Not all vulnerabilities affect a business the same way. Every business should have a method for deciding which vulnerabilities deserve attention.
Vulnerabilities with the greatest potential for significant financial impact are the ones that should receive the highest level of concern and focus. Sometimes these vulnerabilities show up in the news, but more often finding them requires diligent digging and alertness on the part of the business.
There is never just one kind or type of vulnerability to worry about. There are layers of vulnerability types that should receive regular scrutiny and focus.
What Vulnerabilities Should a Business Really Worry About?
Every business owner should be able to answer this question: what is the potential financial impact of a loss event that has taken advantage of X vulnerability? Being unaware of the financial impact or the existence of X vulnerability is a major problem.
Every so often a vulnerability surfaces in technology so ubiquitous that the whole world needs to sit up, take notice, and do something about it. Examples of this level of vulnerability are Heartbleed, Shellshock, BlueKeep, and the recent Log4Shell. These newsworthy vulnerabilities are the bare minimum to worry about: the total potential financial impact to almost any business is massive.
Reading the history of the aforementioned examples may provide some important insight into the catastrophic losses resulting from not dealing with these vulnerabilities fast enough or ignoring them altogether.
If, however, a business’s total level of concern is limited to the vulnerabilities so bad they make national or international news, the business will overlook other critical vulnerabilities lurking in its midst.
For the sake of this article, think of vulnerabilities as a stack of risks that need mitigation, but instead of the levels of the stack representing different degrees of concern, the layers represent a shift in focus. As risks at the top level of focus (vulnerabilities that make national/international news) are resolved, shift focus to the next level, as far as it is needed.
Constantly move up and down the stack, identifying and resolving vulnerabilities as they materialize. If a vulnerability can reasonably be placed in any of the types below, it is a vulnerability worth worrying about.
Vulnerability “type” | Examples |
News Level | Shellshock, Log4Shell |
Common Breach Vulns | Phishing, Stolen Credentials |
Internet Exposed RCE | Buffer Overflow, Command Injection |
High Risk (Other) | Risk of loss event > loss tolerance |
A process should exist for identifying, tracking, and resolving vulnerabilities at each level. The process doesn’t have to be complicated, but it should be repeatable and adjustable.
National and International News Level Vulnerabilities
Awareness of these vulnerabilities is as easy as subscribing to a few cyber security news sites and vendor advisory feeds. These sites post new and serious vulnerabilities on a regular basis. When what they post starts to show up in major news outlets, Twitter, and/or Facebook, treat it as this level and deal with the issue immediately.
Often the solution is a patch, but when a patch is not enough (or is not yet available), pay attention to the vendor’s recommended mitigations and implement the ones that make sense for the business IT environment.
Always be on guard for this type of vulnerability. A lack of alertness here could spell the end of the business.
Common Breach Vulnerabilities
Subscribe to a couple of annual breach reports. These reports track breach trend data and provide intelligence on the most common methods and vulnerabilities attackers use to gain access to sensitive data. Right now the two most common are phishing and the use of stolen credentials, often purchased on the dark web.
Phishing and credential theft are so common that not already having controls in place is itself an issue. Email phishing protection tools such as Mimecast and Proofpoint, plus authentication protection such as multi-factor authentication (MFA), are now baseline controls.
Knowing these common breach vulnerabilities and how they apply to the company’s IT environment gives good direction on which basic controls the business needs to implement.
Internet Exposed Remote Code Execution (RCE)
The vulnerability scan is still the most consistent method of detecting RCEs that are exposed to the internet. A remote code execution (RCE) vulnerability gives an attacker the ability to run code, and by extension commands, on a remote machine. These are generally rated critical, with CVSS scores of 9.0 to 10.0.
Run regular scans to identify any external facing RCEs, then take steps to remove them – patching, turning off the service, decommissioning the server, etc.
The vulnerability scan is a mature commodity product, so smaller businesses should have no trouble affording regular scans. The trouble comes with dealing with the output. Because a scan checks for essentially the entire history of published vulnerabilities, from low to critical severity, the volume of findings can look like an immovable mountain.
One way to prevent the “analysis paralysis” in which the business does nothing about any vulnerability because the elephant looks so big is to focus first on the RCEs in the scan output, especially the RCEs on servers and services exposed to the internet.
Eliminating these RCEs will go a long way toward reducing the company’s overall risk.
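The triage described above, as an added example that is not part of the original article: a short script that reads a scan export and reduces it to the worklist of RCEs on internet-exposed hosts, worst CVSS first. The CSV column names, the hostnames and the “exposure” column are assumptions (most scanners do not emit exposure; it has to come from the asset inventory or from running the scan from outside the perimeter); the sample rows are constructed, using real CVE identifiers only so they are recognisable.

```python
import csv
import io

# Constructed sample scan export (added example, not real scanner output).
# Column names are assumed; map them to whatever your scanner produces.
SAMPLE_SCAN_CSV = """\
host,exposure,finding,cve,cvss,category
web01.example.com,external,Apache Struts Jakarta multipart RCE,CVE-2017-5638,10.0,rce
web01.example.com,external,TLS 1.0 enabled,,5.3,config
vpn01.example.com,external,SSL VPN path traversal,CVE-2018-13379,9.8,info-disclosure
fs01.corp.local,internal,SMBv1 remote code execution,CVE-2017-0144,8.1,rce
mail01.example.com,external,OpenSSL Heartbleed memory disclosure,CVE-2014-0160,7.5,info-disclosure
app02.example.com,external,Log4Shell JNDI lookup RCE,CVE-2021-44228,10.0,rce
cgi01.example.com,external,Bash Shellshock command injection,CVE-2014-6271,9.8,command-injection
"""

# Title phrases that mean "attacker runs code/commands" when the scanner's
# category field is missing or uses different vocabulary.
RCE_KEYWORDS = ("remote code execution", "command injection", "arbitrary code execution")


def parse_scan(csv_text):
    """Parse a scan export into dicts; CVSS becomes a float (0.0 when blank)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["cvss"] = float(row["cvss"]) if row["cvss"] else 0.0
    return rows


def is_rce(row):
    """A finding counts as RCE if the scanner categorised it so, or if the
    finding title says so (category vocabularies differ between products)."""
    if row["category"].strip().lower() == "rce":
        return True
    title = row["finding"].lower()
    return any(keyword in title for keyword in RCE_KEYWORDS)


def external_rces(rows):
    """The subset to fix first: RCEs on internet-exposed hosts, worst first."""
    hits = [r for r in rows if r["exposure"].strip().lower() == "external" and is_rce(r)]
    return sorted(hits, key=lambda r: (-r["cvss"], r["host"]))


def triage(csv_text):
    """Summarise how far the mountain shrinks and return the worklist."""
    rows = parse_scan(csv_text)
    hits = external_rces(rows)
    return {
        "total_findings": len(rows),
        "external_rce": len(hits),
        "worklist": [(r["host"], r["cve"], r["cvss"]) for r in hits],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN_CSV)
    print(f"{result['total_findings']} findings, {result['external_rce']} external RCEs to fix first:")
    for host, cve, cvss in result["worklist"]:
        print(f"  {host:20} {cve:16} CVSS {cvss}")
```

Two things the filter deliberately does not do: it does not gate on CVSS (an RCE is on the list whatever its score; the score only sets the order), and it does not keep non-RCE findings such as the Heartbleed row, even though that one is serious. Heartbleed-class issues are caught by the news-level layer of the stack, not by this one.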
High Risk (Other)
High risk vulnerabilities at this level of the stack are any vulnerabilities (or combinations of them) that create a high probability of a breach with quantifiable losses exceeding loss tolerance and that do not fall into one of the other layers of the stack.
The internal risk rating process at this level is a little more complicated. It should include multiple measurements: security control effectiveness, value of the information/data, location of the vulnerabilities, and so on. At the risk of oversimplifying the calculation, it could look something like this:
probability % of event * potential loss = expected loss
Consider any expected loss that exceeds the risk tolerance significant; any vulnerabilities feeding into that calculation are high risk vulnerabilities (regardless of CVSS or other industry score) and should get significant concern and focus.
When the expected loss exceeds risk tolerance, then other decision processes should kick in to determine what kind of controls are worth implementing to reduce the risk below the tolerance threshold.
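The calculation in this section carried through in code, as an added example that is not part of the original article. It applies the article’s formula (probability of event × potential loss) to a small set of exposures, flags the ones whose expected loss exceeds the loss tolerance regardless of CVSS, and then goes one step beyond the text to show the “other decision process”: picking the cheapest combination of candidate controls that brings residual expected loss back within tolerance while costing less than the loss it removes. The exposures, probabilities, loss figures, control effects, control costs and the tolerance are all constructed for illustration; the residual-loss model (reductions multiply) is an assumption, not a standard.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    cvss: float                 # industry score, kept for reference only
    annual_probability: float   # probability of a loss event in a year (0.0 to 1.0, not %)
    potential_loss: float       # estimated loss if the event happens

    def expected_loss(self) -> float:
        # The article's formula: probability of event * potential loss.
        return self.annual_probability * self.potential_loss


@dataclass
class Control:
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction removed from event probability
    loss_reduction: float = 0.0         # fraction removed from loss magnitude


def residual_expected_loss(exposure: Exposure, controls) -> float:
    """Expected loss after applying controls.  Assumed model: each control's
    reduction multiplies the remaining probability / loss (constructed)."""
    p, loss = exposure.annual_probability, exposure.potential_loss
    for c in controls:
        p *= 1.0 - c.probability_reduction
        loss *= 1.0 - c.loss_reduction
    return p * loss


def high_risk(exposures, tolerance: float):
    """Exposures whose expected loss exceeds tolerance, regardless of CVSS, worst first."""
    return sorted((e for e in exposures if e.expected_loss() > tolerance),
                  key=lambda e: -e.expected_loss())


def cheapest_adequate_controls(exposure: Exposure, candidates, tolerance: float):
    """Cheapest subset of candidate controls that (a) brings residual expected
    loss within tolerance and (b) costs less than the expected loss it removes.
    Returns (sorted control names, total cost, residual) or None if no subset works."""
    baseline = exposure.expected_loss()
    best = None
    for n in range(1, len(candidates) + 1):
        for combo in itertools.combinations(candidates, n):
            cost = sum(c.annual_cost for c in combo)
            residual = residual_expected_loss(exposure, combo)
            if residual > tolerance or cost >= baseline - residual:
                continue
            if best is None or cost < best[1]:
                best = (sorted(c.name for c in combo), cost, residual)
    return best


# Constructed figures for illustration only.
LOSS_TOLERANCE = 50_000.0   # maximum expected annual loss the business accepts

EXPOSURES = [
    # No CVE and no CVSS at all, yet the largest expected loss in the list.
    Exposure("Flat network: guest Wi-Fi can reach the finance file server", 0.0, 0.10, 2_000_000),
    Exposure("Payroll SaaS admin accounts without MFA", 0.0, 0.15, 500_000),
    # A real CVSS score, but low probability and modest loss.
    Exposure("Unpatched medium-severity bug in internal HR app", 6.5, 0.02, 300_000),
]

CANDIDATE_CONTROLS = [
    Control("Network segmentation", annual_cost=40_000, probability_reduction=0.80),
    Control("EDR on finance server", annual_cost=15_000, probability_reduction=0.30, loss_reduction=0.50),
    Control("Offline backups", annual_cost=10_000, loss_reduction=0.60),
]


if __name__ == "__main__":
    for e in high_risk(EXPOSURES, LOSS_TOLERANCE):
        print(f"HIGH RISK (CVSS {e.cvss}): {e.name}: expected loss {e.expected_loss():,.0f}")
    print(cheapest_adequate_controls(EXPOSURES[0], CANDIDATE_CONTROLS, LOSS_TOLERANCE))
```

With these numbers the flat-network exposure (expected loss 200,000) and the no-MFA exposure (75,000) are high risk while the CVSS 6.5 bug (6,000) is not, and for the flat network the cheapest adequate option is EDR plus offline backups (25,000 a year, residual 28,000) rather than segmentation alone (40,000 a year, residual 40,000). The point is not the specific answer but that the decision is driven by expected loss against tolerance, not by the industry score.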