Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/6/2019
02:00 PM
Robert Huber
Robert Huber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Perceived Cybersecurity Risk Outweighs Reality

Teams need to manage perceived risks so they can focus on fighting the real fires.

In January 2018, enterprise security teams around the world found themselves putting out a fire ignited by the discovery of the Meltdown and Spectre chip-based vulnerabilities. News stories ran daily and continued throughout the year as additional variants were found. None of the vulnerabilities were exploited in the wild, and patches became available. In the end, security teams that had dropped everything to respond to the vulnerabilities discovered there was more smoke than fire. Meet the newest threat facing enterprise security efforts: media-fueled hype.

I'm not suggesting that security teams should ignore news or vulnerabilities, especially those as far-reaching as Meltdown and Spectre. However, the level of attention given to these security flaws — which weren't exploited — was unprecedented. While the threat existed, the perceived risk was out of proportion with reality and security teams were tasked with responding to perceived risk, rather than real risk. The repercussions? Wasted time and budget that would have been better spent on higher-risk issues. To gut-check our thinking, we interviewed a dozen CISOs, analysts, and other security professionals who deal with vulnerability management to get their thoughts.

The security professionals, who all remained anonymous, said the top-down response was disruptive. In some cases, executives were demanding systems be fixed in as little as 15 days, despite the fact that vendors hadn't shipped patches yet. "There was a whole bunch of panic around that at first ... and there was a whole lot of confusion" about what the risks were, said one interview participant. Security teams had to push back and educate executives or waste energy and cycles, diverting resources from other projects. For some, the vulnerability management programs were derailed as a result.

By comparison, the Apache Struts 2 remote code execution vulnerability that was disclosed and patched in August posed a more tangible risk but didn't get quite the level of executive attention as Meltdown and Spectre. This could be because Struts 2 wasn't as novel as the hardware vulnerabilities. It also could be partly due to what I call "vulnerability fatigue" following the hoopla around Meltdown and Spectre. With Apache Struts 2, however, the risk warranted the response, yet only a few organizations gave it a high level of executive attention.

After hearing about these issues from other CISOs, I walked away with two key takeaways:

  • Security teams should be prepared for top-down pressure that doesn't align with their evaluation of the risk. The best way to deal with it is to gather information that can help quantify and assess the legitimate risk. Interview participants suggested convening groups of technical experts, such as Linux experts for open source threats and chip experts for hardware vulnerabilities. This can help teams determine the real impact of a vulnerability so they can respond appropriately. It also helps them build out stronger processes and coalitions with other business units for when similar threats arise in the future. "As long as you have a proactive approach by having a vulnerability management program, having your metrics and having repeatable processes to deal with these things, it becomes a non-fire drill event moving forward," one participant said.
  • Effective communication is crucial for all stakeholders. Top executives rarely have the deep technical background necessary to fully understand the potential risk of a given vulnerability. This means CISOs and security teams must be armed with business context to translate the technical risk into business terms. This ensures the response is measured and appropriate based on real-world risk and not hype. Responding to high-profile vulnerabilities is an opportunity for security teams to build trust and show value.

Headline-grabbing vulnerabilities aren't going away, and it's clear they get the attention of the C-suite. The top-down response shouldn't pose more problems for security teams than the vulnerabilities themselves do. Teams need to manage perceived risks so they can focus on fighting real fires and not be distracted by the emergency flares thrown their way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.