We regularly watch some of the treasure hunting shows on either NatGeo or the Discovery Channel. Of course there is always some hope each week by the explorers and searchers that they find the one “big thing” that validates their dig or expedition. Sometimes there is something; many times just bits and pieces but not much. We sometimes feel cybersecurity is like this — meaning, will we ever find the one big thing that really helps (1) establish “reasonable” conduct, (2) improves our cybersecurity posture, and (3) help better insulate ourselves from the regulators and the plaintiffs’ bar? Maybe we have but don’t know it yet, but I would suggest that maybe it’s time to consider the vulnerability assessment as the gold standard.
What is a vulnerability assessment?
Simply put, it’s like a health check for your computer network; it analyzes risks and vulnerabilities in your network, hardware, applications, websites, clouds and other IT assets. They give the IT teams and executives and others (like the board) with information to both assess cyber risk, prioritize risk, and better manage each, either totally or partially. It allows management to make the decision whether or not to buy cybersecurity insurance to even better control for the identified risks. Similar to an EKG test for your heart, a vulnerability assessment gives actionable information for the IT teams and assessors to better protect your company or organization’s IT infrastructure. The assessments are pretty comprehensive. Sometimes they are done by scanning software. Sometimes by people assessors. Sometimes they are further examined through the work of penetration testers. Many times it’s a team effort to get a great amount of data from a vulnerability assessment.
What is a vulnerability?
Many things could be considered vulnerabilities. Some of them are bigger in nature (and potentially more problematic) and some of them are lesser in nature, meaning they won’t automatically kill you outright but could cause you grief. Here are some:
An unpatched problem or flaw in your operating system or one of the programs you run regularly (sometimes called a “CVE”);
A configuration error in a server, leaving accessibility to the Internet, maybe without a password or encryption;
A weak password, or hard-coded passwords on IoT devices that cannot be changed;
Lack of employee training; and
Excessive about of privileges or rights given to your employees, or the “wrong employees” which could allow unauthorized access or even theft of critical information.
Obviously a large network could generate quite a few vulnerabilities, and it would be nice, but difficult to “fix everything.” That is why the IT teams then rank the vulnerabilities from critical to high, to medium to low. Critical ones get fixed first or at least get the most attention to paid to them. What would be a critical vulnerability? Hard to tell, but certainly a new zero-day vulnerability found in the wild and reported by US CERT or others to the public might be considered “critical.” Unfortunately with software flaws more abundantly found today than in other periods, “Patch Tuesday” could easily turn into “Patch Wednesday, Thursday and Friday” as well. As we note, unless your network is relatively small, or flat, or even mostly in the cloud, it probably would be be hard to fix every vulnerability in week one. But the more vulnerabilities you can fix in the shortest amount of time, theoretically at least, you are much better off than another company might be who takes a month to patch a CVE.
Regular Assessments are “Reasonable” in Today’s Environment
It would be great if cybersecurity could play on a relatively static playing field but the nature of the business is dynamic. It is always changing. Each week more software flaws get found or are discovered, hopefully by good guys like white hats and trusted advisors. But that is often not the case. First, we don’t know exactly how many bad guys are out there, but it’s safe to say a lot, perhaps outnumbering the good guys.. And they change their tactics constantly looking for a hole in the outfield to hit a line drive. Next, companies regularly add new software, new appliances, new employees, and new applications to help make their organizations more efficient or process data more effectively. All these things create more potential vulnerabilities, not less.
Given these facts, you then can imagine the utility of an annual vulnerability assessment when things tend to change weekly, if not daily. What about semi-annual assessments? Better. We know that in a resource constrained environment that might be pushing things, but the comfort that regular assessments give should help management and the board get over the added expense. We know clients that do vulnerability assessments quarterly and applaud them and their tenacity. We bet there are bigger companies that do them even more often.
Cyber risk today has never been a bigger problem. Cyber risk needs attention; it needs board oversight; it needs actionable information. Vulnerability assessments definitely provide that actionable information to allow all constituencies in the corporate governance structure. And they are more than “reasonable” in today’s regulatory and litigation prone cyber environment.