Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity.
Critical (9.0 – 10.0)
Vulnerabilities that score in the critical range usually have most of the following characteristics:
These vulnerabilities can allow attackers to take complete control of your resources. In exploiting this type of vulnerability, attackers could carry out a range of malicious acts including (but not limited to):
On exploiting such vulnerabilities, attackers can access and control logged-in user or administrator accounts, enabling them to hijack accounts and make changes that typically only those users can.
Suggested Action for Critical Severity Vulnerabilities
A Critical severity vulnerability means that resources can be exploited at any time. It is advised to make it the highest priority to fix these vulnerabilities immediately via patching, upgrading or other mitigation measures. Once a fix action has been implemented, rescan the affected resource to ensure the vulnerability or weakness has been mitigated.
High (7.0 – 8.9)
Vulnerabilities that score in the high range usually have some of the following characteristics:
On exploiting such vulnerabilities, attackers can view information about your system that helps them find or exploit other vulnerabilities that enable them to take control of your website and access sensitive user and administrator information.
Suggested Action for High Severity Vulnerabilities
A High severity vulnerability means that resources can be exploited and attackers can find other vulnerabilities which have a bigger impact. Fix these types of vulnerabilities immediately. Once a fix action has been implemented, rescan the affected resource to ensure the vulnerability or weakness has been mitigated.
Medium (4.0 – 6.9)
Vulnerabilities that score in the medium range usually have some of the following characteristics:
By exploiting Medium Severity Vulnerabilities, attackers will gain information and reconnaissance useful for their attack. Medium Severity vulnerabilities are often used to better understand your system, allowing them to refine and escalate the attacks. Such vulnerabilities can sometimes be connected, to increase the potential damage of the attack.
Suggested Action for Medium Severity Vulnerabilities
Most of the time, since the impact of Medium severity vulnerabilities is not direct, you should first focus on fixing High severity vulnerabilities. However, Medium severity vulnerabilities should still be addressed at the earliest possible opportunity.
Low (0.1 – 3.9)
Do not overly concern efforts towards resources with low severity vulnerabilities. These types of issues do not have any significant impact and are likely not exploitable.
Suggested Action For Low Severity Vulnerabilities
If time and budget allows, it is worth investigating and fixing Low severity vulnerabilities .
Reported simply as supporting information for a resource, as they may not have a direct impact but could help an attacker to gain a better understanding of your underlying systems.
Suggested Action for Informational Alerts
In most cases, no action or fix is required.
Want to find out how many issues you have? Contact us today and ask about CATSCAN from ProactiveRISK
The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions, including accounting and CPA businesses, to protect the privacy of customers' nonpublic personal information (NPI). The GLBA safeguard rules provide specific guidelines for how financial institutions should protect this information. Here are some steps that accounting and CPA businesses can take to comply with the GLBA safeguard rules:
Cybersecurity is a critical concern for businesses of all sizes and industries. With the increasing reliance on technology, businesses have become vulnerable to cyber attacks, data breaches, and other forms of cybercrime. The potential consequences of a cyber attack can be devastating and far-reaching, including financial losses, reputational damage, and legal liabilities. Therefore, it is essential that businesses take a proactive approach to managing cyber security risks.
One of the main reasons businesses should be proactive about cyber security risks is that the threat landscape is constantly evolving. Hackers and cybercriminals are constantly developing new techniques and strategies to breach security systems and steal sensitive information. Businesses that do not stay up-to-date with the latest security threats and trends will be more vulnerable to attacks. By being proactive and constantly monitoring the threat landscape, businesses can identify potential vulnerabilities and take steps to mitigate them before they are exploited.
Another reason why businesses should be proactive about cyber security risks is that the costs of a cyber attack can be significant. A data breach can result in the loss of sensitive information, such as customer data, financial records, and confidential business information. This can lead to financial losses, legal liabilities, and reputational damage. In addition to the direct costs, businesses may also face indirect costs, such as lost productivity, lost customers, and the need to invest in additional security measures. By being proactive and implementing effective security measures, businesses can reduce the likelihood of a cyber attack and minimize the potential costs.
Proactivity also helps to protect your company's reputation. A cyber attack can seriously damage a company's reputation, as customers and partners may lose trust in the company's ability to protect their sensitive information. This can lead to long-term damage to the company's brand, and it may be difficult to regain customer trust once it is lost. By being proactive and implementing effective security measures, businesses can prevent data breaches, protect customer data, and maintain a positive reputation.
Additionally, with more and more regulations coming into place, it is important for businesses to be proactive about cybersecurity to avoid the legal and financial consequences of non-compliance. Many states and countries now have laws requiring companies to disclose data breaches, and businesses may face significant penalties for failing to comply with these regulations. By being proactive and implementing security measures that comply with relevant regulations, businesses can avoid legal liabilities and fines.
In conclusion, being proactive about cybersecurity is essential for businesses of all sizes and industries. The threat landscape is constantly evolving, and the costs of a cyber attack can be significant. By identifying potential vulnerabilities and implementing effective security measures, businesses can reduce the likelihood of a cyber attack and minimize the potential costs. Proactivity also helps to protect the company's reputation, and it is important to comply with the relevant regulations. Businesses that fail to take a proactive approach to managing cyber security risks will be more vulnerable to attacks and face greater consequences. It is important to remember that cyber security is not a one-time or occasional task, it should be an ongoing process, regularly monitored, and updated.