Watch out for those low severity security vulnerabilities; sometimes they’re bigger than they look
Do you know that every single website certificate on your external perimeter is valid? What about your VPN certificate? Many companies have robust solutions in place to rotate certificates, but how can you actually guarantee that every IP has the correct certificate installed?
One of the easiest ways is to use your vulnerability scanner, but if you don’t look carefully, you may be missing this information, and a lot more.
In many organizations, it’s a challenge just to address the highest severity issues that are found in vulnerability scans. Using a risk-based approach to remediation is fine. There’s only so much time in the day and only so many people to fix issues. The whole point of the vulnerability scoring system is to allow you to prioritize and focus on what is important.
Unfortunately, while vulnerability scanners may take into account the severity of the issue technically, they don’t take into account reputational aspects.
Expired certificates are a bane of existence. Given that they need to be replaced more often due to recent browser changes, it’s easier than ever to lose track of them. Unfortunately, most vulnerability scanners place the severity of an expired HTTPS certificate in the low severity category. Rapid7, for instance, puts this issue at a severity 4 out of 10. Qualys classifies expired certificates as a low, too. Because of that, if you are only looking at mediums and above or highs and above, you’d never see the expired certificate issue.
This could have a real impact on your reputation. Can you imagine going to your bank’s website and getting a warning message from your browser that the site was insecure? It would certainly make you question what else is wrong with their security practices.
Even large organizations with significant automation can miss one, as GitHub found in November 2020 when the certificate for storing images for its website expired. This left its normally stylish website looking like something out of the dial-up modem era.
Look at the all the vulnerabilities, at least occasionally — or manually upgrade severity
Expired certificates are not the only low severity issues that might be of interest. Other potential low severity issues you might be interested in are: self-signed certificates facing the internet, the list of user accounts, the list of user accounts with passwords that have never been changed, or the fact that anti-virus software is not running.
I’d recommend taking a full download of your internet-based scan data and reviewing the low severity vulnerabilities. You might find some informational items that you’d absolutely want to know about.
To help out, most vulnerability scanners allow you to “change” the severity of a vulnerability, either up or down, to meet your organization’s needs. But even if you don’t want to upgrade the severity in the tool, make sure you are properly sending these findings for remediation or upgrading the severity manually once they are out of the vulnerability system.
Then, just to sleep more soundly at night, look for the finding that will give you a list of certificates that will expire in the next 30 days. That finding is only a severity 1, but if you replace the expiring certificate before it impacts a customer connection, that’s priceless.
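As an added example (not from the original post or any scanner vendor), the script below applies this advice to a scan export: it re-ranks the low severity findings the post calls out (expired certificates, certificates expiring within 30 days, internet-facing self-signed certificates, anti-virus not running) using an organization’s own policy instead of the scanner’s technical score. The CSV layout, the policy rules, the 0–10 score bands and the 198.51.100.x hosts are all constructed for illustration.

```python
import csv
from datetime import date

# Constructed scanner export (not a real Rapid7 or Qualys format): one finding
# per row with the scanner's 0-10 score and a short detail field.
SCAN_EXPORT = """\
host,title,score,detail
198.51.100.10,SSL certificate expired,4,notAfter=2020-11-01
198.51.100.11,SSL certificate expires soon,1,notAfter=2020-12-10
198.51.100.12,Self-signed certificate on public service,2,issuer=CN=gateway
198.51.100.13,Anti-virus software not running,3,agent=stopped
198.51.100.14,TLS 1.0 supported,2,protocols=TLSv1.0
"""
# Assumed organization policy: reputational findings become High no matter
# what technical score the scanner assigned; certificates get a 30-day warning.
REPUTATIONAL_KEYWORDS = ("certificate expired", "self-signed certificate",
                         "anti-virus software not running")
EXPIRY_WARNING_DAYS = 30
ORDER = ("High", "Medium", "Low")


def scanner_band(score):
    # Map a 0-10 scanner score onto the Low/Medium/High bands of the report.
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def effective_severity(title, score, detail, today):
    # Return (severity, reason) after applying the organization's overrides.
    if detail.startswith("notAfter="):
        days_left = (date.fromisoformat(detail[len("notAfter="):]) - today).days
        if days_left < 0:
            return "High", f"certificate expired {-days_left} days ago"
        if days_left <= EXPIRY_WARNING_DAYS:
            return "Medium", f"certificate expires in {days_left} days"
    if any(k in title.lower() for k in REPUTATIONAL_KEYWORDS):
        return "High", "reputational impact override"
    return scanner_band(score), "scanner score kept"


def triage(csv_text, today_iso):
    # Re-rank every finding; upgraded findings sort first so they are not missed.
    today, rows = date.fromisoformat(today_iso), []
    for r in csv.DictReader(csv_text.splitlines()):
        sev, why = effective_severity(r["title"], int(r["score"]), r["detail"], today)
        rows.append({"host": r["host"], "title": r["title"], "effective": sev,
                     "scanner": scanner_band(int(r["score"])), "reason": why})
    return sorted(rows, key=lambda x: (ORDER.index(x["effective"]), x["host"]))


if __name__ == "__main__":
    for row in triage(SCAN_EXPORT, "2020-11-20"):
        print(f'{row["host"]} {row["scanner"]} -> {row["effective"]}: {row["title"]} ({row["reason"]})')
```

Run against a real export, the same approach turns a scanner's Low into a ticket the remediation team actually sees, without having to change the severity inside the tool.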
At this time of great need, please consider giving to your local food bank. In the Chicago area, I recommend the Greater Chicago Food Depository.
Based in Chicago, Jerry Galvin has over 15 years of experience in data center and cybersecurity operations. He currently specializes in vulnerability management. Contact him on Twitter at @jerry_galvin.