Three questions every CISO should ask himself about vulnerabilities

By Mohammad Mobasseri, CEO at emt Distribution


CISOs around the world, across industries, are operating in an increasingly complex environment; the external threat landscape is becoming more aggressive and fast-paced, and companies’ attack surfaces are expanding rapidly, due to new ways of working. The work is being monitored, audited, and reported on, and the CISO is expected to be responsive, deal with the threats, and ensure that the risk is managed, often under a budget constraint.

The CISO knows that he is responsible for protecting the digital assets and is aware of the negative impact that a potential breach can have on image, brand, and revenue. This description will resonate with most CISOs, and it creates an immediate need to equip the organization with the resources to navigate this environment. As the threats evolve, so does the range of solutions that can be invested in to secure the digital assets.

And most security measures make sense. However, what most organizations overlook is how to get control of the root cause, namely the vulnerabilities. In a recent study, Gartner works with the assumption that through 2015, 80% of successful attacks will exploit well-known vulnerabilities and will be detectable via security monitoring. Based on this claim, the CISO and the security team can get a head start on their IT security efforts and ‘beat the cybercriminal’ by having access to, and working with, reliable and targeted vulnerability intelligence.

Therefore, the call out to the CISOs is: empower your organization and enable it to monitor and implement a targeted and efficient security approach that is driven by reliable intelligence. Ensuring that software vulnerabilities, and in particular the critical ones, are being handled should be at the top of the CISO agenda. With that in mind, read on to find out the three questions you should be asking yourself and your organization.

1. Am I enabling my security team to provide the most effective security?
Spotting vulnerabilities, determining their criticality and knowing what to do about them is not a one-hour task at the start of the work day – it is a discipline that requires the dedicated attention of specialists and a reliable source of intelligence to ensure that:

  • It is in fact a vulnerability
  • The criticality is defined to enable prioritization
  • The intelligence is customized to your organization to ensure efficiency

2. How are we dealing with the critical vulnerabilities?
Secunia research shows that nearly 20% of vulnerabilities are ‘highly’ or ‘extremely’ critical, and that 77% of vulnerabilities are exploitable ‘from remote’ (meaning that the attacker is not required to have access to the system or a local network in order to exploit the vulnerability).

‘From remote’ covers services that are reachable from the Internet (including client applications used on the Internet). This means that you can save a lot of resources if you focus on the right vulnerabilities – the trick is to know which ones are critical, and when and how to deal with them.

3. How are we dealing with zero-day vulnerabilities, and have we been exploited?
Zero-day vulnerabilities belong to a special group of vulnerabilities for which a patch is not available. This means that even with a vulnerability assessment solution in place they will not be identified – and this is where vulnerability intelligence (VI) is essential. Your organization needs to apply a workaround, for example disabling access to the affected program, and so on.
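The triage rule described in questions 2 and 3, as an added example that is not part of the original article or of any Secunia product: rank advisories by criticality and remote exploitability, and route the critical ones that have no patch into a workaround queue instead of the patch queue. The feed format, the advisory IDs and the ordering of the lower criticality labels are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed ordering of Secunia-style criticality labels. The article names only
# "highly" and "extremely" critical; the lower three labels are an assumption.
CRITICALITY_RANK = {
    "not critical": 0,
    "less critical": 1,
    "moderately critical": 2,
    "highly critical": 3,
    "extremely critical": 4,
}


@dataclass(frozen=True)
class Advisory:
    """One entry of a vulnerability intelligence feed (constructed format)."""
    advisory_id: str
    product: str
    criticality: str
    attack_vector: str       # "remote", "local network" or "local system"
    patch_available: bool    # False marks a zero-day in the article's sense


def priority(adv: Advisory) -> int:
    """Higher is more urgent: criticality first, remote reachability as tie-breaker."""
    score = CRITICALITY_RANK[adv.criticality] * 10
    if adv.attack_vector == "remote":
        score += 5
    return score


def triage(feed):
    """Split a feed into three queues, each sorted most-urgent first.

    patch_now:  critical and a patch exists -> schedule the patch
    workaround: critical but no patch (zero-day) -> apply a workaround
    backlog:    everything below 'highly critical'
    """
    threshold = CRITICALITY_RANK["highly critical"]
    critical = [a for a in feed if CRITICALITY_RANK[a.criticality] >= threshold]
    by_urgency = lambda items: sorted(items, key=priority, reverse=True)
    patch_now = by_urgency(a for a in critical if a.patch_available)
    workaround = by_urgency(a for a in critical if not a.patch_available)
    backlog = by_urgency(a for a in feed if a not in critical)
    return patch_now, workaround, backlog


# Constructed sample feed; IDs and products are placeholders, not real advisories.
SAMPLE_FEED = [
    Advisory("SA-0001", "web server", "extremely critical", "remote", True),
    Advisory("SA-0002", "PDF reader", "highly critical", "remote", False),
    Advisory("SA-0003", "office suite", "highly critical", "local system", True),
    Advisory("SA-0004", "media player", "moderately critical", "remote", True),
    Advisory("SA-0005", "print spooler", "less critical", "local network", True),
]
```

Running `triage(SAMPLE_FEED)` puts SA-0001 and SA-0003 in the patch queue, isolates the unpatched SA-0002 as the one needing a workaround, and leaves the rest in the backlog.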

In order to address all the questions above, you need to have a vulnerability intelligence solution in place. Whatever industry sector you operate in – whether Financial Services, Government/Private Sector, Energy & Utilities, Education, or Healthcare – your organization must comply with privacy and data protection laws, regulations, and policies designed to protect confidential information.

Dealing with software vulnerabilities, and in particular the critical ones, is essential for your organization’s IT security and its ability to meet compliance requirements. Vulnerability intelligence solutions, such as those from Secunia, give you and your organization the power to set the remediation priorities – in due time.