Vulnerability scans provide a way for organizations to check how resistant their networks will be to an attack. They typically work like this: a scan reports the known vulnerabilities in the target systems and then ranks them by severity, usually on a scale of “Low,” “Medium,” “High” and “Critical.” To protect the network, the Critical and High severity vulnerabilities are fixed, the Medium severity vulnerabilities are dealt with when and if there is personnel and budget capacity, and the Low severity vulnerabilities are left to persist indefinitely.
This approach to vulnerability management, focusing on the findings that the scanning tool labels as Critical and High severity, has some serious flaws that can leave networks at risk. The problem is not that these vulnerabilities get fixed; it is that the Medium and Low severity vulnerabilities can pose significant risks as well. For any given vulnerability, we need to distinguish between its severity and the risk that results from its being present on a particular system on our network.