​Scoring Matrix
Critical (9.0 – 10.0)
Vulnerabilities that score in the critical range usually have most of the following characteristics:

• Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
• This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
• Intruders can easily gain control of the host, which can lead to the compromise of your entire network security and may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Impacts of Critical Severity Vulnerabilities
These vulnerabilities can allow attackers to take complete control of your resources. In exploiting this type of vulnerability, attackers could carry out a range of malicious acts including (but not limited to):

• Stealing information (for example, user data)
• Tricking your users into supplying them with sensitive information (for example, credit card details)
• Defacing your website

By exploiting a critical severity vulnerability, attackers can access your website’s entire server. This allows them to acquire user and administrator information that might allow them to make changes such as delete or modify other user accounts.
On exploiting such vulnerabilities, attackers can access and control logged-in user or administrator accounts, enabling them to hijack accounts and make changes that typically only those users can.
Suggested Action for Critical Severity Vulnerabilities
A Critical severity vulnerability means that resources can be exploited at any time. It is advised to make it the highest priority to fix these vulnerabilities immediately via patching, upgrading or other mitigation measures. Once a fix action has been implemented, rescan the affected resource to ensure the vulnerability or weakness has been mitigated.
High (7.0 – 8.9)
Vulnerabilities that score in the high range usually have some of the following characteristics:

• The vulnerability is difficult to exploit.
• Exploitation could result in elevated privileges.
• Exploitation could result in a significant data loss or downtime
• This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.
• Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

Impacts of High Severity Vulnerabilities
On exploiting such vulnerabilities, attackers can view information about your system that helps them find or exploit other vulnerabilities that enable them to take control of your website and access sensitive user and administrator information.
Suggested Action for High Severity Vulnerabilities
A High severity vulnerability means that resources can be exploited and attackers can find other vulnerabilities which have a bigger impact. Fix these types of vulnerabilities immediately. Once a fix action has been implemented, rescan the affected resource to ensure the vulnerability or weakness has been mitigated.
Medium (4.0 – 6.9)
Vulnerabilities that score in the medium range usually have some of the following characteristics:

• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
• Denial of service vulnerabilities that are difficult to set up.
• Exploits that require an attacker to reside on the same local network as the victim.
• Vulnerabilities where exploitation provides only very limited access.
• Vulnerabilities that require user privileges for successful exploitation.
• This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources, under certain circumstances. These are the types of vulnerabilities that could have had a Critical impact or High impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
• Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Impacts of Medium Severity Vulnerabilities
By exploiting Medium Severity Vulnerabilities, attackers will gain information and reconnaissance useful for their attack. Medium Severity vulnerabilities are often used to better understand your system, allowing them to refine and escalate the attacks. Such vulnerabilities can sometimes be connected, to increase the potential damage of the attack.
Suggested Action for Medium Severity Vulnerabilities
Most of the time, since the impact of Medium severity vulnerabilities is not direct, you should first focus on fixing High severity vulnerabilities. However, Medium severity vulnerabilities should still be addressed at the earliest possible opportunity.
Low (0.1 – 3.9)

• Vulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.
• Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
• This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.

Impacts of Low Severity Vulnerabilities
Do not overly concern efforts towards resources with low severity vulnerabilities. These types of issues do not have any significant impact and are likely not exploitable.
Suggested Action For Low Severity Vulnerabilities
If time and budget allows, it is worth investigating and fixing Low severity vulnerabilities .
Informational

• Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
• If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
• Information may include NTLM Authorization Required, Email Address found, Robots.txt discovered, Web server version exposed, WAF detected, web server listening on port 80, telnet running, etc..

Impacts of Informational Alerts
Reported simply as supporting information for a resource, as they may not have a direct impact but could help an attacker to gain a better understanding of your underlying systems.
Suggested Action for Informational Alerts
In most cases, no action or fix is required.

Want to find out how many issues you have?  Contact us today and ask about CATSCAN from ProactiveRISK

The Gramm-Leach-Bliley Act (GLBA) is a federal law that requires financial institutions, including accounting and CPA businesses, to protect the privacy of customers' nonpublic personal information (NPI). The GLBA safeguard rules provide specific guidelines for how financial institutions should protect this information. Here are some steps that accounting and CPA businesses can take to comply with the GLBA safeguard rules:

1. Conduct a risk assessment: A risk assessment will help identify potential vulnerabilities in the organization's information systems and processes. This will help determine what types of safeguards are needed to protect customer NPI.
2. Implement administrative, technical and physical safeguards: GLBA requires financial institutions to implement a variety of safeguards to protect customer NPI. Administrative safeguards include policies and procedures for protecting NPI, such as access controls, incident response plans and employee training. Technical safeguards include firewalls, intrusion detection systems, and encryption. Physical safeguards include secure storage and disposal of NPI.
3. Limit access to NPI: Access to NPI should be limited to only those employees who need it to perform their job duties. This can be done by implementing role-based access controls, which restrict access based on an employee's role or job responsibilities.
4. Train employees: Employee training is essential for ensuring that employees understand the importance of protecting customer NPI and know how to do it. This training should be provided on a regular basis and should include information on the organization's policies and procedures for protecting NPI.
5. Review and update policies and procedures: Policies and procedures for protecting NPI should be reviewed and updated regularly to ensure that they are in compliance with the GLBA safeguard rules.
6. Conduct regular audits: Regular audits can help identify potential vulnerabilities in the organization's information systems and processes, and can be used to determine whether the safeguards in place are effective.
7. Maintain records of compliance: Financial institutions are required to maintain records of their compliance with the GLBA safeguard rules. This includes records of risk assessments, employee training, and audits.

By following these steps, accounting and CPA businesses can comply with the GLBA safeguard rules and protect the privacy of their customers' nonpublic personal information. It's important to note that compliance with the GLBA safeguard rules should be an ongoing process and policies and procedures should be updated regularly to stay in compliance.

Cybersecurity is a critical concern for businesses of all sizes and industries. With the increasing reliance on technology, businesses have become vulnerable to cyber attacks, data breaches, and other forms of cybercrime. The potential consequences of a cyber attack can be devastating and far-reaching, including financial losses, reputational damage, and legal liabilities. Therefore, it is essential that businesses take a proactive approach to managing cyber security risks.

One of the main reasons businesses should be proactive about cyber security risks is that the threat landscape is constantly evolving. Hackers and cybercriminals are constantly developing new techniques and strategies to breach security systems and steal sensitive information. Businesses that do not stay up-to-date with the latest security threats and trends will be more vulnerable to attacks. By being proactive and constantly monitoring the threat landscape, businesses can identify potential vulnerabilities and take steps to mitigate them before they are exploited.

Another reason why businesses should be proactive about cyber security risks is that the costs of a cyber attack can be significant. A data breach can result in the loss of sensitive information, such as customer data, financial records, and confidential business information. This can lead to financial losses, legal liabilities, and reputational damage. In addition to the direct costs, businesses may also face indirect costs, such as lost productivity, lost customers, and the need to invest in additional security measures. By being proactive and implementing effective security measures, businesses can reduce the likelihood of a cyber attack and minimize the potential costs.
Proactivity also helps to protect your company's reputation. A cyber attack can seriously damage a company's reputation, as customers and partners may lose trust in the company's ability to protect their sensitive information. This can lead to long-term damage to the company's brand, and it may be difficult to regain customer trust once it is lost. By being proactive and implementing effective security measures, businesses can prevent data breaches, protect customer data, and maintain a positive reputation.

Additionally, with more and more regulations coming into place, it is important for businesses to be proactive about cybersecurity to avoid the legal and financial consequences of non-compliance. Many states and countries now have laws requiring companies to disclose data breaches, and businesses may face significant penalties for failing to comply with these regulations. By being proactive and implementing security measures that comply with relevant regulations, businesses can avoid legal liabilities and fines.
​
In conclusion, being proactive about cybersecurity is essential for businesses of all sizes and industries. The threat landscape is constantly evolving, and the costs of a cyber attack can be significant. By identifying potential vulnerabilities and implementing effective security measures, businesses can reduce the likelihood of a cyber attack and minimize the potential costs. Proactivity also helps to protect the company's reputation, and it is important to comply with the relevant regulations. Businesses that fail to take a proactive approach to managing cyber security risks will be more vulnerable to attacks and face greater consequences. It is important to remember that cyber security is not a one-time or occasional task, it should be an ongoing process, regularly monitored, and updated.