Defense Cybersecurity Group: The Fifth Risk in Vulnerability Management
Centralizing both the protection and creation of knowledge is crucial for a successful vulnerability management strategy. Your connection to the internet inherently exposes your cyber environments to risks. Michael Lewis, an economist and financial journalist, identifies the ‘fifth risk’ as an unseen danger: the knowledge that is never created because the groundwork for it has been neglected. Similarly, the greatest threat to an organization’s information security isn’t the existence of vulnerabilities—because vulnerabilities are inevitable—but the absence of a system designed to systematically detect them.
Detecting Vulnerabilities
In today’s industry, risk detection, discussion, and assessment often rely on vulnerability scanning services. During a vulnerability scan, an appliance reaches out to specific IP addresses on your network, requests information, and receives different types of data depending on the scan. This information is then compared against a database of common vulnerabilities and exposures provided by the U.S. government, allowing the appliance to produce a list of vulnerabilities. These vulnerabilities are typically ranked on a scale from 1 to 5, with 5 representing the most severe risks.
This process might seem straightforward, but not all vulnerability scans are the same. Scans can be external or internal, authenticated or unauthenticated. Understanding the different types of scans your IT department conducts is essential for accurately evaluating your organization’s risk perception. External scans identify vulnerabilities outside of a company’s firewall, including the DMZ, while internal scans assess risks within it. Authenticated scans involve full login access to an organization’s devices, whereas unauthenticated scans provide a more limited dataset.
Many companies struggle to choose the right combination of vulnerability scans. Even when the scans are conducted properly, the identified risks are often not methodically addressed due to the overwhelming amount of data produced. For example, when I became the CISO of a small technology company several years ago, I conducted an unauthenticated external vulnerability scan. Across just three locations and two small data centers, the scan revealed over 60,000 vulnerabilities. The sheer volume of data can paralyze IT departments and administrators, leading to limited scans, or even withholding results from management. Developing a plan to address such a large number of risks is challenging, and many organizations struggle with it.
To navigate the challenges of vulnerability scanning in corporate environments, I use three approaches: 1) Encouraging Straight Talk, 2) Slow and Steady Progress, and 3) Responsiveness.
1) Encouraging Straight Talk: Effective vulnerability management requires creating an IT environment that encourages the open exposure of risks. Punishing the discovery of vulnerabilities is the quickest way to ensure these risks remain hidden. Encouraging open communication and enabling IT staff to perform comprehensive scans ensures your organization is aware of its cybersecurity weaknesses.
2) Slow and Steady Progress: Once vulnerability scanning begins, addressing risks must be methodical and deliberate. Accept that vulnerabilities are inevitable, and focus on identifying and addressing the most serious risks first. Strict timelines can sometimes be counterproductive, so prioritize consistent effort. For example, during my first year as CISO, I systematically addressed external risks ranked 5, then 4, and finally 3. We accepted the risks of all 1s and 2s in our documentation. By tackling the most pressing vulnerabilities first, the company made significant progress toward mitigating the 60,000 identified risks, even though many remained by the end of the year. The IT department also systematized their approach to the remaining lower-level vulnerabilities.
3) Responsiveness: Typical risk remediation timelines require addressing the highest-level risks within roughly 72 hours, lower-level risks within two weeks, and so on. However, remediation timelines don’t always align with the severity of vulnerabilities. Being responsive and flexible allows you to address risks as appropriately and promptly as possible. For instance, some low-level risks (2s) might be fixed within a day, while some high-level risks (5s) might take months of creative problem-solving. Some vulnerabilities may need to be reimagined as capabilities; for example, an open camera on an employee’s Chrome account might register as a risk but be essential for remote work. It’s important to let IT specialists use the tools they deem most appropriate, as mentioned in point 1.
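The triage loop the three approaches describe (work the 5s, then 4s, then 3s; accept 1s and 2s in documentation; track the 72-hour and two-week targets) as an added Python example, not code from the original article. The finding ids, hosts and dates are constructed, and collapsing per-host rows into unique findings is an assumption added here because one fix typically clears the same finding on many hosts.

```python
from datetime import datetime, timedelta

# Constructed sample: one row per (host, finding id, severity 1-5, date first reported).
# The ids and RFC 5737 addresses are placeholders, not real scan output.
SAMPLE_FINDINGS = [
    {"host": "203.0.113.10", "id": "VULN-A", "severity": 5, "found": "2024-03-01"},
    {"host": "203.0.113.11", "id": "VULN-A", "severity": 5, "found": "2024-03-02"},
    {"host": "203.0.113.12", "id": "VULN-B", "severity": 4, "found": "2024-03-01"},
    {"host": "203.0.113.11", "id": "VULN-B", "severity": 4, "found": "2024-03-05"},
    {"host": "203.0.113.10", "id": "VULN-C", "severity": 3, "found": "2024-03-03"},
    {"host": "203.0.113.13", "id": "VULN-D", "severity": 2, "found": "2024-03-01"},
    {"host": "203.0.113.14", "id": "VULN-E", "severity": 1, "found": "2024-03-02"},
]

# Remediation targets taken from the article: highest severity within roughly 72 hours,
# lower severities within two weeks; 1s and 2s are accepted and documented, not worked.
SLA = {5: timedelta(hours=72), 4: timedelta(days=14), 3: timedelta(days=14)}
ACCEPT_BELOW = 3


def triage(findings, now_iso):
    """Collapse per-host rows into unique findings, rank 5 -> 4 -> 3, attach due dates.

    Returns (work_queue, accepted_risks). The queue is ordered most severe first, then
    by number of affected hosts, so one fix that clears many hosts rises to the top."""
    now = datetime.fromisoformat(now_iso)
    groups = {}
    for row in findings:
        g = groups.setdefault(row["id"], {"id": row["id"], "severity": row["severity"],
                                          "hosts": set(), "first_seen": row["found"]})
        g["hosts"].add(row["host"])
        g["first_seen"] = min(g["first_seen"], row["found"])  # ISO dates sort lexically

    work, accepted = [], []
    for g in groups.values():
        if g["severity"] < ACCEPT_BELOW:
            g["status"] = "accepted-documented"
            accepted.append(g)
            continue
        due = datetime.fromisoformat(g["first_seen"]) + SLA[g["severity"]]
        g["due"] = due.isoformat()
        g["overdue"] = now > due
        work.append(g)
    work.sort(key=lambda g: (-g["severity"], -len(g["hosts"]), g["first_seen"]))
    return work, accepted


if __name__ == "__main__":
    queue, accepted = triage(SAMPLE_FINDINGS, "2024-03-10")
    for g in queue:
        print(g["severity"], g["id"], len(g["hosts"]), "hosts, due", g["due"],
              "OVERDUE" if g["overdue"] else "")
    print("accepted:", [g["id"] for g in accepted])
```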
Ultimately, vulnerability management is an ongoing process. Steady pressure on the process is crucial to success. Encourage IT teams to be candid, and take actions that consistently improve your security and reduce your risks over time. If you make incremental improvements each month, you will see a significant enhancement in your company’s information security within a year.