
Why you don’t have to fix every vulnerability


mona


Not every vulnerability results in high risk; here are a few scenarios in which immediate changes are not necessarily needed.

 
Let that vulnerability sit for a bit

The word “vulnerability” typically comes with a “must fix now” response. However, not all vulnerabilities should be treated equally because not all of them pose a risk. It all depends on what the data represents. In fact, some vulnerabilities are OK to deprioritize, depending on associated threats and the value of the asset at risk.

For example, a lock on a 20th floor window of a building is not as important as one on the ground level, unless the contents of the room are so valuable that a thief would take the effort to access such an unreachable place.

Scans reveal thousands of vulnerabilities across all assets – networks, applications, systems and devices – but they do not show which ones could lead to a damaging compromise if not fixed immediately. It is not about ignoring vulnerabilities; it is about prioritizing how you apply your resources to remediate them.

Bay Dynamics provides some examples of vulnerabilities that are OK to put on the back burner.


Vulnerability: Weak firewall

Why?: The network is air-gapped so there is no threat from the outside. When secured networks are isolated from unsecured networks, outside criminals cannot exploit vulnerabilities on unsecured networks to get inside the secured ones.

However… don’t get a false sense of security because your system is air-gapped. It means that it is inaccessible from the perimeter, but it can still be vulnerable in other ways, such as through USB ports (as was demonstrated by Stuxnet).

 

Vulnerability: No endpoint data loss prevention protection

Why?: The PC has no CD or communication (USB) ports so it does not need endpoint data exfiltration protection. Without a CD or communication port, individuals inside an organization cannot directly move sensitive corporate information to an exterior device.

However… keep in mind that there are other channels of data exfiltration that can still be exploited, such as Bluetooth file transfer, which are often not blocked.

 

Vulnerability: Lack of data encryption

Why?: The application only contains public marketing materials and does not require protection. Information that has already been made public, if compromised, would not cause severe damage to the organization. The value at risk is low so it doesn’t need to be encrypted.

However… you had better be sure that only public information is available, and not any proprietary content, such as descriptions of future product capabilities. Again, how high the priority should be depends on what kind of data is available.

 

Vulnerability: A third-party vendor user is accidentally given access to a database that solely contains public marketing materials

Why?: While the user should not have been given access since he doesn’t need the database to do his job, the database does not contain highly valuable information so therefore it’s not a high-priority vulnerability.

However… even though it is a low priority, since third parties present a higher risk, their access should be reviewed regularly and removed where not required.

 

Vulnerability: A Bluetooth flaw allows anyone to access information on a smartphone

Why?: The smartphone is a “burner” phone that contains no important information. It is designed to be thrown away after one use anyway.

However… keep in mind that whatever you do on that phone can be potentially exposed, such as contact phone numbers, contact text messages, two-factor authentication text messages, emails, etc.


Vulnerability: Most corporate networks are not encrypted

Why?: The physical access to network equipment is controlled so the network doesn’t need to be encrypted. This is as opposed to Wi-Fi, where all communication is typically encrypted because it is easy for anybody in range to access the signal.

However… remember to tightly manage access to the network by third-party vendors and unapproved devices, since internal access could provide a gateway to sensitive data access by unauthorized users.

 

Vulnerability: A lack of tight data access controls on a development platform

Why?: Being a development system, all data is masked or generated and therefore is of limited value. This is an example of a low priority vulnerability although it should not be completely ignored because the vulnerability can be exploited to gather intelligence about how best to compromise the production of the product.

However… even though the data is not sensitive per se, access should be limited to relevant users, as access to development environments can provide intelligence that will help bad guys access the production environment where real data is stored.


Don’t get overwhelmed

Conclusion: Almost all companies have limited resources to remediate threats and vulnerabilities. To avoid getting overwhelmed and buried by the thousands of vulnerabilities uncovered, organizations must prioritize the ones that actually pose a risk. That means starting with vulnerabilities with an associated threat, and then prioritizing by impact based on information and system value.

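The conclusion above describes a two-step triage: first ask whether a weakness has an associated threat (a realistic path to it), then rank what remains by the value of the information or system at risk. The following is an added example, not part of the article, the Bay Dynamics material or any reply in this thread, that puts that procedure into code. The scoring scale, the "halve exposure per compensating control" rule and the sample findings are all constructed assumptions modelled on the scenarios in the post; they are not figures from the page.

```python
"""Constructed example of the article's prioritization logic.

Step 1: a weakness with no realistic path to it (no associated threat)
drops to the back burner regardless of its nominal severity.
Step 2: among reachable weaknesses, rank by value at risk, discounted
by compensating controls.  Back-burner items are never dropped; they keep
their "However..." caveat so the assumption that parked them is re-checked.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    asset_value: int          # assumption: 1 = public/disposable data, 5 = crown jewels
    reachable: bool           # is there a realistic path from a threat actor to it?
    controls: tuple = ()      # compensating controls (assumption: each halves exposure)
    caveat: str = ""          # the condition that must hold for the low priority to be valid


def exposure(f: Finding) -> float:
    """Likelihood factor: 0 when unreachable, otherwise 1.0 halved per control."""
    if not f.reachable:
        return 0.0
    return 1.0 / (2 ** len(f.controls))


def risk_score(f: Finding) -> float:
    """Risk = value at risk x exposure, on a 0..5 scale (constructed scale)."""
    return f.asset_value * exposure(f)


def tier(f: Finding) -> str:
    """Bucket a score into a remediation tier (thresholds are assumptions)."""
    score = risk_score(f)
    if score >= 3:
        return "fix now"
    if score > 1:
        return "schedule"
    return "back burner"


def prioritize(findings):
    """Return (tier, score, finding) tuples, highest risk first, stable on ties."""
    return sorted(((tier(f), risk_score(f), f) for f in findings),
                  key=lambda t: -t[1])


def back_burner_review(findings):
    """List parked findings with the caveat that must be re-verified periodically."""
    return [(f.name, f.caveat) for f in findings if tier(f) == "back burner"]


# Constructed sample set modelled on the post's scenarios plus one clearly urgent item.
SAMPLE = [
    Finding("Weak firewall on air-gapped network", 4, reachable=False,
            caveat="USB ports and removable media still uncontrolled?"),
    Finding("No encryption on public marketing app", 1, reachable=True,
            caveat="confirm no proprietary roadmap content is present"),
    Finding("Vendor account on marketing-only DB", 1, reachable=True,
            controls=("periodic third-party access review",),
            caveat="review and remove access when not required"),
    Finding("Loose data access on dev platform (masked data)", 2, reachable=True,
            caveat="dev layout reveals how production is built"),
    Finding("Unencrypted corporate LAN", 4, reachable=True,
            controls=("physical access control",),
            caveat="third-party vendors and unapproved devices on the LAN"),
    Finding("Unpatched RCE on internet-facing customer DB", 5, reachable=True),
]

if __name__ == "__main__":
    for t, score, f in prioritize(SAMPLE):
        print(f"{score:4.1f}  {t:<12} {f.name}")
    print("\nRe-check before leaving on the back burner:")
    for name, caveat in back_burner_review(SAMPLE):
        print(f"  {name}: {caveat or 'no caveat recorded'}")
```

Running it sorts the internet-facing RCE to the top and the air-gapped firewall to the bottom, with the dev platform and the unencrypted LAN in between; the second listing is the point the post keeps returning to in its "However…" lines: a parked finding is a decision with an assumption attached, and the assumption is what needs periodic review.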

Good article but it doesn't go far enough.  Those of you who may have a few years on them, like me, and have been around computers for 49 years, know that software and operating systems didn't have monthly updates, sometimes not even yearly updates, and this continued on into the late 90s.  Viruses and hacks started becoming prevalent in the late 80s and early 90s.  What we view as system vulnerability today we viewed as user vulnerability because the system is only vulnerable if the user puts it in a position to be vulnerable.  As many of you may know from previous posts, I haven't installed an update in over a year, I run no AV software, no internet security software, or other type of security software other than a firewall and I don't update my drivers past what is offered by my motherboard manufacturer.  I go to any website I want, download and install any software I want, and do just about anything anyone else on the internet does.  I do run monthly scans with malwarebytes just to see if I have picked up anything.  Those scans, including the one I ran yesterday, found absolutely nothing on my system.  I have had no BSOD or any computer or software crash or any other type of abnormal behavior.  The mindset years ago was you only install any update, including version updates, if you were experiencing a problem with the OS or the software.  Like others I was on the 'have to get the updates' wagon until last June when Microsoft decided they wanted to control my computer, and then I called it quits.  I don't regret it.  I have had none of the problems others have had with bad updates, either for software or the operating system.  All the updates in the world will not protect a system from the user but a smart user can protect their system from the updates, which can be worse than the vulnerability they are trying to protect against.



Quote

All the updates in the world will not protect a system from the user but a smart user can protect their system from the updates, which can be worse than the vulnerability they are trying to protect against.

:thumbsup: :yes:
