd Haverkos <infosec () haverkos com>
Date: Sun, 25 Jul 2010 01:01:46 -0500

a bv <vbavbalist () gmail com> writes:

Hi,
Someone gave you a pentest report, or a basic tool scan report, or
you have done the scan. There are vulnerabilities found and listed.
How do you understand the vuln., and when do you try to
fix it, or when don't you fix it?
Regards

One part of your question is relatively easy--if the pen test report
doesn't include that value add of explaining the vulnerabilities
they're listing, your penetration tester isn't doing their job.   With
simpler vuln scans, it's not nearly as surprising for a customer to
have to go and do more of the research and risk assessment on their
own. 

In the report, hopefully there are CVE numbers as applicable by which
you can dig in to the various resources linked from the CVE number,
BugTraq ID (BID), or NessusID of the vuln (assuming the scan was done
with Nessus, for instance).  http://cve.mitre.org/cve/ would be one
place to start.  http://securityfocus.com/vulnerabilities is still
very useful as well.  If the report addresses vulnerabilities found in
custom applications, the OWASP Guide or OWASP Top 10 Projects may have
the additional information you seek.   http://owasp.org/ 

Fix everything you can reasonably afford to fix.  When the fix
involves patching, this is generally an easy decision to fix, but
there are environments (air gapped networks for instance) that have a
risk profile such that patching itself is considered a bigger risk to
availability than the security threat would be to the rest of the CIA
triad. 

When the fix involves more than the relatively simple "apply
vendor-supplied software update" then it gets interesting.  To
determine the stuff that is too expensive to fix, the notion of "loss
expectancy" and risk come into play.  And some of the quantifying
there blurs from science into the art category.  If the flaw
discovered is in a custom written web app, or in an application the
vendor isn't supporting very well, things get more interesting still.
This is where the notions of "virtual patching" may be useful looking
to protections that can be afforded by IPS and WAF technology...which
introduce their own issues.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
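An added example to go with the two practical points in the reply above (pulling the CVE/BID identifiers out of a report so they can be looked up, and weighing loss expectancy against the cost of a fix or a compensating control). This is illustration code written for this page, not something Todd or the list posted. The report excerpt is constructed and its CVE/BID values are placeholders, not real advisories; the lookup URL forms for cve.mitre.org and securityfocus.com are assumed; the ALE formula (single loss expectancy times annualized rate of occurrence) is the standard one, while the three-year amortization horizon and the fix/virtual-patch/accept decision rules are assumptions you would replace with your own policy.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed scan-report excerpt (placeholder identifiers, not real advisories).
SAMPLE_REPORT = """\
Plugin 12345 - Example Service Remote Code Execution (CVE-2010-0001, BID 40001)
Plugin 12346 - Weak TLS configuration (CVE-2009-1234)
Plugin 12347 - Custom web app: SQL injection in /login (no CVE)
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
BID_RE = re.compile(r"\bBID\s+(\d+)\b")


def reference_links(report_text: str) -> dict:
    """Map every CVE and BID identifier in a report to a lookup URL.

    URL forms are assumed; check them against the current sites.
    """
    links = {}
    for cve in CVE_RE.findall(report_text):
        links[cve] = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + cve
    for bid in BID_RE.findall(report_text):
        links["BID-" + bid] = "http://www.securityfocus.com/bid/" + bid
    return links


@dataclass
class Finding:
    name: str
    sle: float                 # single loss expectancy: cost of one incident
    aro: float                 # annualized rate of occurrence (0.5 = once in 2 years)
    fix_cost: float            # one-time cost to remediate properly
    vendor_patch: bool         # a vendor-supplied update exists
    compensating_cost: Optional[float] = None  # annual cost of an IPS/WAF "virtual patch"
    patch_risk_exceeds_threat: bool = False    # e.g. air-gapped, uptime-critical host


def ale(f: Finding) -> float:
    """Annualized loss expectancy = SLE * ARO (standard formula)."""
    return f.sle * f.aro


def triage(f: Finding, horizon_years: int = 3) -> Tuple[str, str]:
    """Decide 'fix', 'virtual-patch' or 'accept' and give the rationale.

    Assumed policy: a vendor patch is applied unless patching itself is the
    bigger availability risk; otherwise the fix cost amortized over the
    horizon is compared with ALE, then a compensating control is considered.
    """
    annual_loss = ale(f)
    if f.vendor_patch and not f.patch_risk_exceeds_threat:
        return "fix", f"vendor patch available; ALE ${annual_loss:,.0f}/yr"
    fix_annual = f.fix_cost / horizon_years
    if fix_annual <= annual_loss:
        return "fix", f"fix ${fix_annual:,.0f}/yr <= ALE ${annual_loss:,.0f}/yr"
    if f.compensating_cost is not None and f.compensating_cost < annual_loss:
        return "virtual-patch", (f"fix ${fix_annual:,.0f}/yr > ALE; "
                                f"IPS/WAF ${f.compensating_cost:,.0f}/yr < ALE")
    return "accept", f"fix ${fix_annual:,.0f}/yr > ALE ${annual_loss:,.0f}/yr"


if __name__ == "__main__":
    for ident, url in reference_links(SAMPLE_REPORT).items():
        print(ident, url)
    # Constructed findings for the three situations the reply describes.
    findings = [
        Finding("RCE, patch available", 200_000, 0.5, 2_000, True),
        Finding("air-gapped host, patch risks uptime", 50_000, 0.05, 30_000, True,
                patch_risk_exceeds_threat=True),
        Finding("custom web app SQLi, WAF available", 100_000, 0.3, 120_000, False,
                compensating_cost=8_000),
    ]
    for f in findings:
        decision, why = triage(f)
        print(f"{f.name}: {decision} ({why})")
```

The numbers are the part that "blurs from science into art": SLE and ARO are estimates, so it is worth re-running the decision with pessimistic and optimistic values before accepting a finding rather than fixing it.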
