In the first installment of my vulnerability management blog series, I discuss the pitfalls of not having a vulnerability testing and tracking strategy and the serious consequences of failing to recognize what is meaningful to the business. In part two of the series, I will expand on the idea of recognizing what is meaningful to the business and discuss the importance of business context in vulnerability management.
It sounds nebulous, and for good reason. From my observations over the years, I’ve heard claims that the best approach to cyber security is either 1) purchasing more technology to keep ahead of the latest vulnerabilities or 2) changing the behaviors that pose the most risk, such as clicking on unknown links, or adopting stronger passwords. While there is a place in a security program for these and other security measures, time and budget constraints create major barriers. Instead of asking, “Which new technologies do we need to add to our security stack?” or “Why isn’t my organization getting a perfect score on our phishing assessments?”, the most important question that needs to be asked is, “So what?”
“So what?” is arguably one of the most elemental and important criteria in any cybersecurity situation, from policy to technical security controls. The question forms the basis of nearly every security decision and requires alignment to core business objectives to be determined and applied before a direction is taken. Recognizing how each security decision impacts your business is vital. To understand the importance of “So what?” we must first understand its place in your cyber security strategy.
Strategy is another concept that can mean different things to different people, in part because there is no standard approach to cyber security program development. Each business has different security needs. As security leaders, we address the threats that pose imminent and perceived harm to the environment, and those that get noticed most get attention first. And understandably so, given the ever-advancing threats companies face. It is often the case, however, that what is considered harmful to the environment is not rooted in what is most important, or what poses the most risk, to a business. That is where a business-aligned vulnerability management program comes into play.
How to Achieve a Business-Aligned Vulnerability Management Program
A business-aligned vulnerability management program takes into consideration the vulnerabilities that would have the most significant, negative impact on the business, the most relevant threats that could exploit those vulnerabilities, how to remediate, as well as the controls needed to counter those threats. Such a strategy is built on a framework that enables, implements, and maintains the program and informs all security initiatives, controls, and processes.
Once a business-aligned vulnerability management program is in place, we can ask, “So what?” when considering a potential risk, a discovered vulnerability, a detected event, a proposed initiative, or virtually any other consideration affecting security posture. Let’s look at a few hypothetical vulnerability findings:
| Vulnerability Finding | So What? | Remediation Recommendations |
|---|---|---|
| Poor Administrator Account Password | Attacker can gain access to and steal data. Poses enterprise risks to information, business operations, regulatory compliance, and business reputation. Regulatory non-compliance leading to financial sanctions. Legal action by affected customers leading to financial reparations. | Change the admin password. Strengthen the admin password. Use multifactor authentication. Use a “zero trust” access model. Purchase technology to enhance identity and access controls. Conduct vulnerability testing more often. |
| Vulnerable Version – PHP | Successful exploitation of available vulnerabilities may allow a remote unauthenticated attacker to execute arbitrary commands directly or indirectly on the affected systems. As a result, the confidentiality, integrity, and availability of the affected systems and associated data may be compromised. | Disable or uninstall PHP if it is not required for a defined business purpose. If PHP is required, upgrade to the latest stable version of the software or apply vendor-supplied patches. If no fix is available, contact the vendor for solutions and consider isolating the affected service via host-based and network firewalls. |
| SQL Injection | SQL injection may allow an attacker to extract, modify, add, or delete information from database servers, causing the confidentiality and integrity of the information stored in the database to be compromised. Depending on the SQL implementation, the attacker may also be able to execute system commands on the affected host. In some circumstances, this provides the means to take control of the server hosting the database, leading to the complete compromise of the confidentiality, integrity, and availability of the affected host. | Employ a layered approach to security that includes using parameterized queries when accepting user input. Strictly define the data type that the application will accept. Also, disable detailed error messages that could give an attacker information about the database. Additionally, following the principle of least privilege when assigning permissions for the service account and database user helps limit the impact of a successful SQL injection attack. |
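As an added example (not code from the original post), the SQL Injection remediation from the table above in working Python with sqlite3: the string-concatenated query beside its parameterized form, a strict integer type check on the input before it reaches the database, and a generic failure path that does not expose database error details to the caller. The `users` table and its rows are constructed sample data; the least-privilege database account is a deployment setting and is not shown here.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'before' state: the input is pasted into the SQL text verbatim,
    so anything that is not a plain number changes the query's logic."""
    sql = "SELECT username, email FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, user_id):
    """Strictly define the accepted data type, then bind the value as a
    query parameter so the driver never parses it as SQL."""
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise ValueError("user_id must be an integer")
    return conn.execute(
        "SELECT username, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def safe_lookup(conn, raw_input):
    """Application-facing wrapper: on any validation or database error return
    None (log the detail server-side instead) rather than echoing the driver's
    error message, which could reveal table or column names."""
    try:
        return lookup_hardened(conn, raw_input)
    except (ValueError, sqlite3.Error):
        return None
```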
Eliminate the “So what?” column and it becomes difficult to choose which vulnerability to prioritize. Taking these examples further, we can use this same strategy to determine the ramifications of conducting certain types of vulnerability scans, from the resources needed to conduct the test to the large number of vulnerability instances that will require analysis. For example, if you target scans to detect just the vulnerabilities that have a significant answer to “So what?”, in other words, those that have a major impact on the business, you can focus your resources (people, time, money) on the meaningful measures to manage risk to the business.
This all ties back to risk-based security. By now, the security industry understands why risk-based security strategies are more effective than compliance-based strategies, but organizations are often challenged as to how to make the shift. To mature your security program and achieve a risk-based strategy, it is essential to align business logic with vulnerability management and prioritize the vulnerabilities that pose the highest risk specific to your business.