Low to High: Risk Adverse May Not Make the Most Risk Sense
Recent evidence shows that a surprisingly high portion of vulnerabilities incorporated into malware or exploit kits are ranked low or medium severity. Counter to commonly accepted practice, focusing only on high-severity vulnerabilities and setting a ‘cut-off’ point for lower-scored issues is not a safe or effective strategy. More importantly, proof-of-concept (POC) code for lower-priority vulnerabilities is appearing more quickly after 0-day announcement, leading to widespread attacks just as quickly. NSFOCUS and Nopsec will delve into this recent trend, discuss some of these lower-level vulnerabilities being quickly exploited, and provide some thoughts on how to better protect against these in the future.