The Importance of Establishing a Ranking of Vulnerabilities in a System


Vulnerabilities are classified into different ranks or scores according to how likely they are to be exploited and how much damage exploitation would cause. Establishing this ranking is important for the following reasons:

  • The ranking indicates which vulnerability is most likely to be exploited by an attacker
  • It helps determine which vulnerability requires more attention (higher priority)
  • It is instrumental in devising an effective security plan
  • It is essential for cost-benefit and trade-off analysis when deciding on mitigation methods

For example, a basic vulnerability ranking system could use three ranks, V1 (lowest) to V3 (highest). The table below gives the characteristics of each rank and an example of a vulnerability that falls into it.

Vulnerability rank: V1
  Characteristics:
  • Lowest priority
  • Unlikely avenue of attack
  • Lowest risk
  • Mitigation: failing safely is sufficient, as the affected function is not mission critical
  Example: An error in rendering the HTML content correctly in the client's browser. While this is undesirable, it is more of a temporary inconvenience than a grave security lapse.

Vulnerability rank: V2
  Characteristics:
  • Intermediate priority
  • A possible target of an attack, but not a probable one
  • Moderate level of risk
  • Mitigation: failing safely, along with protecting private and confidential data
  Example: An error in sending out a newsletter to all the members via email. If the newsletter is not rendered correctly it is only an inconvenience (V1), but if the email exposes the email addresses of all the members (through a failure to use BCC, blind carbon copy, so that every recipient appears in the To or CC header), it is a V2 vulnerability. The same feature can therefore carry different ranks depending on how it fails.

Vulnerability rank: V3
  Characteristics:
  • Highest priority
  • Most likely to be exploited by attackers
  • Highest level of risk
  • Mitigation: requires a documented mitigation plan and controls, and every instance must be accounted for
  Example: Free text input accepted through an Internet form and used to build a database query. It can potentially cause a confidential database to be breached through SQL injection, so every such input path must be identified and protected (for example, by parameterized queries).
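The V3 example above, worked through as an added illustration (this code is not part of the original page): a login-style lookup on a constructed in-memory SQLite table of members, once with the free-text form field pasted into the SQL string and once with a parameterized query. The table, the column names and the two attack strings are assumptions chosen for the demonstration; the `card` column stands in for the confidential data the text refers to.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the page).
# "card" plays the role of the confidential column an attacker wants.
MEMBERS = [
    ("alice", "alice@example.org", "card-1111"),
    ("bob", "bob@example.org", "card-2222"),
]


def make_db():
    """Build an in-memory SQLite database with a small members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, username):
    """V3 pattern: the form field is concatenated straight into the SQL text,
    so quotes and operators in the input are parsed as part of the query."""
    sql = f"SELECT username, email FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Mitigation: a parameterized query. The driver sends the value separately
    from the statement, so the input can only ever be compared as data."""
    sql = "SELECT username, email FROM members WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run an honest lookup and two injection payloads through both versions
    and return the results so they can be compared."""
    conn = make_db()
    # Classic tautology: closes the quote and makes the WHERE clause always true.
    payload_all_rows = "' OR '1'='1"
    # UNION payload: pulls the confidential column into the result set, and
    # comments out the trailing quote the application appends.
    payload_union = "' UNION SELECT username, card FROM members--"
    return {
        "honest_vuln": lookup_vulnerable(conn, "alice"),
        "honest_safe": lookup_safe(conn, "alice"),
        "bypass_vuln": lookup_vulnerable(conn, payload_all_rows),
        "bypass_safe": lookup_safe(conn, payload_all_rows),
        "union_vuln": lookup_vulnerable(conn, payload_union),
        "union_safe": lookup_safe(conn, payload_union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The honest lookup returns the same single row from both versions. With the tautology payload the vulnerable version returns every member, and with the UNION payload it returns every member's `card` value, which is exactly the confidential-database breach the V3 row describes; the parameterized version returns no rows for either payload because the whole string is compared literally against `username`.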