Many security professionals were geeks as kids. Most of us weren’t jocks, weren’t cheerleaders, and weren’t popular. We spent time tinkering with things, trying to break them down to the lowest common denominator and then rebuild them to suit our needs. We did things that weren’t cool because it interested us and no one else was doing them.
And what happened? We were made fun of, we were pushed into the dirt, and we sat in our rooms planning our revenge. Fast forward a few years…
The bullies look different these days. They look like us. They are technically proficient, well versed in what they do, and they command amazing tools. We’re security professionals now and we live in a world where the bullies have raised their sights from making an individual miserable to attacking millions of people by exploiting every instance of misconfigured software and every open vulnerability they can find!
Bullies have gone digital. Every day there are new tales of security incidents, privacy breaches, security officers getting fired.
My colleague Ken Westin (@KWestin) recently posted an article outlining one of the biggest problems: Too much noise, not enough signal. SIEMs are firing off way too much and the operations teams don’t have enough resources to investigate everything.
The big bullies just sneak on through, push us in the dirt, and take our lunch money (or yacht money, since we’re a big business and all). Well, I for one am tired of being pushed into the dirt. We have all this technology; it’s about time we start using it to protect ourselves! It’s time we start patching the risks that make us vulnerable and plan our revenge!
Where do I start?
Bullies like to pick on low hanging fruit. They survey their targets, see which one they can get the most lunch money from with the least amount of effort, and attack. Translate this to technology: I want to look at all my assets and see which will give up the most lunch money and is the easiest to attack. A quick and easy way to do this is with a vulnerability scan.
“I do that already” you say. Then what’s the problem? Are you too cool to remediate? None of the cool kids do it, right? Look what happened to them!
I know, the toughest part of managing vulnerability risk is knowing what to patch first. Vulnerability management tools often give you a LONG list of vulnerabilities to remediate. The system administrators are swamped, and once you finally convince them to do something about it, you get hit with a false positive and lose the traction you’ve gained. I covered the scanning methodologies for reducing false positives in an earlier post.
How do I know what to fix first?
Tripwire published a white paper that outlines the limitations of traditional vulnerability scoring methodologies. Long story short, there are too many vulnerabilities with the same score of “high” or “10”.
In order to figure out what to fix first, we need to look at the bully’s easiest point of entry. They will always pick the path of least resistance, the path that requires the least amount of skill and effort. This is the first element.
Before putting time and money into a project, organizations will do a cost-benefit analysis. Similarly, a bully will do a cost-benefit analysis to see if the privilege gained upon successful exploitation will be worth the effort they had to put in. This is the second element.
The longer a bully has time to think about what he’s going to do with your vulnerability, the more thought he’s put into his strategy, and the higher the likelihood of his success. This is the third element.
Now if we put these three together in a meaningful way, we get an actionable and reliable metric for calculating your vulnerability risk score. Based on the time your operations teams have available, they can remediate the highest scoring individual vulnerabilities, the highest scoring hosts, and/or the highest scoring business units.
We can now allocate our limited resources in a very strategic manner that will provide us the most security for the least amount of effort.
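To make the three elements concrete, here is a small added illustration (not Tripwire’s scoring formula, and not code from the original post) that scores a constructed list of scan findings by required skill, privilege gained, and age, then rolls the scores up per host and per business unit. The 1–5 scales, the age multiplier, and the product used to combine them are assumptions chosen for the demonstration; the vulnerability ids and hostnames are placeholders.

```python
# Added illustration: a toy risk score built from the three elements the post
# describes (attacker skill/effort, privilege gained, and how long the
# vulnerability has been known). Weights and the combination function are
# assumptions for demonstration, not Tripwire's scoring formula.
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class Vuln:
    vuln_id: str     # constructed placeholder ids, not real CVEs
    host: str
    unit: str        # business unit that owns the host
    skill: int       # 1 = trivial, public exploit ... 5 = expert, custom tooling
    privilege: int   # 1 = minor info leak ... 5 = remote admin/root
    age_days: int    # days since the vulnerability was disclosed

def risk_score(v: Vuln) -> int:
    """Element 1: less skill/effort required -> higher ease score (1..5).
    Element 2: more privilege gained -> higher score (1..5).
    Element 3: older, well-studied bugs weigh 1x, 2x or 3x (capped at 2 years).
    The product (1..75) puts findings that are easy, valuable AND old on top."""
    ease = 6 - v.skill
    age_weight = 1 + min(v.age_days, 730) // 365
    return ease * v.privilege * age_weight

def rank_vulns(vulns):
    """Individual vulnerabilities as (id, score), highest risk first."""
    return sorted(((v.vuln_id, risk_score(v)) for v in vulns),
                  key=lambda p: p[1], reverse=True)

def rank_by(vulns, attr):
    """Sum risk per host or per business unit (attr = 'host' or 'unit')."""
    totals = defaultdict(int)
    for v in vulns:
        totals[getattr(v, attr)] += risk_score(v)
    return sorted(totals.items(), key=lambda p: p[1], reverse=True)

# Constructed sample scan output: VULN-1 and VULN-2 both grant full privilege
# (a plain "10" severity list treats them the same), but VULN-2 needs an expert.
SAMPLE = [
    Vuln("VULN-1", "web-01", "sales",   skill=1, privilege=5, age_days=400),
    Vuln("VULN-2", "web-01", "sales",   skill=5, privilege=5, age_days=800),
    Vuln("VULN-3", "db-02",  "finance", skill=2, privilege=4, age_days=30),
    Vuln("VULN-4", "hr-03",  "finance", skill=3, privilege=2, age_days=1000),
    Vuln("VULN-5", "db-02",  "finance", skill=1, privilege=3, age_days=100),
]

if __name__ == "__main__":
    print("vulnerabilities:", rank_vulns(SAMPLE))
    print("hosts:", rank_by(SAMPLE, "host"))
    print("business units:", rank_by(SAMPLE, "unit"))
```

With these inputs VULN-1 (trivial, full privilege, known for over a year) lands well above VULN-2 even though both would carry the same traditional “high” rating.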
So instead of being scared and thinking “the bullies are coming for us next,” let’s get proactive and avenge our fallen brethren by protecting our lunch money. Eventually the bullies will starve to death (or pick on someone their own size).