Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:00 PM
Connect Directly
E-Mail vvv

Framing the Security Story: The Simplest Threats Are the Most Dangerous

Don't be distracted by flashy advanced attacks and ignore the more mundane ones.

There is a general misunderstanding about what makes a vulnerability dangerous. Hype and publicity tend to be focused on the most advanced threats and tactics. In response to this, security teams focus more on controlling these advanced attacks rather than the more mundane ones, largely because the business supports these sensational cases more easily — at least until the memory has faded.

Consequently, security controls are often incomplete at the lower levels, leaving a wobbly foundation to build more advanced controls to counter more advanced threats. The result: Threats can breach at modest levels anyway, and the advanced controls become symbols of overspending and poor execution.

Often, it is the simplest vulnerabilities that are leveraged to breach a system. The reason for this: The easier a vulnerability is to exploit, the higher the number of threat actors that can, and actually will, exploit that vulnerability. It is a simple numbers game, yet the CISO and security team have a real problem framing this security story in a way that is both accurate and meaningful for executive leadership.

What I've discovered in almost two decades of attack simulation (including penetration testing and red/blue/purple teaming) as well as developing and advising these programs globally is that breaking in is still relatively easy. This does not mean that all the security work organizations have done is wasted or poor.

Often, security programs have covered many solid things, but they are uncalibrated and unbalanced, and they have not been integrated effectively. Foundationally, security should be about basic coverage (closing all the easy doors) before it is about elite capability (closing some of the doors very securely).

When done right, attack simulation can measure individual control performance. Equally valuable, it can measure the performance of parts of the security ecosystem (that is, prevent, detect, respond), and the ecosystem as a whole (impact mitigation). By doing so, it can also strongly indicate budget and resource performance, including over- and underspending. It is the ultimate form of security program assurance.

Here are three issues that undermine successful attack simulation and its strategic and tactical influence in business.

1. Attack simulations are often pitched and perceived as "advanced vulnerability assessment." This almost forces the business to treat them as a commodity. They are poorly scoped, funded, and resourced, and thus can mimic only modest or unrealistic threat scenarios. Tactically, this provides a false sense of security but also eviscerates its unique strategic value proposition — controls and program assurance.

2. Second are what I call the "Hack Olympics." White-hat hackers are very proud and competitive and like to show off to their peers. They will often try fancy new attack vectors for a quick "breach win" and not explore a myriad of more modest, but more common, breach scenarios. Often, this behavior is supported by their employers because they want to demonstrate strong value back to the customer — and to one-up competitors — and they believe that is done by doing something that less capable (that is, commodity) testers cannot do. In their view, this helps justify increased rates (rightly so) and should lead to customer loyalty (not necessarily).

The good news is that we can integrate the above issues into a business-savvy win. Modest cost/sophistication attack simulations can be framed as exactly that: efforts to cost-effectively discover modest breach scenarios. These can cover, say, the bottom 70% of scope. Next, leverage more sophisticated resources for the top 30%. This model demonstrates strong strategic and tactical value, as well as shrewd budget utilization.

3. Uninspired and stagnant reports are globally pervasive and undermine even great attack simulations. Reports fail to calibrate the difficulty level to breach and affect high-value business assets. They do not thoroughly explain the attacker’s decision process/tree/options, as well as which controls frustrated them and which controls could have and should have but did not — and why. Such reports rarely link the story of threat benefit (how hard are threats willing to try?) to business impact (how much do I really care?). An attack simulation report should wrap around a story arc like Ocean’s 11. It should be gripping and easy to understand to executives (goals and impacts to both sides), while showing a decision and execution path for SecOps to effect change.

Undeniably, attack simulation is a critical component of a robust security program. However, several issues undermine the quality and influence of these attack scenarios. This leads to inconsistent security capability, unbalanced budget allocation, uncalibrated security strategy, fear of breach at any moment, and frustration with SecOps, the CISO, and business executive leadership.

Related Content:

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.