NT2580
Professor Jackson
Thursday 6-10:30
UNIT 2 ASSIGNMENT 1 - CALCULATE THE WINDOWS OF VULNERABILITY
The vulnerability’s lifecycle, that is, the time between each of these milestones, is divided into three risk areas. These areas are listed and explained briefly below.
Black Risk (Exogenous): During the time from discovery to disclosure, only a closed group is aware of this vulnerability. The group could be anyone from hackers to criminals tempted to misuse this knowledge. It may also be researchers and vendors working hard to provide a fix for the identified loophole. The risk exposure that arises from this period is known as the Black Risk because the vulnerability is known to have a security impact whereas the general public has no access to this information.
Gray Risk (Exogenous): From disclosure to patch, the user of the software waits for the vendor to issue a patch. The risk exposure that arises from this period is known as the Gray Risk because the general public is aware of this risk but has not yet received a fix from the software owners. The information is provided in the vulnerability release so that the organization can assess its individual risk and possibly implement a workaround, at least until a patch is available.
White Risk (Endogenous): The time it takes from patch availability to patch implementation. The length of this period is under the direct control of the user. In most organizations, the vulnerability management process decides this period.
To conclude, the Black Risk and the Gray Risk are the exogenous phases: the user of the software has no say over the length of these timeframes. The White Risk, however, IS under the control of the user; the organization’s vulnerability management process determines the duration of that phase.
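As an added worked example (not part of the original assignment), the following script computes the three windows from a constructed timeline of dates and checks the one endogenous window, the White Risk, against a hypothetical patch-deployment SLA; the dates, the SLA value and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class VulnTimeline:
    """Four milestones of one vulnerability's lifecycle (constructed example values)."""
    discovery: date        # found by a closed group (black risk begins)
    disclosure: date       # made public (gray risk begins)
    patch_available: date  # vendor ships a fix (white risk begins)
    patch_applied: date    # organization deploys the fix (exposure ends)

def timeline_from_iso(discovery, disclosure, patch_available, patch_applied):
    """Build a timeline from ISO date strings, e.g. '2024-03-01'."""
    return VulnTimeline(*(date.fromisoformat(s) for s in
                          (discovery, disclosure, patch_available, patch_applied)))

def timeline_is_ordered(t: VulnTimeline) -> bool:
    """Milestones must not run backwards; a patch applied before it exists is a data error."""
    order = [t.discovery, t.disclosure, t.patch_available, t.patch_applied]
    return all(earlier <= later for earlier, later in zip(order, order[1:]))

def windows_of_vulnerability(t: VulnTimeline) -> dict:
    """Return each risk window in days, labelled by who controls its length."""
    if not timeline_is_ordered(t):
        raise ValueError("timeline must be discovery <= disclosure <= patch_available <= patch_applied")
    black = (t.disclosure - t.discovery).days        # exogenous: closed group / vendor
    gray = (t.patch_available - t.disclosure).days   # exogenous: waiting on the vendor
    white = (t.patch_applied - t.patch_available).days  # endogenous: organization's own process
    return {
        "black": {"days": black, "control": "exogenous"},
        "gray": {"days": gray, "control": "exogenous"},
        "white": {"days": white, "control": "endogenous"},
        "total": black + gray + white,
    }

def white_window_within_sla(t: VulnTimeline, sla_days: int) -> bool:
    """The white window is the only one the organization can shorten, so it is the
    one to measure against a (hypothetical) patch-deployment SLA."""
    return windows_of_vulnerability(t)["white"]["days"] <= sla_days

# Constructed sample: disclosed one day after discovery, patch three days later,
# and deployed by the organization ten days after the patch shipped.
SAMPLE = timeline_from_iso("2024-03-01", "2024-03-02", "2024-03-05", "2024-03-15")

if __name__ == "__main__":
    for name, info in windows_of_vulnerability(SAMPLE).items():
        print(name, info)
    print("white window within 7-day SLA:", white_window_within_sla(SAMPLE, 7))
```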
The windows of vulnerability are divided below:
1. Black Risk’s Window of Vulnerability = One day.
2. Gray Risk’s Window of Vulnerability = Three