Nessus Network Auditing

Chapter 6: Vulnerability Types

Introduction

When you run Nessus against your network, you might receive much more data than you bargained for. When staring at a massive report, how do you begin to know where to start fixing things, or where your real problems are? Understanding and classifying reams of vulnerability data will help you conquer the different types of vulnerabilities that have been found. Having a clear idea of what vulnerabilities are out there and in what order they need to be addressed will help you define a plan for fixing your problems most effectively.

We will begin by classifying vulnerabilities into four broad categories: critical vulnerabilities, information leaks, denial-of-service (DoS) vulnerabilities, and failure to implement best practices. Breaking vulnerabilities down by type and potential impact makes it easier to see what sorts of problems you have on your network, and it provides guidance on the order in which those problems should be addressed.

Vulnerability classification is still an emerging field, and information security experts often have strong differences of opinion about the best way to deal with the thorny subject of classifying vulnerabilities. Some people maintain that classification should be done by the affected service, by severity, or by the operating system that is targeted. Still others take a more abstract approach, and it is this model that Nessus follows, classifying vulnerabilities by the potential impact of a successful exploit.

Critical Vulnerabilities

Critical vulnerabilities are your highest-priority problems. These represent vulnerabilities that, if exploited, could lead...
