Not All Security Risks Are Created Equally

Prioritize security risks to separate the wheat from the chaff of security risk alerts.

December 27, 2021

By Lori Cornmesser

Information security risk is defined as a gap that could potentially be exploited, leading to financial or reputation loss. Companies may use several security testing products in addition to risk-assessment services to detect their security gaps. However, as systems become more complex and attacks become more sophisticated, risks become more prevalent, and the sheer number of security gaps exceeds many organizations’ remediation capabilities. For example, if your team identifies 1,000 security gaps but can reasonably address only 100, where should it start? How should remediation proceed?

If you spread your resources across all potential risks, you won’t be able to address any issue adequately, leaving your organization more vulnerable to an attack. Risk prioritization is the best way to combat these problems. It helps companies whittle down a massive pile of risks to a manageable list that a security team can realistically address while keeping the organization secure. The prioritization component is critical: you don’t want to dedicate resources to security gaps that aren’t likely to pose severe threats to the business. Here are three time-tested tips for developing a risk-based decision-making strategy to prioritize security gaps.

Think Like a Cybercriminal

When you consider some of the high-profile security breaches from earlier this year, there are helpful clues for learning how to prioritize security risk. For example, recall the Colonial Pipeline cyberattack, which shut down a top U.S. pipeline for several days and resulted in a ransom payment of roughly $4.4 million. Investigators found that the attackers got in through a legacy VPN account that was no longer in use but could still be used to access Colonial’s network, and that the account was not protected by multifactor authentication. So, how does that tie into prioritization? It’s a reminder that attackers are always looking for the lowest-hanging fruit, the path of least resistance into a victim’s network. Learn to think like an attacker and ask yourself, “What’s the path of least resistance to our IT ecosystem?” Besides the mistake Colonial made in not revoking the VPN credentials after a remote worker left the company, there are other common themes seen in major security breaches, such as:

  • Unpatched systems

  • Easy-to-guess passwords

  • Failing to use multifactor authentication (MFA)

  • Giving employees unnecessary access to sensitive areas of the network (e.g., admin access) rather than only what they need to perform their jobs (i.e., least privilege access)

Put Vulnerabilities in Context

Understanding the business context surrounding a risk can help your team anticipate potential attack paths, including those involving subsidiaries, suppliers and other connected third parties. Evaluating risks through the lens of business importance and attractiveness to attackers is one of the most vital yet neglected elements in security. It lets organizations know whether there’s a legitimate threat to a material business process.

Determining the business purpose and public exposure of an asset entails many factors. Typically, companies waste precious hours manually evaluating several data sources, which slows prioritization given the size of the attack surface. Plus, it gives cyberattackers more time to find and exploit additional security gaps.

Sophisticated attackers build robust infrastructure and automation to find blind spots. To effectively defend against them, security teams also should leverage automation as much as possible. Look for context data in places an attacker could easily find, such as:

  • Device-related data such as IP addresses, subdomains, DNS records and company and product logos and names. This helps teams understand which organization or department owns the asset.

  • Public information such as company news stories, websites, regulatory documents and industry databases. These will provide clues about business connections, subsidiaries, partner companies — even which assets are exposed.

  • Third-party services. Vendor-provided or open-source intelligence solutions can include data feeds and sources of information for context. However, be aware that many third-party services are expensive and unable to deliver results in a timely manner.

  • Technical links. Relationships between machines, such as hyperlinks, gateways, shared third-party code and resources, and other technical dependencies, can also reveal business importance and attractiveness to attackers.

Finally, don’t ignore scalability. Efforts at classifying business context for prioritizing risks must scale to rapidly address all of the assets associated with an attack surface, which could be hundreds of thousands for some organizations.

Assign Scores to Risks

Scoring systems can be an effective way to analyze, sort and rank risks. For example, a low score of “0” could be assigned to a certificate about to expire on a rarely used Apache server. On the other hand, a high score of “10” could stem from sensitive business documents stored on an unpatched file server where exploitation complexity is low and asset discoverability is high. The priority score rationalizes marching orders for remediation, starting with the highest-priority risks first. When prioritization works well, high-risk attack vectors can be clearly communicated between security teams and executive management. When it doesn’t work, even the vulnerability management team can’t explain why one risk is more severe and urgent than another, and conversations stay purely technical rather than business-risk oriented.

Five criteria can help with risk scoring:

  • Potential impact: what an exploited asset would cost, both technically and to the business.

  • Business context: which assets are of greater interest to attackers.

  • Exploitation complexity: which gaps are easiest to exploit and therefore sit on an attacker’s path of least resistance.

  • Discoverability: how easy it is to identify a vulnerable asset and how likely a sophisticated attacker is to figure out that it belongs to your organization.

  • Remediation effort: the estimated level of effort required to fix the risk.

Weighting these criteria in a scoring system will help accelerate the prioritization of risks to your enterprise.
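To make the scoring concrete, here is an added example (not code from the article or from CyCognito) that rates risks on the five criteria above, computes a weighted 0–10 priority score, and orders remediation. The weights, the 0–10 rating scale, and the sample risks are all constructed for illustration; the two extremes mirror the expiring-certificate and unpatched-file-server cases discussed earlier. Remediation effort is deliberately kept out of the score itself and used only as a tie-breaker, so a cheap fix never outranks a dangerous one, but among equally dangerous risks the cheaper fix goes first.

```python
"""Weighted risk scoring over five criteria (added example, not CyCognito code)."""
from dataclasses import dataclass, fields

# Assumed weights: impact and business context carry the most weight,
# discoverability the least. They must sum to 1.0 so scores stay on a 0-10 scale.
WEIGHTS = {
    "impact": 0.35,
    "business_context": 0.25,
    "exploit_ease": 0.25,
    "discoverability": 0.15,
}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1"


def validate_scale(value: int, name: str) -> int:
    """Every criterion is rated on an integer 0-10 scale (an assumption)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 10:
        raise ValueError(f"{name} must be an integer 0-10, got {value!r}")
    return value


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int              # technical + business damage if exploited
    business_context: int    # how attractive the asset is to attackers
    exploit_ease: int        # 10 = trivial; the inverse of exploitation complexity
    discoverability: int     # 10 = easily found and attributed to your organization
    remediation_effort: int  # 10 = very costly to fix; tie-breaker only

    def __post_init__(self):
        for f in fields(self):
            if f.type is int:
                validate_scale(getattr(self, f.name), f.name)


def contributions(r: Risk) -> dict:
    """Per-criterion weighted contribution, so a ranking can be explained to management."""
    return {k: round(getattr(r, k) * w, 2) for k, w in WEIGHTS.items()}


def score(r: Risk) -> float:
    """Weighted sum on a 0-10 scale; remediation effort is excluded on purpose."""
    return round(sum(getattr(r, k) * w for k, w in WEIGHTS.items()), 2)


def prioritize(risks) -> list:
    """Highest score first; among equal scores, the cheaper fix first."""
    return sorted(risks, key=lambda r: (-score(r), r.remediation_effort))


def rank(risks) -> list:
    """Marching orders as (name, score) tuples, highest priority first."""
    return [(r.name, score(r)) for r in prioritize(risks)]


# Constructed sample risks (not real findings).
SAMPLE_RISKS = [
    Risk("TLS certificate expiring on rarely used Apache host", 1, 1, 2, 4, 1),
    Risk("Sensitive documents on unpatched, internet-exposed file server", 9, 9, 9, 9, 6),
    Risk("Unpatched CMS on marketing microsite", 4, 5, 8, 9, 2),
    Risk("Default credentials on partner-facing FTP host", 4, 5, 8, 9, 7),
]

if __name__ == "__main__":
    for name, s in rank(SAMPLE_RISKS):
        print(f"{s:4.1f}  {name}")
```

Running it ranks the exposed file server first (9.0), then the two 6.0 risks with the cheaper fix ahead, and the expiring certificate last (1.7). The `contributions` breakdown is what lets the team answer “why is this one above that one?” in business terms rather than purely technical ones.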

The importance of prioritizing risks discovered across the enterprise attack surface can’t be emphasized enough. Most organizations are swamped by thousands, even tens of thousands, of so-called urgent risks. No one has the resources to remediate everything immediately, so a rational, programmatic and automated approach to prioritizing risks is needed to help isolate those that genuinely require urgent attention.

Lori Cornmesser is vice president of worldwide channel sales for CyCognito, a company focused on solving a fundamental business problem in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. You may follow her on LinkedIn or @CyCognito on Twitter.
