Critical Risk Classification

Definition ¶

Vulnerabilities with a Critical risk factor are wholly sufficient vulnerabilities to constitute a compromise. In some cases the existence of a Critical vulnerability is a compromise with the underlying data, communication and credentials exposed.

Critical Risks can be summarised as:

This needs fixing right now

Characteristics ¶

Critical Risk Vulnerabilities usually have the following characteristics:

• Do not need targeting as they are easily attacked in a widespread attack. They are found instantly without any specific targeting or focus on behalf of attackers and can be compromised via numerous tools available online
• Do not have a time horizon as their existence infers a compromise - the compromise has already occurred
• Attack surface is total with all components exposed
• Are not common within the industry and carry a large reputation and potentially legal risk

SkySiege Test Examples ¶

• Public AMIs Available - providing a full scan machine available to any AWS customer
• Public RDS Snapshots - providing full database dumps available to any AWS customer
• S3 Buckets with No Restrictions - allowing any internet connected user or system to retrieve any data in the bucket
• Load Balancers Accepting Un-encrypted HTTP - where the Load Balancer accepts plain text communications including API Keys, authentication headers and payloads

Response ¶

Critical risk vulnerabilities require immediate action up to and including taking the impacted infrastructure offline immediately. Critical vulnerabilities are better off not existing rather than remaining online. Depending on legal jurisdiction, keeping a critical vulnerability online after discovery can be considered negligent.

Treat Critical risk vulnerabilities as a security incident.

Critical risk vulnerabilities can initiate business ending impact whether that is irreversible legal or technical damage such as data loss.