From the Fall 2019 Issue

Avoiding Phantom Risk – Chasing Exploitability, Not Vulnerability

Alex Haynes
CISO | Cheshire Data Systems Ltd.

The gravest warning a pen test report could contain is the phrase “The host may be vulnerable to remote code execution”. It is hard to know immediately what that means. Did they get system access on a host? Nope. Was there a public exploit available for that version of software that enabled remote code execution? No again. So why would someone make such a vague, alarmist recommendation?

In this case study, the pen test report writer’s logic was that even though there was no public exploit available for that version of software, someone somewhere might have developed one but . . .
