Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/6/2019
02:00 PM
Robert Huber
Robert Huber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Perceived Cybersecurity Risk Outweighs Reality

Teams need to manage perceived risks so they can focus on fighting the real fires.

In January 2018, enterprise security teams around the world found themselves putting out a fire ignited by the discovery of the Meltdown and Spectre chip-based vulnerabilities. News stories ran daily and continued throughout the year as additional variants were found. None of the vulnerabilities were exploited in the wild, and patches became available. In the end, security teams that had dropped everything to respond to the vulnerabilities discovered there was more smoke than fire. Meet the newest threat facing enterprise security efforts: media-fueled hype.

I'm not suggesting that security teams should ignore news or vulnerabilities, especially those as far-reaching as Meltdown and Spectre. However, the level of attention given to these security flaws — which weren't exploited — was unprecedented. While the threat existed, the perceived risk was out of proportion with reality and security teams were tasked with responding to perceived risk, rather than real risk. The repercussions? Wasted time and budget that would have been better spent on higher-risk issues. To gut-check our thinking, we interviewed a dozen CISOs, analysts, and other security professionals who deal with vulnerability management to get their thoughts.

The security professionals, who all remained anonymous, said the top-down response was disruptive. In some cases, executives were demanding systems be fixed in as little as 15 days, despite the fact that vendors hadn't shipped patches yet. "There was a whole bunch of panic around that at first ... and there was a whole lot of confusion" about what the risks were, said one interview participant. Security teams had to push back and educate executives or waste energy and cycles, diverting resources from other projects. For some, the vulnerability management programs were derailed as a result.

By comparison, the Apache Struts 2 remote code execution vulnerability that was disclosed and patched in August posed a more tangible risk but didn't get quite the level of executive attention as Meltdown and Spectre. This could be because Struts 2 wasn't as novel as the hardware vulnerabilities. It also could be partly due to what I call "vulnerability fatigue" following the hoopla around Meltdown and Spectre. With Apache Struts 2, however, the risk warranted the response, yet only a few organizations gave it a high level of executive attention.

After hearing about these issues from other CISOs, I walked away with two key takeaways:

  • Security teams should be prepared for top-down pressure that doesn't align with their evaluation of the risk. The best way to deal with it is to gather information that can help quantify and assess the legitimate risk. Interview participants suggested convening groups of technical experts, such as Linux experts for open source threats and chip experts for hardware vulnerabilities. This can help teams determine the real impact of a vulnerability so they can respond appropriately. It also helps them build out stronger processes and coalitions with other business units for when similar threats arise in the future. "As long as you have a proactive approach by having a vulnerability management program, having your metrics and having repeatable processes to deal with these things, it becomes a non-fire drill event moving forward," one participant said.
  • Effective communication is crucial for all stakeholders. Top executives rarely have the deep technical background necessary to fully understand the potential risk of a given vulnerability. This means CISOs and security teams must be armed with business context to translate the technical risk into business terms. This ensures the response is measured and appropriate based on real-world risk and not hype. Responding to high-profile vulnerabilities is an opportunity for security teams to build trust and show value.

Headline-grabbing vulnerabilities aren't going away, and it's clear they get the attention of the C-suite. The top-down response shouldn't pose more problems for security teams than the vulnerabilities themselves do. Teams need to manage perceived risks so they can focus on fighting real fires and not be distracted by the emergency flares thrown their way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...