
Tenable Blog

How Vulnerable Are We?

CISOs often ask “How vulnerable are we?” when presented with vulnerability metrics and reports. As the head of a security team, are you prepared to answer that question? The answer often lies in the relationship between vulnerability and exploitability. All exploitable vulnerabilities are, of course, vulnerabilities. But when a vulnerability isn’t marked “exploitable,” what does that mean? The most accurate answer is that an exploit hasn’t been discovered (or made public) yet; the vulnerability still has the potential to be exploited.

Tenable.io™ helps you better understand the vulnerability of your network and your risk exposure with the data presented in the Critical and Exploitable Vulnerabilities report.

First, let’s clear up some terminology.

Vulnerabilities

In computer security, a "vulnerability" is a weakness in the measures taken to secure a system that may allow unauthorized access to privileged data. In its simplest form, a misconfiguration of file-level permissions can grant unauthorized users access to a file, folder, application, or service. In a more complex example, unpatched versions of SMB on Windows hosts allow attackers to bypass authentication and execute code remotely, as demonstrated by the WannaCry ransomware. Regardless of how simple or complex the vulnerability is, the question quickly becomes: can the vulnerability be exploited? Tenable.io leverages your scan data to provide accurate insight into all the vulnerabilities detected in your organization.

Exploits

The term "exploit" is commonly used to describe software that has been developed to attack an asset by taking advantage of a vulnerability. The objective of many exploits is to gain control of an asset. For example, a successful exploit of a database vulnerability can give an attacker the means to collect or exfiltrate all the records from that database, resulting in a data breach. Other exploits target a vulnerability in order to gain remote administrative privileges on a host. With Tenable.io, you can identify which hosts in your network have exploitable vulnerabilities and prioritize remediation efforts accordingly.

Exploit frameworks

Security researchers know that to truly test and understand the nature of exploiting a vulnerability, an exploit framework is needed. An exploit framework is an abstraction in which the foundation of the software provides the generic functionality, and users write code modules to perform specific tasks. For example, the developers of Metasploit, Core Impact and several others created exploit frameworks that package common attack techniques and delivery methods, while the users create the actual exploit modules. These frameworks can be used by inexperienced attackers to mount an attack that looks sophisticated, because most of the difficult work has already been done by the framework. For example, once you understand how to use the framework to exploit one buffer overflow, replicating the attack against another seems trivial. The industry is seeing a rise in malware that appears to have been developed using these exploit frameworks as they become more popular. Tenable.io enables you to search for vulnerabilities in your network for which a module exists in a specific exploit framework.

The Tenable.io solution

Tenable.io can easily identify systems that are more vulnerable and exploitable than other systems. The Critical and Exploitable Vulnerabilities report provides detailed information on these hosts.

Tenable.io Critical and Exploitable Vulnerabilities report

The chapters in the Critical and Exploitable Vulnerabilities report give you a comprehensive list of the hosts on your network with critical or exploitable vulnerabilities identified during vulnerability scanning. Also included are the top ports on which those vulnerabilities were found and lists of the most critical or exploitable vulnerabilities. All of this detailed information can be used to prioritize hosts and vulnerabilities for remediation.

The Critical Vulnerabilities tables in two of the chapters list the most pervasive exploitable and critical vulnerabilities. Remediating the vulnerabilities in these lists first is the most efficient way to reduce the overall vulnerability and risk exposure of the network, because each fix removes the finding from many hosts at once.
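To make the prioritization logic of the report concrete, here is an added example (not Tenable code) that reproduces its three views over a small constructed set of scan findings: hosts ranked by exploitable and critical findings, the ports most often affected, and the most pervasive critical or exploitable vulnerabilities. The field names and sample rows are assumptions for the example, not the product's export format.

```python
from collections import Counter

# Constructed sample findings in the shape of a scan export: one row per
# host/port/plugin. Values are made up for this example, not real scan data.
FINDINGS = [
    {"host": "10.0.0.5", "port": 445, "name": "MS17-010 SMB RCE",
     "severity": "Critical", "exploit_available": True, "frameworks": ["Metasploit"]},
    {"host": "10.0.0.5", "port": 3306, "name": "MySQL default credentials",
     "severity": "High", "exploit_available": True, "frameworks": ["Metasploit", "Core Impact"]},
    {"host": "10.0.0.7", "port": 445, "name": "MS17-010 SMB RCE",
     "severity": "Critical", "exploit_available": True, "frameworks": ["Metasploit"]},
    {"host": "10.0.0.7", "port": 80, "name": "Web server information disclosure",
     "severity": "Low", "exploit_available": False, "frameworks": []},
    {"host": "10.0.0.9", "port": 22, "name": "OpenSSH outdated version",
     "severity": "Critical", "exploit_available": False, "frameworks": []},
]

def critical_or_exploitable(findings):
    """Rows that belong in the report: critical severity or a known exploit."""
    return [f for f in findings
            if f["severity"] == "Critical" or f["exploit_available"]]

def rank_hosts(findings):
    """Hosts ordered by exploitable count, then critical count, then name."""
    score = {}
    for f in critical_or_exploitable(findings):
        ex, cr = score.get(f["host"], (0, 0))
        score[f["host"]] = (ex + int(f["exploit_available"]),
                            cr + int(f["severity"] == "Critical"))
    return sorted(score, key=lambda h: (-score[h][0], -score[h][1], h))

def top_ports(findings, n=3):
    """Most frequently affected ports among critical/exploitable rows."""
    return Counter(f["port"] for f in critical_or_exploitable(findings)).most_common(n)

def top_vulnerabilities(findings, n=3):
    """Most pervasive critical/exploitable findings, by number of hosts affected."""
    hosts = {}
    for f in critical_or_exploitable(findings):
        hosts.setdefault(f["name"], set()).add(f["host"])
    return sorted(((name, len(h)) for name, h in hosts.items()),
                  key=lambda x: (-x[1], x[0]))[:n]

def frameworks_present(findings):
    """Exploit frameworks with a module for at least one detected finding."""
    return sorted({fw for f in findings for fw in f["frameworks"]})

if __name__ == "__main__":
    print(rank_hosts(FINDINGS), top_ports(FINDINGS), top_vulnerabilities(FINDINGS))
```

Note that the host with an unexploited critical finding (10.0.0.9) still appears in the report but ranks below hosts with known exploits, which is the distinction the post draws between vulnerable and exploitable.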

Critical Vulnerabilities table list

Regardless of your approach to mitigating risks identified by Tenable.io – applying patches, configuring mitigating controls, or hardening operating systems – the first step is to qualify the risks clearly into actionable tasks and deliverables. Tenable.io provides information security professionals with the tools and resources needed to perform a detailed qualitative analysis of the risk that threatens business assets. The Critical and Exploitable Vulnerabilities report provides insight into your current risk exposure. Armed with Tenable.io, you’ll be prepared to give an accurate answer the next time the CISO asks you how vulnerable your organization is.

Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks, and helps track improvements over time. Get a free trial of Tenable.io Vulnerability Management for 60 days.
