WEBVTT

00:07.160 --> 00:13.010
When we talk about scanning, we often refer to our CVSS scores as the deciding factor of what

00:13.010 --> 00:15.290
gets prioritized or fixed first.

00:15.320 --> 00:21.200
Usually, a high CVSS score indicates that we have a critical vulnerability that's easy to pull off,

00:21.200 --> 00:26.030
and in return, we want to prioritize that fix to be at the top of the priority list.

00:26.060 --> 00:26.540
Right.

00:26.540 --> 00:30.680
However, context awareness is something that we need to be aware of.

00:30.710 --> 00:37.250
If I have a high CVSS score for an item that is air-gapped behind a system, meaning that it doesn't

00:37.250 --> 00:40.040
have access to the network, it's behind lock and key.

00:40.040 --> 00:41.840
But it's a critical vulnerability.

00:41.960 --> 00:44.630
But it costs like an enormous amount of money to fix.

00:44.660 --> 00:50.150
Do I really need to fix that high CVSS score item right away?

00:50.150 --> 00:56.360
When we think about prioritization of critical components or critical vulnerabilities within our network,

00:56.360 --> 01:02.870
we always have to keep in mind our context awareness. Usually we dictate this by who, what, when,

01:02.900 --> 01:04.670
where, and sometimes how.

01:04.700 --> 01:05.240
The how,

01:05.240 --> 01:10.170
being already written into the CVSS score: how easy is it to pull off this vulnerability?

01:10.200 --> 01:13.530
Or I should say, this exploit against this vulnerability?

01:13.560 --> 01:15.300
Who would be going after it?

01:15.300 --> 01:19.050
This is where we kind of look at it from, who has the capability.

01:19.350 --> 01:25.200
I can have a critical vulnerability that could take root access, but if it's behind an air gapped system,

01:25.200 --> 01:30.060
the chances of someone being able to actually get into that system, the who would only be our internal

01:30.060 --> 01:34.800
employees, meaning that unless you're an internal employee, you don't have access to the system and

01:34.800 --> 01:37.470
may not pay off to fix that vulnerability right away.

01:37.500 --> 01:43.020
On the flip side, if I have a critical vulnerability, but it has very high technical requirements,

01:43.020 --> 01:48.630
the CVSS score may be in the middle somewhere, but who has the actual capabilities of pulling it off?

01:48.660 --> 01:54.720
Windows is notorious for having vulnerabilities, especially in something like Windows 7 or older Windows

01:54.720 --> 01:59.970
XP systems that when they came out, they had critical vulnerabilities that Microsoft knew about.

02:00.000 --> 02:05.160
However, the capabilities to actually exploit those vulnerabilities didn't actually exist.

02:05.160 --> 02:11.140
And so while, yes, it was a critical vulnerability, the capability to actually enact or exploit

02:11.140 --> 02:12.070
those vulnerabilities?

02:12.100 --> 02:15.400
Was it so enormously high that it really wasn't worth fixing?

02:15.430 --> 02:19.690
We call this context awareness. When we think about context awareness,

02:19.720 --> 02:23.650
the other crucial aspect is internal, external, or isolated.

02:23.680 --> 02:28.930
Now, I kind of referred to this a little bit already when I talked about an air-gapped system being isolated

02:28.930 --> 02:33.580
from the rest of my network, and we talked about how it really didn't make sense for anybody to gain

02:33.580 --> 02:36.010
access to it outside of our normal environment.

02:36.010 --> 02:37.900
It would take an internal employee.

02:37.930 --> 02:41.320
However, we also have context awareness to internal aspects of it,

02:41.320 --> 02:47.200
being that, hey, it's an internal flaw that only somebody inside my network can see and take advantage of.

02:47.200 --> 02:52.930
While we have internal flaws, or internal employees that can take advantage of those,

02:52.930 --> 02:59.980
we have to understand also that not every internal employee necessarily has the capability to enact

02:59.980 --> 03:02.590
or to exploit a specific vulnerability.

03:02.590 --> 03:07.960
If I have a vulnerability with a critical component to it, meaning that it has a critical point which

03:07.960 --> 03:13.690
allows root access into the system, but it takes a high degree of capability to gain access to it,

03:13.690 --> 03:18.160
then there's probably only a handful of employees within my enterprise environment that could actually

03:18.160 --> 03:20.770
take advantage of that vulnerability.

03:20.770 --> 03:23.020
So we need to look at the internal aspects of it.

03:23.050 --> 03:25.780
We also need to look at the external aspects of it.

03:25.810 --> 03:31.510
Do I have a high vulnerability with a low technical component to it, where you have to be a mastermind

03:31.540 --> 03:37.060
of technology to not only see the vulnerability, but able to exploit the vulnerability as well?

03:37.060 --> 03:38.800
And we call those external components.

03:38.830 --> 03:39.220
Right.

03:39.220 --> 03:41.500
So is it external to our network?

03:41.500 --> 03:46.090
Is it internal to our network, or is it an isolated network aspect that we need to be aware of?

03:46.120 --> 03:51.130
Remember, when we're looking at vulnerabilities, when we're looking at the exploitedness of a vulnerability,

03:51.160 --> 03:53.440
we always have to have context awareness.

03:53.440 --> 04:00.040
How easy is it for this vulnerability to actually be attacked from internal forces, from external forces,

04:00.040 --> 04:02.830
or is it an isolated incident that could take place?

04:02.860 --> 04:06.070
When we're looking at context awareness, be aware of your surroundings.

04:06.100 --> 04:06.700
Be aware.

04:06.700 --> 04:13.780
Hey, does it make sense to spend the amount of money to cover this vulnerability, or does it make

04:13.780 --> 04:20.290
more sense to let it go and hide it or mitigate it behind a defense-in-depth infrastructure?
