Need opinions on severity of security risk from vulnerability scan

Tags: eEye Retina, PCI compliance, Security threats
We used eEye's Retina Scanner to run a vulnerability scan on a server. A risk was identified which was classed "Low" but the PCI Severity Level was classed as 5 or urgent. The vulnerability was "Microsoft Windows optional subsystems are permitted to operate on the system" and the fix was to change a registry setting. Two things:

(1) I can't seem to find much more information on this vulnerability; could someone enlighten me?

(2) If we don't have to be PCI compliant at this point, nor does the server hold PCI type data, is this something we should even be addressing?
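As an added example (not part of the original question or answers), the following PowerShell reads and, if wanted, clears the Windows setting this finding is normally mapped to. It assumes the scanner is reporting on the security option "System settings: Optional subsystems", which lives in the `Optional` multi-string value under the `Session Manager\SubSystems` registry key; hardening baselines expect that value to be empty.

```powershell
# Added example, not from the original post. Assumption: the Retina finding refers to the
# REG_MULTI_SZ value 'Optional' under the SubSystems key (security option
# "System settings: Optional subsystems"); an empty value means no optional subsystem
# (e.g. Posix on older Windows) is permitted to load.

$SubSystemsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

function Get-OptionalSubsystem {
    # Returns the optional subsystems currently permitted; an empty list is the hardened state.
    $item = Get-ItemProperty -Path $SubSystemsKey -Name 'Optional' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # REG_MULTI_SZ is returned as string[]; ignore blank entries.
    return @($item.Optional | Where-Object { $_ -and $_.Trim() -ne '' })
}

function Test-OptionalSubsystem {
    # One record per host, suitable for documenting the triage decision on the finding.
    $permitted = Get-OptionalSubsystem
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OptionalSubsystems = ($permitted -join ',')
        Compliant          = ($permitted.Count -eq 0)
        Checked            = (Get-Date).ToString('s')
    }
}

function Clear-OptionalSubsystem {
    # Remediation: set the value to an empty multi-string. Supports -WhatIf / -Confirm so the
    # change can be reviewed first; the setting is read at boot, so a restart is required.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($SubSystemsKey, "Clear the 'Optional' subsystems value")) {
        Set-ItemProperty -Path $SubSystemsKey -Name 'Optional' -Value ([string[]]@()) -Type MultiString
    }
}

# Report the current state; run Clear-OptionalSubsystem -WhatIf to preview the fix.
Test-OptionalSubsystem | Format-List
```

Run the report before and after remediation and keep both records with the risk decision, whichever way the PCI question is answered.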

Answer Wiki


Item #2 is your answer. Why be concerned if you don’t have to be compliant?

I would also ask eEye what the report means on this specific vulnerability. In a way it may be saying just turn off optional services (as they should always be disabled).

Some ways to measure risk include:

How valuable is the asset?
How much of a threat exists?
What is the impact if the system/service is exploited?
Is the vulnerability rated high/medium/low?
Can the risk be reduced and how easy (technical & cost) can it be reduced?
What is the probability of the vulnerability being exploited?

You are asking yourself:
What are you protecting?
What can happen to it? – How can it happen?
What does it mean to the business?
How can the risk be reduced?
How likely is it to happen given the existing conditions?

Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level.
– Mitigate: select controls; implement; monitor
– Transfer: purchase insurance
– Accept: do nothing
– Avoid: discontinue activity

Discuss This Question: 1 Reply

  • Kevin Beaver
    Certainly ask eEye for more info... The fact is if you don't have to be compliant, the server's not housing credit card info, and (assuming) the vulnerability can't be exploited, then why worry? Everything in security is a trade out and if you can't find any good reason for making the effort to mitigate something like this, then document it as such and move on.
