This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies By closing this message or continuing to use our site, you agree to our cookie policy. Learn MoreThis website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Home » Why 'Low Severity' Vulnerabilities Can Still Be 'High Risk'
Vulnerability scans provide a way for organizations to check how resistant their networks will be to an attack. The way they typically work is this: a scan shows the known vulnerabilities in the target systems and then ranks them by severity, usually on a scale of “Low,” “Medium,” “High” and “Critical." In order to best protect the network, the Critical and High severity vulnerabilities are fixed, the Medium severity vulnerabilities are dealt with when and if there is personnel and budget capacity, and the Low severity vulnerabilities are left to persist indefinitely.
This approach to vulnerability management, focusing on the findings that the scanning tool labels as Critical and High severity, has some serious flaws that can leave networks at risk. It’s not that fixing these vulnerabilities is the problem, it’s that the Medium and Low severity vulnerabilities can pose significant risks as well. For any given vulnerability, we need to distinguish between its severity and the risk that results from it being present on a particular system on our network.