The Other Whistleblower...Vulnerability Risk Management

If I mentioned the word “whistleblower” these days in a conversation (especially in the US), how many people out of, say, 1,000 would think of vulnerability risk management...even in the middle of the floor at RSA in February, or at any other infosec event?

I’m willing to bet none.

But a recent episode at Blue Cross/Blue Shield Minnesota might have us all rethinking our “whistleblower” word association. Tom Yardic, a cyber security engineer at the health insurer, was so concerned about the volume of unaddressed vulnerabilities on the company’s network, and about what he considered to be systemic neglect, that he notified the CEO and Board of Trustees as a “last ditch effort” to bring attention to the security situation (“Cybersecurity Engineer Turns Whistleblower: What We Know Right Now,” Bruce Sussman, Secureworld, December 17, 2019).

According to the piece, which references a story published in the Minneapolis Star Tribune, Yardic said there were approximately 200,000 “critical” or “severe” vulnerabilities on the network, most of which were identified years earlier with patches readily available.  

Given the value of medical records to cyber criminals (“Social Security numbers sell for $…, card info goes for up to $110...full medical records can command up to $1,000 because they're an identity thief's dream...”), the episode at Blue Cross Minnesota is particularly disconcerting.

But is it uncommon?

Certainly, companies don’t make a habit of advertising their vulnerability totals publicly, but few security professionals would be surprised to learn that a network servicing over 3,500 employees (Blue Cross Minnesota’s total) carries 200,000 scanner findings (scanners typically count the same flaw once per affected host), so it’s not a stretch to assert this example is more typical than anomalous. Further, reflexively indicting the cyber security team at Blue Cross Minnesota for negligence is something best left to the media and government, entities with little appreciation for the challenges security teams face today, and specifically for the virtual vulnerability tsunami that results from complex networks and countless software products and versions. (“More security vulnerabilities were publicly disclosed in the first quarter of 2019 than in any previous three-month period.”)

Blue Cross Minnesota’s circumstance is likely driven less by negligence and apathy than by exasperation. Identifying 200,000 critical vulnerabilities is the relatively easy part. Confidently identifying the subset of those 200,000 that are meaningfully critical is, as Shakespeare put it, a horse of a different color.

With a hat tip to Bill Clinton’s campaign strategist James Carville, it’s about prioritization, stupid. Even those with no medical training know why emergency room doctors see the guy with chest pains before the one with the broken finger. In that case, criticality is obvious. If there were 200,000 people in the emergency room lobby, however, the priorities would be somewhat less obvious.
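To make the emergency-room point concrete, here is an added example (not code from this article, and not anything Blue Cross Minnesota runs) of the difference between “critical” as a scanner labels it and “meaningfully critical” as a triage team needs it. It scores each finding by its CVSS base score multiplied by hypothetical context weights (public exploit, internet exposure, protected health information on the asset), shows that the two orderings disagree, and then collapses per-host findings into the much smaller list of distinct patches actually to be rolled out. The weights, host names and the identifiers `vuln-a` through `vuln-d` are all constructed placeholders, not real CVE IDs.

```python
"""Risk-based triage of vulnerability scan findings.

Added example, not code from the article or from Blue Cross Minnesota.
The weights and the sample findings are hypothetical; the identifiers
"vuln-a" .. "vuln-d" are placeholders, not real CVE IDs.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float            # scanner-reported base score, 0.0 - 10.0
    exploit_public: bool   # public exploit code or known in-the-wild exploitation
    internet_facing: bool  # asset reachable from outside the perimeter
    handles_phi: bool      # asset stores or processes protected health information
    patch_available: bool  # a vendor fix exists
    days_open: int         # how long the finding has been unaddressed


# Hypothetical multipliers. A real programme would derive these from its own
# threat model and asset inventory; the point is that context, not the base
# score alone, decides what is "meaningfully critical".
EXPLOIT_WEIGHT = 2.0
EXPOSURE_WEIGHT = 1.5
PHI_WEIGHT = 1.25


def risk_score(f: Finding) -> float:
    """CVSS is the baseline; each piece of context multiplies it."""
    score = f.cvss
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.handles_phi:
        score *= PHI_WEIGHT
    return score


def by_cvss(findings):
    """The scanner's view: severity order, ties broken deterministically."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.vuln_id))


def by_risk(findings):
    """The triage view: highest contextual risk first, oldest first on ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.days_open, f.host, f.vuln_id))


def patch_workload(findings):
    """Collapse per-host findings into distinct patches.

    Returns (patches, mitigate): `patches` maps each patchable vuln_id to the
    number of hosts it appears on, ordered by the highest risk score among
    those hosts; `mitigate` holds findings with no vendor fix, which need a
    compensating control rather than a place in the patch queue.
    """
    patchable = [f for f in findings if f.patch_available]
    mitigate = [f for f in findings if not f.patch_available]
    counts = Counter(f.vuln_id for f in patchable)
    worst = {}
    for f in patchable:
        worst[f.vuln_id] = max(worst.get(f.vuln_id, 0.0), risk_score(f))
    patches = {v: counts[v] for v in sorted(counts, key=lambda v: (-worst[v], v))}
    return patches, mitigate


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("dmz-web-01",   "vuln-a", 7.5, True,  True,  True,  True,  400),
    Finding("dmz-web-02",   "vuln-a", 7.5, True,  True,  True,  True,  400),
    Finding("lab-build-07", "vuln-b", 9.8, False, False, False, True,  30),
    Finding("ws-0345",      "vuln-b", 9.8, False, False, False, True,  30),
    Finding("hr-db-02",     "vuln-c", 8.1, True,  False, True,  True,  700),
    Finding("kiosk-12",     "vuln-d", 9.1, False, False, False, False, 90),
]


if __name__ == "__main__":
    print("By CVSS:", [(f.host, f.vuln_id, f.cvss) for f in by_cvss(SAMPLE)])
    print("By risk:", [(f.host, f.vuln_id, risk_score(f)) for f in by_risk(SAMPLE)])
    patches, mitigate = patch_workload(SAMPLE)
    print("Distinct patches to roll out:", patches)
    print("Needs mitigation (no fix):", [f.host for f in mitigate])
```

Run as-is, the CVSS ordering puts the two 9.8 findings on an isolated build box and a workstation first; the risk ordering puts the 7.5 finding with a public exploit on the internet-facing PHI web servers first and the 9.8s fourth and fifth. The six per-host findings reduce to three distinct patches plus one asset that needs a compensating control because no fix exists, which is the shape a 200,000-finding backlog usually takes once it is collapsed the same way.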

So before we rush to judgment in the case of the Blue Cross vulnerability scandal, we should all probably take a peek out of our own glass houses. Many CISOs are likely reading this story with interest...with empathy...and most importantly, with a “there but for the grace of God go I” sense of relief.
