Perimeter
10/4/2012
04:33 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Is Your Organization Doing Good Things Or Doing The Right Things?

Fixing vulnerabilities that are a real threat is the right thing to do

Organizations are spending significant resources on security and still getting compromised. The problem is that they are doing good things that will help build a solid security foundation, but they are not solving the right problems that will actually stop attacks.

The problem is that many organizations are misaligned with risk. The general formula for calculating risk is: risk = threat x vulnerabilities.

Looking at the formula, it is pretty obvious that if an organization wants to reduce a given risk, it would have to reduce one of the two items that are multiplied together. The question now is, which item does an organization control?

Threat is the potential for harm or what the offense is capable of doing. Vulnerabilities are defensive weaknesses that allow a threat to manifest itself. Organizations can control and reduce vulnerabilities; they have little control over the threats. Therefore, if you want to reduce risk, the way this is accomplished is by reducing the vulnerabilities. This is where the problem begins for many organizations.

Fixing random vulnerabilities is a good thing to do. Fixing vulnerabilities in which there is a real threat is the right thing to do.

Many organizations approach vulnerabilities as a numbers game. Organizations often say they will fix the low-hanging fruit weaknesses, or that 30 vulnerabilities reduced a month will keep the attackers away. The problem is that vulnerability reduction is a quality game, not a quantity game. It is better to fix five vulnerabilities in which there is a real threat than 50 in which there is no threat and therefore a minimal risk. Since there is no such thing as a vulnerable-free environment, any time spent on fixing random vulnerabilities is time that cannot be spent on fixing the highest priority vulnerabilities, which are those in which there is a real threat.

Therefore, in managing risk, threat drives the risk calculation and vulnerabilities drive risk reduction. Now the question is which threats to focus on. The answer is the threats that have the highest likelihood that are coupled with the vulnerabilities that have the biggest impact. By focusing in on threats, likelihood and impact to prioritize risk will allow organizations to fix the vulnerabilities that really matter, which will align an organization with the right defenses.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7421
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.

CVE-2014-8160
Published: 2015-03-02
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disall...

CVE-2014-9644
Published: 2015-03-02
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-201...

CVE-2015-0239
Published: 2015-03-02
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYS...

CVE-2014-8921
Published: 2015-03-01
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by c...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.