Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/6/2019
02:00 PM
Robert Huber
Robert Huber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Perceived Cybersecurity Risk Outweighs Reality

Teams need to manage perceived risks so they can focus on fighting the real fires.

In January 2018, enterprise security teams around the world found themselves putting out a fire ignited by the discovery of the Meltdown and Spectre chip-based vulnerabilities. News stories ran daily and continued throughout the year as additional variants were found. None of the vulnerabilities were exploited in the wild, and patches became available. In the end, security teams that had dropped everything to respond to the vulnerabilities discovered there was more smoke than fire. Meet the newest threat facing enterprise security efforts: media-fueled hype.

I'm not suggesting that security teams should ignore news or vulnerabilities, especially those as far-reaching as Meltdown and Spectre. However, the level of attention given to these security flaws — which weren't exploited — was unprecedented. While the threat existed, the perceived risk was out of proportion with reality and security teams were tasked with responding to perceived risk, rather than real risk. The repercussions? Wasted time and budget that would have been better spent on higher-risk issues. To gut-check our thinking, we interviewed a dozen CISOs, analysts, and other security professionals who deal with vulnerability management to get their thoughts.

The security professionals, who all remained anonymous, said the top-down response was disruptive. In some cases, executives were demanding systems be fixed in as little as 15 days, despite the fact that vendors hadn't shipped patches yet. "There was a whole bunch of panic around that at first ... and there was a whole lot of confusion" about what the risks were, said one interview participant. Security teams had to push back and educate executives or waste energy and cycles, diverting resources from other projects. For some, the vulnerability management programs were derailed as a result.

By comparison, the Apache Struts 2 remote code execution vulnerability that was disclosed and patched in August posed a more tangible risk but didn't get quite the level of executive attention as Meltdown and Spectre. This could be because Struts 2 wasn't as novel as the hardware vulnerabilities. It also could be partly due to what I call "vulnerability fatigue" following the hoopla around Meltdown and Spectre. With Apache Struts 2, however, the risk warranted the response, yet only a few organizations gave it a high level of executive attention.

After hearing about these issues from other CISOs, I walked away with two key takeaways:

  • Security teams should be prepared for top-down pressure that doesn't align with their evaluation of the risk. The best way to deal with it is to gather information that can help quantify and assess the legitimate risk. Interview participants suggested convening groups of technical experts, such as Linux experts for open source threats and chip experts for hardware vulnerabilities. This can help teams determine the real impact of a vulnerability so they can respond appropriately. It also helps them build out stronger processes and coalitions with other business units for when similar threats arise in the future. "As long as you have a proactive approach by having a vulnerability management program, having your metrics and having repeatable processes to deal with these things, it becomes a non-fire drill event moving forward," one participant said.
  • Effective communication is crucial for all stakeholders. Top executives rarely have the deep technical background necessary to fully understand the potential risk of a given vulnerability. This means CISOs and security teams must be armed with business context to translate the technical risk into business terms. This ensures the response is measured and appropriate based on real-world risk and not hype. Responding to high-profile vulnerabilities is an opportunity for security teams to build trust and show value.

Headline-grabbing vulnerabilities aren't going away, and it's clear they get the attention of the C-suite. The top-down response shouldn't pose more problems for security teams than the vulnerabilities themselves do. Teams need to manage perceived risks so they can focus on fighting real fires and not be distracted by the emergency flares thrown their way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.