Vulnerability Assessments – Do We Need to Do the Lows?

Vulnerability assessment tools provide the ability to assess our internal and external networks for vulnerabilities… useful! The results are typically categorized into tiers of risk level: high, medium and low. The highs are obvious and detail a “clear and present danger”; the mediums also need (in my opinion) to be remediated quickly, but the lows?

The Nature of Lows

The lows present a different issue. Rather than detailing a specific exploit path, lows focus on information requests. They can be numerous, and remediating them can actually take away functionality from the overall environment. An example would be disabling NetBIOS ports, which also disables network discovery.

No Broad Brush Approach

Many lows just detail information, such as “you are running an SSH server on port 22”… and your remediation comment would be “I know, I put it there.” Some do present a minor risk, however, and when used in conjunction with other lows they can actually provide an attacker with useful information that could save them time in planning an attack. Unfortunately, the answer to this question is that each low needs to be assessed and remediated in the context of the environment. The key phrase is “in the context of the environment”, as this may help weigh the risks… after all, we are the ones who have to defend not only the environment but also the decisions around its architecture and protection strategy.
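One way to put “in the context of the environment” into practice, as an added example that is not from the original post: record which services were deployed on purpose, accept the lows that match, and review hosts where several unexplained lows appear together. The findings, addresses, baseline entries and the cluster threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: low-severity findings as (host, port, title).
LOWS = [
    ("10.0.0.5", 22, "SSH server detected"),
    ("10.0.0.5", 137, "NetBIOS name service enabled"),
    ("10.0.0.7", 22, "SSH server detected"),
    ("10.0.0.7", 137, "NetBIOS name service enabled"),
    ("10.0.0.7", 161, "SNMP agent responds"),
    ("10.0.0.7", 80, "Web server banner discloses version"),
]

# Assumed environment context: services the owners put there deliberately,
# with the reason recorded ("I know, I put it there").
INTENDED = {
    ("10.0.0.5", 22): "admin jump host",
    ("10.0.0.5", 137): "network discovery still required",
    ("10.0.0.7", 22): "managed by ops",
}


def triage(lows, intended, cluster_threshold=2):
    """Split lows into accepted (known and intended) and to-review,
    then flag hosts where several unexplained lows occur together."""
    accepted = []
    review = defaultdict(list)
    for host, port, title in lows:
        reason = intended.get((host, port))
        if reason is not None:
            accepted.append((host, port, title, reason))
        else:
            review[host].append((port, title))
    # A single unexplained low is minor; several on one host give away more.
    clustered = sorted(
        host for host, items in review.items() if len(items) >= cluster_threshold
    )
    return accepted, dict(review), clustered


if __name__ == "__main__":
    accepted, review, clustered = triage(LOWS, INTENDED)
    for host, port, title, reason in accepted:
        print(f"ACCEPT  {host}:{port} {title} ({reason})")
    for host, items in review.items():
        flag = "CLUSTER" if host in clustered else "REVIEW "
        for port, title in items:
            print(f"{flag} {host}:{port} {title}")
```

The same NetBIOS finding is accepted on one host and flagged on the other, which is the point: the finding alone does not decide the outcome, the recorded context does.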