https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20421#M1032 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/884809339">@A2jacomel</a>I have had a thought about this since you put this up overnight:&nbsp;&nbsp; One thought is that some vulnerability service management providers, are now providing online cloud services, which include weaponisation.&nbsp;&nbsp; What I mean by this is&nbsp; - instead of the traditional Mitre/CVE approach, they combine the service with actual live security intelligence - so this means instead of obtaining the latest highest priority according to impact - you get a report online based on what the real cyber-criminals are actually focusing upon - which in changes the equation to one of more a risk materialisation approach i.e. higher likelihood that those systems/applications are currently and likely to be under attack and therefore your priority would be to patch those systems/applications now thus reducing the potential impact to the organisation, had they used the traditional approach.</P><P>&nbsp;</P><P>But a month, later of course the results will have changed again, as they cyber-criminals will be focusing on something else etc.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_cautim</P> Sun, 24 Mar 2019 23:04:09 GMT Caute_cautim 2019-03-24T23:04:09Z https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20412#M1031 <P>For Internal audit or another supervisor entity, have you ever been in the obligation of demostrate that your risks associated to infrastructure vulnerabilities have not been materialized? How have you done it? Which logs or documental supports may I use?</P> Mon, 09 Oct 2023 09:09:40 GMT https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20412#M1031 A2jacomel 2023-10-09T09:09:40Z https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20421#M1032 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/884809339">@A2jacomel</a>I have had a thought about this since you put this up overnight:&nbsp;&nbsp; One thought is that some vulnerability service management providers, are now providing online cloud services, which include weaponisation.&nbsp;&nbsp; What I mean by this is&nbsp; - instead of the traditional Mitre/CVE approach, they combine the service with actual live security intelligence - so this means instead of obtaining the latest highest priority according to impact - you get a report online based on what the real cyber-criminals are actually focusing upon - which in changes the equation to one of more a risk materialisation approach i.e. higher likelihood that those systems/applications are currently and likely to be under attack and therefore your priority would be to patch those systems/applications now thus reducing the potential impact to the organisation, had they used the traditional approach.</P><P>&nbsp;</P><P>But a month, later of course the results will have changed again, as they cyber-criminals will be focusing on something else etc.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_cautim</P> Sun, 24 Mar 2019 23:04:09 GMT https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20421#M1032 Caute_cautim 2019-03-24T23:04:09Z https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20469#M1041 Thanks! That is very interesting. I think is a good approach to risk based on cyber intelligence. Tue, 26 Mar 2019 09:41:10 GMT https://community.isc2.org/t5/Tech-Talk/Evidence-of-risk-materialization-for-server-vulnerabilities/m-p/20469#M1041 A2jacomel 2019-03-26T09:41:10Z