2021-06-12, 09:30–09:55, Track 3
Vulnerabilities are scored by the CVSS calculator and given a score based on several metrics. Let's discuss not only how these vulnerabilities are scored, but that even if they are scored as Low or Medium, they may still be actively exploited. Many organizations do not prioritize these vulnerabilities. This talk is going to give a technical overview of some specific low and medium vulnerabilities, including SQL injection, and how they are used in vulnerability chaining attacks.
Here's the rest of my pitch. :)
Management may prioritize vulnerabilities scored as High or Critical, over lower risk vulnerabilities. But are these vulnerabilities a lower risk to the organization? Discussing specific vulnerabilities and breaking down why they were scored lower, will help both defenders and offensive teams understand how these vulnerabilities are used. Everyone from technical practitioners to management will gain insight into not only how vulnerabilities are scored, but how that does not align to organizational risk. Vulnerabilities should be viewed holistically and not as sole vulnerabilities that need to be remediated.
Nikki Robinson, DSc is a Senior Cyber Engineer by day with XLA, and an Adjunct Professor at Capitol Technology University in the evenings. Her main passions include vulnerability management, continuous monitoring, and improving IT and Security relationships. She love to blend academic research, real-life technical experience, and leadership principles into presentations. She also holds multiple industry certifications, including CISSP and CEH.