Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/6/2019
02:00 PM
Robert Huber
Robert Huber
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

When Perceived Cybersecurity Risk Outweighs Reality

Teams need to manage perceived risks so they can focus on fighting the real fires.

In January 2018, enterprise security teams around the world found themselves putting out a fire ignited by the discovery of the Meltdown and Spectre chip-based vulnerabilities. News stories ran daily and continued throughout the year as additional variants were found. None of the vulnerabilities were exploited in the wild, and patches became available. In the end, security teams that had dropped everything to respond to the vulnerabilities discovered there was more smoke than fire. Meet the newest threat facing enterprise security efforts: media-fueled hype.

I'm not suggesting that security teams should ignore news or vulnerabilities, especially those as far-reaching as Meltdown and Spectre. However, the level of attention given to these security flaws — which weren't exploited — was unprecedented. While the threat existed, the perceived risk was out of proportion with reality and security teams were tasked with responding to perceived risk, rather than real risk. The repercussions? Wasted time and budget that would have been better spent on higher-risk issues. To gut-check our thinking, we interviewed a dozen CISOs, analysts, and other security professionals who deal with vulnerability management to get their thoughts.

The security professionals, who all remained anonymous, said the top-down response was disruptive. In some cases, executives were demanding systems be fixed in as little as 15 days, despite the fact that vendors hadn't shipped patches yet. "There was a whole bunch of panic around that at first ... and there was a whole lot of confusion" about what the risks were, said one interview participant. Security teams had to push back and educate executives or waste energy and cycles, diverting resources from other projects. For some, the vulnerability management programs were derailed as a result.

By comparison, the Apache Struts 2 remote code execution vulnerability that was disclosed and patched in August posed a more tangible risk but didn't get quite the level of executive attention as Meltdown and Spectre. This could be because Struts 2 wasn't as novel as the hardware vulnerabilities. It also could be partly due to what I call "vulnerability fatigue" following the hoopla around Meltdown and Spectre. With Apache Struts 2, however, the risk warranted the response, yet only a few organizations gave it a high level of executive attention.

After hearing about these issues from other CISOs, I walked away with two key takeaways:

  • Security teams should be prepared for top-down pressure that doesn't align with their evaluation of the risk. The best way to deal with it is to gather information that can help quantify and assess the legitimate risk. Interview participants suggested convening groups of technical experts, such as Linux experts for open source threats and chip experts for hardware vulnerabilities. This can help teams determine the real impact of a vulnerability so they can respond appropriately. It also helps them build out stronger processes and coalitions with other business units for when similar threats arise in the future. "As long as you have a proactive approach by having a vulnerability management program, having your metrics and having repeatable processes to deal with these things, it becomes a non-fire drill event moving forward," one participant said.
  • Effective communication is crucial for all stakeholders. Top executives rarely have the deep technical background necessary to fully understand the potential risk of a given vulnerability. This means CISOs and security teams must be armed with business context to translate the technical risk into business terms. This ensures the response is measured and appropriate based on real-world risk and not hype. Responding to high-profile vulnerabilities is an opportunity for security teams to build trust and show value.

Headline-grabbing vulnerabilities aren't going away, and it's clear they get the attention of the C-suite. The top-down response shouldn't pose more problems for security teams than the vulnerabilities themselves do. Teams need to manage perceived risks so they can focus on fighting real fires and not be distracted by the emergency flares thrown their way.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across financial, defense and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.