NT2580 Unit 2: Assignment 1-Window of vulnerability
The four parts would be the Discovery-Time, Exploit-Time, Disclosure-Time, and Patch-Time. All four of these must be looked at and evaluated.
Discovery Time –is the earliest date that vulnerability is discovered and recognized to pose a security risk. The discovery date is not publicly known until the public disclosure of the respective vulnerability.
Exploit Time -is the earliest date an exploit for vulnerability is available. We qualify any hacker-tool, virus, data, or sequence of commands that take advantage of vulnerability as an exploit.
Disclosure Time –is the first date vulnerability is described on a channel where the disclosed information on the vulnerability is freely available to the public, published by trusted and independent channel and, has undergone analysis by experts such that risk rating information is included.
Patch Time - is the earliest date the vendor or the originator of the software releases a fix, workaround, or a patch that provides protection against the exploitation of the vulnerability. Fixes and patches offered by third parties are not considered as a patch. A patch can be as simple as the instruction from the vendor for certain configuration changes. Note that the availability of other security mechanisms such as signatures for intrusion prevention systems or anti-virus tools are not considered as a patch in this analysis. Unfortunately, the availability of patches usually lags behind the disclosure of vulnerability.
The time between each of these areas or, the vulnerability’s lifecycle is divided into 3 risk areas. These areas are shown and explained below.
Black Risk (exogenous)
During the time from discovery to disclosure, only a closed group is aware of the vulnerability. This group could be anyone from hackers to organized crime tempted to misuse this knowledge. On the other hand, it could be researchers and vendors working together to provide a fix for the identified vulnerability. We call the risk exposure arising from this period the Black Risk because the vulnerability is known to have a security impact whereas the public has no access to this knowledge.
Gray Risk (exogenous)
During the time from disclosure to patch the user of the software waits for the vendor to issue a