Vulnerabilities with a Low risk factor are unlikely to be a current concern but have the potential to contribute to a weakened security posture over time. Low risk vulnerabilities often reference a time factor, which may indicate when a security concern may manifest in the future.
Low Risks can be summarised as:
These fixes should be implemented when possible
Low Risk Vulnerabilities usually have the following characteristics:
Fixing low risk vulnerabilities should be considered good practice and should be pursued alongside key business and security objectives.
Treat low risk vulnerabilities as the elimination of technical or process debt. However, do weigh their priority against the risk burden, which increases as low priority items remain unmaintained.
Low risk vulnerabilities may not flag up on an audit; however, the management of low risk vulnerabilities forms a key part of security processes such as ISO 27001 certification. Whilst the existence of low risk vulnerabilities is not critical, the processes around managing these risk factors can form part of key business objectives.