Perimeter
10/4/2012
04:33 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Is Your Organization Doing Good Things Or Doing The Right Things?

Fixing vulnerabilities that are a real threat is the right thing to do

Organizations are spending significant resources on security and still getting compromised. The problem is that they are doing good things that will help build a solid security foundation, but they are not solving the right problems that will actually stop attacks.

The problem is that many organizations are misaligned with risk. The general formula for calculating risk is: risk = threat x vulnerabilities.

Looking at the formula, it is pretty obvious that if an organization wants to reduce a given risk, it would have to reduce one of the two items that are multiplied together. The question now is, which item does an organization control?

Threat is the potential for harm or what the offense is capable of doing. Vulnerabilities are defensive weaknesses that allow a threat to manifest itself. Organizations can control and reduce vulnerabilities; they have little control over the threats. Therefore, if you want to reduce risk, the way this is accomplished is by reducing the vulnerabilities. This is where the problem begins for many organizations.

Fixing random vulnerabilities is a good thing to do. Fixing vulnerabilities in which there is a real threat is the right thing to do.

Many organizations approach vulnerabilities as a numbers game. Organizations often say they will fix the low-hanging fruit weaknesses, or that 30 vulnerabilities reduced a month will keep the attackers away. The problem is that vulnerability reduction is a quality game, not a quantity game. It is better to fix five vulnerabilities in which there is a real threat than 50 in which there is no threat and therefore a minimal risk. Since there is no such thing as a vulnerable-free environment, any time spent on fixing random vulnerabilities is time that cannot be spent on fixing the highest priority vulnerabilities, which are those in which there is a real threat.

Therefore, in managing risk, threat drives the risk calculation and vulnerabilities drive risk reduction. Now the question is which threats to focus on. The answer is the threats that have the highest likelihood that are coupled with the vulnerabilities that have the biggest impact. By focusing in on threats, likelihood and impact to prioritize risk will allow organizations to fix the vulnerabilities that really matter, which will align an organization with the right defenses.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

CVE-2014-0762
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows physically proximate attackers to cause a denial of service (infinite loop or process crash) via crafted input over a serial line.

CVE-2014-2380
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

CVE-2014-2381
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

CVE-2014-3344
Published: 2014-08-27
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq31129, CSCuq3...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.