Evidence of risk materialization for server vulnerabilities
For Internal Audit or another supervisory entity, have you ever been obliged to demonstrate that the risks associated with your infrastructure vulnerabilities have not materialized? How have you done it? Which logs or documentary supports may I use?
@A2jacomel I have had a thought about this since you put this up overnight: one thought is that some vulnerability management service providers are now providing online cloud services which include weaponisation. What I mean by this is that, instead of the traditional Mitre/CVE approach, they combine the service with actual live security intelligence. So instead of obtaining the latest highest priority according to impact, you get a report online based on what the real cyber-criminals are actually focusing upon, which changes the equation to more of a risk materialisation approach, i.e. a higher likelihood that those systems/applications are currently under attack or likely to be, and therefore your priority would be to patch those systems/applications now, thus reducing the potential impact to the organisation compared with the traditional approach.
But a month later, of course, the results will have changed again, as the cyber-criminals will be focusing on something else.
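To make the reply's point concrete, here is an added Python example that is not from either poster: it ranks constructed open findings by impact alone versus impact plus a constructed stand-in for a live exploitation-intelligence feed, and produces the per-host exposure record (window and exploitation status) an auditor would ask for. The CVE identifiers, hosts, dates and the `ACTIVELY_EXPLOITED` set are all placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    host: str
    cve: str                 # placeholder id, not a real advisory
    cvss: float              # impact score from the scanner
    first_seen: date         # scanner first reported the finding
    patched: Optional[date]  # None while the finding is still open

# Constructed sample scanner output (placeholder CVE ids).
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, date(2024, 1, 3), None),
    Finding("db-02",  "CVE-0000-0002", 6.5, date(2024, 1, 5), date(2024, 1, 20)),
    Finding("app-03", "CVE-0000-0003", 7.2, date(2024, 1, 8), None),
]

# Constructed stand-in for an intelligence feed of CVEs under active exploitation.
ACTIVELY_EXPLOITED = {"CVE-0000-0003"}

# Reporting date assumed for the audit snapshot.
AS_OF = date(2024, 2, 1)

def rank(findings, exploited, use_intel=True):
    """Return open findings in patch order.

    Impact-only ranking sorts by CVSS; intelligence-driven ranking puts
    CVEs that attackers are actually exploiting first, then falls back to CVSS.
    """
    open_findings = [f for f in findings if f.patched is None]
    if use_intel:
        key = lambda f: (f.cve in exploited, f.cvss)
    else:
        key = lambda f: f.cvss
    return sorted(open_findings, key=key, reverse=True)

def exposure_record(finding, exploited, as_of=AS_OF):
    """Audit evidence row: how long the host was exposed to the CVE and
    whether that CVE was being exploited in the wild during the window."""
    window_end = finding.patched or as_of
    return {
        "host": finding.host,
        "cve": finding.cve,
        "exposed_days": (window_end - finding.first_seen).days,
        "status": "patched" if finding.patched else "open",
        "actively_exploited": finding.cve in exploited,
    }
```

Pairing each exposure record with the scanner report, the change ticket for the patch and the intelligence snapshot for the same date gives a dated chain of evidence rather than a bare assertion that nothing happened.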