Introduction

Most organizations use automated tools to identify and manage vulnerabilities. These tools scan applications and systems to detect issues and are a critical part of the overall Risk Management Process.

When interpreting scan results, there can be some disagreement about the meaning of some findings. This report aims to clarify the differences between vulnerabilities and false positives and discusses the purpose of mitigation and the residual risk that remains after mitigation.

Determining Risk

The more likely it is that a threat event will occur, the greater the risk. When written as a formula, risk can be defined as follows:

Threat * Vulnerability = Risk

(This formula is presented in the official (ISC)²CISSP Body of Knowledge.)

Reducing Risk

As a remediation methodology, mitigations such as Web Application Firewalls, Whitelists, Input Validation, are typically recommended as best practices to reduce threat when a vulnerability cannot be removed. Reducing the threat by implementing mitigations can decrease the amount of risk to the system but does not eliminate the vulnerability entirely. New ways of bypassing mitigation attempts and exploiting security vulnerabilities are ever-present and are being discovered every day. This is one of the reasons that the Federal Government has adopted a policy of Continuous Monitoring of information systems.

Risk / Threat / Vulnerability Matrix

Here is an example of this concept:

The scanning tool reported this in its findings:

“There is a cross-site scripting high vulnerability that is easily exploitable, making the threat level also high. The overall risk rating for this vulnerability is high”

This is the risk formula for the finding:

High (Threat) * High (Vulnerability) = High (Risk)

Applying the right mitigations to reduce the risk brought the threat level down to moderate and reduced the overall risk:

Moderate (Threat) * High (Vulnerability) = Moderate (Risk)

This can be seen in the

The vulnerability is still High, but reducing the threat brought the risk down to an acceptable level while still complying with the FEMA Risk Management requirements.

Conclusion

To designate a vulnerability detected during a scan a “False Positive” requires proof that the vulnerability never existed in the first place. True False Positives are rare. Applying mitigations to detected vulnerabilities, on the other hand, is part of a mature Risk Management strategy and can greatly improve overall security of the system.

Mitigations do not eliminate a vulnerability but can help to make it manageable.

Definitions

Terminology used throughout this post are taken from National Institute of Standards and Technology (NIST) and Committee on National Security Systems (CNSSI):

Vulnerability:

Weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.

False Positive:

An alert that incorrectly indicates that a vulnerability is present.

Impact:

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Mitigation:

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

Residual Risk:

Portion of risk remaining after security measures have been applied.

Risk:

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset. It is an assessment of probability, possibility, or chance.

Threat:

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service