Hitting Above the Security Mendoza Line

Ed Bellis    August 14, 2012

Risk I/O can now be used to identify publicly available exploits to your existing vulnerabilities. Our development team has made it possible for Risk I/O to match attack vectors from databases of quality assured exploits, such as Metasploit and ExploitDB, to applicable vulnerabilities. This information, paired with vulnerability data from assessment tools, allows you to understand how your organization is vulnerable to attacks.

Risk I/O's known exploit feature allows you to know how hackers could attack your organizational data.

You can now get information on publicly available exploits for a specific vulnerability.

In an earlier post, I wrote about the importance of focusing on data that allows you to “hit above the Security Mendoza line,” or the threats most likely to occur based on the evidence and ease of exploit. Alex Hutton referred to the Security Mendoza Line when talking about vulnerabilities exploitable with MetaSploit modules. Josh Corman expanded on this quite a bit with HD Moore’s Law. We built this feature to weed this out of your environment and allow you to hit above the Mendoza line .

We often talk about “enough security” and Josh frames it correctly by stating this is InfoSec table stakes. By combining data from these publicly available exploits and network accessibility, you can truly identify some low hanging fruit and protect yourself from the Point, Click & Pwn of the most casual and opportunistic attackers.

For the dataheads in the audience, a quick and early glance suggests about 14% of active and open vulnerabilities have publicly available exploits through one of these tools or databases. I think there is more interesting views to be had, but clearly an indicator that we have a long way to go before we can protect ourselves from even the most casual adversaries.

If you are a current customer, you can access this new feature in the Vulnerabilities tab. Don’t have an account? Signup for our free version!

One thought on “Hitting Above the Security Mendoza Line

  1. Pingback: Metricon 8 From Outside the Establishment: Size Does(n’t?) Matter. | The Risk I/O BlogThe Risk I/O Blog

Leave a Reply

Your email address will not be published. Required fields are marked *