Hackers Know Your Vulnerabilities, Do You?

Your organization should have a set of processes, or better still a program, that systematically reviews its risk. In banks and hospitals, managing risk is mandated by regulation. Given the prevalence of nation-state hackers and their willingness to exploit vulnerabilities, I argue that every organization should know where it stands. Let's look at three components of managing risk: first, identify the vulnerabilities; second, calculate the impact of those vulnerabilities being exploited; and third, take action.

The following list is an excerpt from a book I recently read. It gives a good starting point for thinking about vulnerabilities, and you can extend it as appropriate for your organization. As the title says, the threats (that is, the hackers) likely already know about these vulnerabilities and will seek to exploit them given the chance.

  • Have you or your business ever been hacked?
  • Have you ever found malicious code (such as viruses, trojans, or worms) or unauthorized software on your systems?
  • Is your network being probed by outside entities?
  • Do any of the members of your IT staff fail to maintain current industry certifications in their specialties?
  • Are there more current software versions, including patches, available for your system?
  • Do you store data “in the cloud”?
  • Does your workforce use mobile devices such as smart phones, tablet computers, and laptops to conduct your corporate business?
  • Does your business solely rely on passwords to control access to the network and information?
  • Does your business conduct annual vulnerability scans of your network?
  • Do you allow remote access to your network?

Touhill, Gregory J.; Touhill, C. Joseph. Cybersecurity for Executives: A Practical Guide (p. 36). Wiley. Kindle Edition.

Reviewing the list shows why each question matters. Take #1, "Have you been hacked?" If the answer is yes, there is a good chance your organization is seen as a valuable target, and whoever got in once will try again. Similarly, #6, "Do you store data in the cloud?" Cloud storage is still a developing area: new weaknesses in it are found regularly, and exploitation attempts against cloud-hosted data are made daily. Any use of the cloud should therefore get extra attention, starting with an inventory of what is stored there, who can reach it, and how it is configured. Implementing additional security measures there will help in identifying vulnerabilities and, with luck, in mitigating the risk.

Risk can be calculated using quantitative or qualitative measures. It is a view of the likelihood that a threat will overcome a vulnerability within your organization, combined with the impact if it does. Every organization has some level of vulnerability. Identifying those vulnerabilities and applying the appropriate countermeasure to each is a best practice.

Quantitative analysis involves assigning numbers, such as a dollar value, to the loss. Once the dollar value is assigned, we look at the probability of a threat exploiting the vulnerability (typically as an expected number of occurrences per year) and multiply the two to get an expected loss for each risk. The result is a series of numbers that we can rank and use to decide how best to address each risk, for instance by comparing the expected loss against the cost of a countermeasure.

Qualitative analysis instead rates each risk against a predefined list of factors, such as likelihood and impact, each scored on a scale like low, medium or high, and combines the scores into an overall rating. Using these ratings we can determine which systems or files require the most attention, even when reliable dollar figures are not available.

Now that the vulnerabilities are identified and a risk metric has been applied, whether quantitative or qualitative, the last step is taking action. Your organization has four options: avoid, accept, limit, or transfer the risk. Each option is a strategy that can be chosen based on the organization's goals.

Avoiding the risk can be quite costly and is therefore used rarely. It means something as drastic as removing the vulnerability altogether. In the case of USB interfaces on computers, they could all be disabled or physically removed to avoid the threats associated with them. The negative impact could prevent the business from operating, or at least require costly alternatives to meet the same objectives.

Accepting the risk does not change the posture of the organization. This strategy is used when it is determined that the expected loss does not outweigh the cost of the other strategies. In the USB case, we would accept the risk on the end-user device while still watching for anything that tries to spread beyond that endpoint. In effect, we are prepared to sacrifice the endpoint.

Limiting the risk would be to implement a corporate policy that only certain types of devices may be plugged into a USB port. Such a policy can be enforced by the operating system itself (for example, through Windows Group Policy device-installation restrictions, or a USB allowlisting tool such as USBGuard on Linux). It does not totally remove the threat, but it raises the attacker's cost: exploiting the port now requires additional work and knowledge, because the vulnerability has been narrowed.

Lastly, we could transfer the risk. This is done through something like an insurance policy. Alternatively, we keep spare endpoints to replace a compromised device, or we hold a service contract to wipe and reload any device suspected of compromise. The threat can still overcome the vulnerability, but we have a means of shifting the negative impact, such as the financial loss, onto someone else.
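To make the three steps concrete, here is a small risk register, written for this article as an added example (it is not code from the original page or from the Touhills' book). It carries each entry through the quantitative calculation (dollar value times yearly rate), a qualitative low/medium/high rating, and the choice between avoid, accept, limit and transfer. Every entry, dollar figure, rate, countermeasure and threshold in it is constructed for illustration, including the loss tolerance, which is an assumption the organization has to set for itself.

```python
"""Added example, not code from the article or from the Touhills' book. A small
risk register that carries the three steps above through to a decision:
identify (the register entries), calculate (quantitative expected annual loss
plus a qualitative low/medium/high rating) and act (avoid, accept, limit or
transfer). Every entry, dollar figure, rate and threshold below is constructed
for illustration; replace them with your own estimates.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    single_loss: float              # dollars lost each time the threat succeeds
    annual_rate: float              # expected successful occurrences per year
    control: str                    # candidate countermeasure for the "limit" option
    control_cost: float             # annual cost of that countermeasure
    control_reduction: float        # fraction of the expected loss it removes (0..1)
    transfer_cost: Optional[float] = None  # annual premium or contract, if insurable


def expected_annual_loss(r: Risk) -> float:
    """Quantitative measure: the dollar value of one loss times its yearly rate."""
    return r.single_loss * r.annual_rate


def _level(value: float, medium: float, high: float) -> int:
    return 3 if value >= high else 2 if value >= medium else 1


def qualitative_rating(r: Risk) -> str:
    """Qualitative measure: likelihood (1-3) times impact (1-3) on a 3x3 matrix.
    The bucket thresholds are assumptions for this example."""
    likelihood = _level(r.annual_rate, medium=0.1, high=1.0)
    impact = _level(r.single_loss, medium=10_000, high=100_000)
    score = likelihood * impact
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def treatment(r: Risk, tolerance: float) -> str:
    """Choose avoid, accept, limit or transfer. `tolerance` is the annual loss
    the organization is willing to carry untreated (an assumed input)."""
    eal = expected_annual_loss(r)
    if eal <= tolerance:
        return "accept"                          # not worth spending on
    # Net annual saving of each treatment: loss removed minus what it costs.
    savings = {"limit": eal * r.control_reduction - r.control_cost}
    if r.transfer_cost is not None:
        savings["transfer"] = eal - r.transfer_cost
    option, net = max(savings.items(), key=lambda kv: kv[1])
    if net > 0:
        return option                            # the treatment pays for itself
    return "avoid"                               # intolerable loss and no economic fix: remove the exposure


def plan(register: list[Risk], tolerance: float) -> list[tuple[str, float, str, str]]:
    """Rank the register by expected annual loss (highest first) and attach
    the qualitative rating and chosen treatment to each entry."""
    rows = [(r.name, expected_annual_loss(r), qualitative_rating(r), treatment(r, tolerance))
            for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register. The USB entry mirrors the example in the text; the
# others are drawn from the checklist questions above.
REGISTER = [
    Risk("Malware introduced via unmanaged USB drives", 8_000, 2.0,
         "OS device-control policy: only approved USB device classes allowed",
         control_cost=3_000, control_reduction=0.75),
    Risk("Password-only remote access account takeover", 200_000, 0.5,
         "Multi-factor authentication on all remote access",
         control_cost=12_000, control_reduction=0.9, transfer_cost=40_000),
    Risk("Misconfigured cloud storage exposes customer records", 400_000, 0.0625,
         "Quarterly cloud configuration review",
         control_cost=15_000, control_reduction=0.5, transfer_cost=10_000),
    Risk("Internet-facing legacy server that cannot be patched", 300_000, 0.25,
         "Web application firewall in front of the server",
         control_cost=50_000, control_reduction=0.5, transfer_cost=90_000),
    Risk("Defacement of the static marketing site", 6_000, 0.5,
         "Integrity monitoring with automatic redeploy",
         control_cost=2_500, control_reduction=0.9),
]

if __name__ == "__main__":
    for name, eal, rating, action in plan(REGISTER, tolerance=5_000):
        print(f"{eal:>10,.0f}  {rating:<6}  {action:<8}  {name}")
```

Run as a script, it prints the register ranked by expected annual loss with each entry's rating and treatment; with these constructed figures the remote-access and USB risks are limited, the cloud exposure is transferred, the unpatchable server is avoided (decommissioned), and the defacement risk is accepted. Note that the qualitative and quantitative views can disagree (the USB risk is only "medium" qualitatively yet ranks fourth by dollars), which is exactly why it is worth running both before deciding.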

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities. Risk management's objective is to ensure that uncertainty does not deflect the endeavor from the business goals.

Every organization should have some documented method to deal with risk. This brief write-up has provided a sample of how to address it in your organization.


Thomas Addison has more than 20 years of experience in the technology industry where he has spent time as an engineer, consultant and sales leader.