Vulnerability Hype: “Panic Doesn’t Help”
January 26, 2020
In a 2018 interview, former US Navy SEAL Robert O’Neil was asked about the infamous SEAL training technique in which their hands are tied behind their backs, and their feet tied together. They then jump into a deep pool. He said the first thing that exercise teaches you is “panic doesn’t help.”
The vulnerability management community would do well to heed that advice.
This month, normally impeccable cyber security journalist Brian Krebs reported that the recent Windows 10 vulnerability was so critical that it prompted an “unprecedented” warning from the US National Security Agency. Must be a doozy, huh? Well...
A couple years back, the NSA issued a similar warning for the BlueKeep vulnerability.
And remember when Meltdown and Spectre were going to end the world as we know it?
It’s like a drinking game where you’re asked to keep naming Beatles songs until you run out of answers. The list is seemingly endless.
Taken individually, and under the right circumstances, each of these vulnerabilities can be dangerous, and undoubtedly could form the foundation of a successful cyber attack. And the good news for cyber security and IT teams is that all you have to do to immunize yourself against any of these apocalyptic threats is patch. The answer couldn’t be simpler.
Just patch all your 10,000 Windows 10 machines, or your 1,600 Linux machines, or your 2,000 Apache servers, or…
And get it done quickly because the NSA said this is a really bad one, or cyber security consultant/experts (who’ve never had to patch so much as a bicycle tire) are warning that this one could bring down power grids, or technology reporters (who were writing stories yesterday about the latest GoPro camera) are hyperventilating about how this vulnerability will surely threaten the lives of young children and the elderly.
Sarcasm aside, patching is not the panacea many of the cliche-afflicted experts make it out to be. It’s time consuming for cyber security teams, requires well-trained, scarce resources, and most importantly, it breaks things. It sounds great on paper or on an expert roundtable at a cyber security conference, but patching is only part of the solution to the epidemic in vulnerability management.
Even if it were feasible to patch everything from a resource perspective (it’s not), it wouldn’t make sense. The risk of patching business-critical machines and potentially interrupting service is often much higher than the risk of compromise by a cyber attack. The challenge, of course, is understanding that risk tradeoff for not just one, but thousands of enterprise assets.
Such risk analysis must be:
1) comprehensive, accounting for internal and external factors,
2) meaningful, so the factors being taken into consideration actually impact risk and
One factor or vulnerability metric that should be ignored in such risk analyses? The number of vulnerability management press articles written about the vulnerability in question.
Ultimately, the objective is to limit patching activities to only the most vulnerable and critical assets, those in which the risk and cost of patching is exceeded by the actual cyber security risk to that asset.
So the next time some self-styled cyber security genius has their hair on fire about the importance of the P-word in vulnerability management, remember, they’re right...but that P-word is Prioritization.