CMMC

A false positive is an alert that incorrectly indicates a vulnerability exists or malicious activity is occurring. These false positives add a substantial number of alerts that need to be evaluated, increasing the noise level for security teams. 

‍

False positives may be triggered by a variety of incidents, such as: 

‍

• User repeatedly mistypes their password, triggering a brute-force alarm
• Scanning and security software identifies a legitimate operation as an attack
• A signature configured to identify a type of malware misidentifies an activity
• Software bugs misidentified as an attack
• Unrecognized network traffic
• Application security testing tools misidentify results as security issues

‍

The increase of security testing and monitoring tools increases the overall number of alerts security teams receive, which in turn increases the number of false positives coming in to be triaged. These types of security events increase the noise for overburdened security teams, making them more likely to ignore valid security events because they assume they are false positives. 

‍

Realistically, security teams cannot and do not need to resolve every single issue exposed by alerts, nor can software development and testing teams analyze each alert. These teams get a high number of alerts and it requires time to investigate each alert. When time-constrained teams continuously receive a high number of alerts, they are more likely to experience alert fatigue and focus on instances where there is a clear issue that needs to be resolved. 

‍

False positives increase the likelihood that internal security teams will miss important security events because they believe them to be invalid or simply see too many alerts to investigate each one. False negatives are similarly problematic, because they show that no vulnerability or security issue is present when there actually is a problem that needs to be addressed. 

‍

While some number of false positives will be investigated to verify that they do not, in fact, pose a threat to the organization, false negatives are less likely to be investigated as test results appear to indicate that the software is functioning as intended. Both false positives and false negatives can pose a threat to security teams and the organizations they protect.

A vulnerability is a weakness that could be exploited or triggered by a threat source in internal controls, procedures for systems security, an information system, or implementation. A weakness is synonymous with deficiency and may result in security or privacy risks or both. 

‍

In cybersecurity terms, a vulnerability is a security exposure that exists in an operating system, in system software, or in an application software component. Each vulnerability can potentially compromise the system or network if exploited.

‍

There are multiple publicly accessible databases of vulnerabilities, sometimes based on the version numbers of software. Common Vulnerabilities and Exposures (CVE) is a common means of enumerating publicly known information security vulnerabilities operated by The MITRE Corporation. 

‍

CVE identifiers assign each vulnerability with a unique name/number, The Common Vulnerability Scoring System (CVSS) is an open industry standard owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization. 

‍

CVSS 3.1 identifies the severity of a vulnerability based on the following metrics: 

Base metrics

• Access vector (what access is required: local, adjacent network, network, physical)
• Access complexity (how easy or hard it is to exploit)
• Privileges required (what level of privileges an attacker requires before exploiting the vulnerability successfully)
• User interaction (whether the attacker requires a separate user or user-initiated process to exploit the vulnerability)

Impact metrics

• Scope (whether a vulnerability in one component impacts resources beyond its security scope)
• Confidentiality (is the confidentiality of data impacted)
• Integrity (what is the impact on the integrity of the system)
• Availability (will the system remain fully functional, experience reduced performance or capabilities, or become unavailable)

‍

A flaw may be the result of poor design or implementation mistakes, and results in unintended functionality. There are also temporal metrics (exploit code maturity, remediation level, and report confidence) and environmental metrics (modified base metrics and confidentiality requirement, integrity requirement, and availability requirement). 

‍

 The Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses that have security ramifications. Weakness severity is scored using Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™) and are based on base findings, attack surface, and environmental metrics. An attacker may exploit vulnerabilities, weaknesses, or user errors individually or combine them to carry out an attack. These metrics help incident response teams and cybersecurity professionals determine the threat level of a vulnerability and how to best address it.

‍