Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/4/2012
04:33 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Is Your Organization Doing Good Things Or Doing The Right Things?

Fixing vulnerabilities that are a real threat is the right thing to do

Organizations are spending significant resources on security and still getting compromised. The problem is that they are doing good things that will help build a solid security foundation, but they are not solving the right problems that will actually stop attacks.

The problem is that many organizations are misaligned with risk. The general formula for calculating risk is: risk = threat x vulnerabilities.

Looking at the formula, it is pretty obvious that if an organization wants to reduce a given risk, it would have to reduce one of the two items that are multiplied together. The question now is, which item does an organization control?

Threat is the potential for harm or what the offense is capable of doing. Vulnerabilities are defensive weaknesses that allow a threat to manifest itself. Organizations can control and reduce vulnerabilities; they have little control over the threats. Therefore, if you want to reduce risk, the way this is accomplished is by reducing the vulnerabilities. This is where the problem begins for many organizations.

Fixing random vulnerabilities is a good thing to do. Fixing vulnerabilities in which there is a real threat is the right thing to do.

Many organizations approach vulnerabilities as a numbers game. Organizations often say they will fix the low-hanging fruit weaknesses, or that 30 vulnerabilities reduced a month will keep the attackers away. The problem is that vulnerability reduction is a quality game, not a quantity game. It is better to fix five vulnerabilities in which there is a real threat than 50 in which there is no threat and therefore a minimal risk. Since there is no such thing as a vulnerable-free environment, any time spent on fixing random vulnerabilities is time that cannot be spent on fixing the highest priority vulnerabilities, which are those in which there is a real threat.

Therefore, in managing risk, threat drives the risk calculation and vulnerabilities drive risk reduction. Now the question is which threats to focus on. The answer is the threats that have the highest likelihood that are coupled with the vulnerabilities that have the biggest impact. By focusing in on threats, likelihood and impact to prioritize risk will allow organizations to fix the vulnerabilities that really matter, which will align an organization with the right defenses.

Dr. Eric Cole, Ph.D., is a security expert with more than 15 years of hands-on experience. Cole has experience in information technology with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of more than 20 patents, and is a researcher, writer, and speaker. Cole is a member of the Commission on Cyber Security for the 44th President and several executive advisory boards, and is CTO of the Americas for McAfee. Cole is involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS fellow, instructor, and course author. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-28026
PUBLISHED: 2021-03-05
jpeg-xl v0.3.2 is affected by a heap buffer overflow in /lib/jxl/coeff_order.cc ReadPermutation. When decoding a malicous jxl file using djxl, an attacker can trigger arbitrary code execution or a denial of service.
CVE-2021-27907
PUBLISHED: 2021-03-05
Apache Superset up to and including 0.38.0 allowed the creation of a Markdown component on a Dashboard page for describing chart's related information. Abusing this functionality, a malicious user could inject javascript code executing unwanted action in the context of the user's browser. The javasc...
CVE-2021-20663
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and ea...
CVE-2021-20664
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlie...
CVE-2021-20665
PUBLISHED: 2021-03-05
Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and ear...