What is the Difference Between Vulnerabilities and Exposures?


The National Institute of Standards and Technology (NIST) defines a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

Over time, that definition has become entwined with the concepts of CVSS scoring and CVEs. As part of their vulnerability management programs, security teams work with their IT counterparts and spend the bulk of their joint efforts on CVE-related vulnerabilities. This is largely driven by the security toolsets available, the tools heavy CVE focus, and compliance requirements.

The concept of exposures brings the conversation back to the original definition of a vulnerability by focusing more broadly and holistically on any weaknesses in the attack surface of information systems. Exposures can encompass traditional CVE-based vulnerabilities, misconfigurations, missing patches, application security issues, privileged access issues, and anything else an organization would define as a ‘weakness’.

Prioritizing Vulnerabilities and Exposures

Even if all exposure data is aggregated, it can be very difficult to prioritize due to the nature of the weakness and the lack of a common scale to measure them against.

Is presence of a vulnerability with a CVSS score of 9 on a device worse than that device missing a common security control like EDR? The individual and compound nature of exposures can subsequently cause remediation efforts to lack focus and alignment between teams.

NorthStar was built to handle both the data aggregation duties as well as to provide remediation prioritization. The key is a transparent and flexible model that ensures not only are disparate exposure types accurately measured on a common scale, but the reasons for their priority are also surfaced. This visibility ensures that communication within and across teams is clean and concise, with everyone understanding not only what the exposure is, but why its remediation is critical.

There’s a multitude of data that becomes relevant when considering how the attack surface can impact the business. How are you going to make sense of it?