Perimeter
10/4/2012
04:33 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Is Your Organization Doing Good Things Or Doing The Right Things?

Fixing vulnerabilities that are a real threat is the right thing to do

Organizations are spending significant resources on security and still getting compromised. The problem is that they are doing good things that will help build a solid security foundation, but they are not solving the right problems that will actually stop attacks.

The problem is that many organizations are misaligned with risk. The general formula for calculating risk is: risk = threat x vulnerabilities.

Looking at the formula, it is pretty obvious that if an organization wants to reduce a given risk, it would have to reduce one of the two items that are multiplied together. The question now is, which item does an organization control?

Threat is the potential for harm or what the offense is capable of doing. Vulnerabilities are defensive weaknesses that allow a threat to manifest itself. Organizations can control and reduce vulnerabilities; they have little control over the threats. Therefore, if you want to reduce risk, the way this is accomplished is by reducing the vulnerabilities. This is where the problem begins for many organizations.

Fixing random vulnerabilities is a good thing to do. Fixing vulnerabilities in which there is a real threat is the right thing to do.

Many organizations approach vulnerabilities as a numbers game. Organizations often say they will fix the low-hanging fruit weaknesses, or that 30 vulnerabilities reduced a month will keep the attackers away. The problem is that vulnerability reduction is a quality game, not a quantity game. It is better to fix five vulnerabilities in which there is a real threat than 50 in which there is no threat and therefore a minimal risk. Since there is no such thing as a vulnerable-free environment, any time spent on fixing random vulnerabilities is time that cannot be spent on fixing the highest priority vulnerabilities, which are those in which there is a real threat.

Therefore, in managing risk, threat drives the risk calculation and vulnerabilities drive risk reduction. Now the question is which threats to focus on. The answer is the threats that have the highest likelihood that are coupled with the vulnerabilities that have the biggest impact. By focusing in on threats, likelihood and impact to prioritize risk will allow organizations to fix the vulnerabilities that really matter, which will align an organization with the right defenses.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio