Moderate Risk Classification

Definition ¶

Vulnerabilities with a Moderate risk factor are risks that can contribute to a compromise but are unlikely to be wholly sufficient to induce a compromise. They should not be ignored, as they can contribute to a broader compromise if exploited in conjunction with other vulnerabilities. Alone, they are typically not severe enough to be a major concern.

Moderate Risks can be summarised as:

These fixes should be added to the backlog and prioritised as beneficial features

Characteristics ¶

Moderate Risk Vulnerabilities usually have the following characteristics:

• Are not widely targeted and are unlikely to have readily tools targeting
• Have a larger time horizon, which may
• Offer a moderate Threat Surface, providing options for exploitation that should be minimised
• Are likely to be within industry norms meaning less uniquely identifiable and less likely to be hit in widespread attacks but still vulnerable

SkySiege Test Examples ¶

• Cloudfront not using Geo Blocking - allowing for communications from all regions including those without business relevance
• Outdated EKS Version - where the EKS Control Plane and Cluster are running an outdated Kubernetes version
• Lambda Functions using Old Run-time - where the run time for the provided Lambda function should be upgraded

Response ¶

Moderate risk vulnerabilities typically usually associate with a lack of regular maintenance. While they are not immediately dangerous, they have the potential to become more concerning and significant threats over time. It is common for moderate risk issues to escalate into moderate, high, and eventually critical vulnerabilities if they are not addressed.

Treat Moderate risk vulnerabilities as features that offer a long tail benefit and prioritise against your backlog.

Moderate risk vulnerabilities are likely to flag up during an audit as an actionable item but not necessarily a failing item. Should you have an audit in the future look to prioritise fixes within that time frame.