You Really Should Fix Those Lows

Does your Team Neglect Low Severity Findings?

 

The elephant in the room

So we all know that our pentest reports come in with low severity findings from time to time. We also all know that many times, those lows are going to be shelved indefinitely, or outright ignored.
 

I get it, I really do! After all, there is only so much time in the day and there are probably business logic bugs, features, and high or medium severity security flaws to focus on too! But, here I am going to make the case that we should be addressing the elephant in the room. Your low severity security issues do still matter in some cases. CVSS does a good job of trying to help understand those cases, but it isn’t perfect.

Who could that low severity risk impact?

 

Our first order of business in risk assessment is naturally determining what the scope of the impact would be to begin with right?

Let’s take an easy example, you have a website or mobile app and associated APIs that are customer facing. You don’t set some security headers on that such as Strict Transport Security (HSTS). Well what’s the risk?
 

In this case HSTS happens to help protect the customer against a man in the middle (MITM) style attack. Also in this case the chances of that attack scenario are increased if this is say a mobile application your customers are using (I am assuming no cert pinning). This increased likelihood comes from the prevalent use of public WiFi on mobile devices. We all know it happens and since this is also a distributed application, your customers use it, each and every one of them is a potential victim here.

So when your pentest comes through and notes that your web servers don’t send this header, odds are its going to be marked as a low security risk, but should you fix it anyways? Absolutely! Obviously with this easy example its a pretty easy fix too simply adding another header to your responses. But I feel this at least conveys my point. Even those low risks are still risks!
 
Now this also leads me to my next point. Yes, sometimes it DOES make sense to shelf, or just accept a risk and move on, when it comes to low findings. Let’s take another easy example. Outdated TLS cipher suites. Now I’m not referring to some with realistic attacks here like POODLE. I mean suites with theoretical attacks due to cryptographic weaknesses (CBC DES, SHA1, RC4). So unless your application is of a highly sensitive nature, processing banking/PCI, PHI, or other confidential information then you really are not likely a target of someone with the capacity to target those kinds of issues. Because let’s not forget they have to intercept the data to even mount those attacks to begin with.
 
At the end of the day blue teaming taught me that MOST of your attackers are in it for a quick cash grab. This is why ransomware like cryptolockers, fake AV, and on a more advanced tier banking credential trojans, are king of the playground. Depending on the scope of your business might you see more serious threat actors? Sure! And again if that is something of a concern for you it obviously should be baked into your risk decisions.
 

Are you looking for a security assessment for your network or applications? Send us an email at info@mccormackcyber.com