It’s enough to set your spine tingling. Just a quick look at the long list of security flaws included in NIST’s common vulnerabilities and exposures (CVEs) database will show you how many ways there are for bad actors to creep into your IT environment. There are backdoors into widely-used application servers, code bugs that make it possible to spy on people through network-connected “smart” cameras, and home WiFi router weaknesses that make virtual private networks (VPNs) not so private.
Want to keep these scary cybercriminal monsters at bay? Just apply the appropriate patch for each of these vulnerabilities as soon as it’s released, and you’ll have nothing to fear. Right?
The problem with this approach is that the volume of newly-discovered software vulnerabilities is so great that trying to keep up can quickly become overwhelming. According to a recent Ponemon Institute survey, as many as 77% of IT security and operations professionals simply don’t have enough time to install all the patches that they should install. It’s disruptive to the business to take critical systems and applications offline in order to update software.
What’s more, not all of the vulnerabilities that are mentioned in the media, included in the CVE list or incorporated into a threat intelligence feed are actually relevant to every business. Only a small fraction (5.3%) of the vulnerabilities discovered by security researchers are actually exploited by real-world cybercriminals, though those that are tend to get used over and over again. Most — but not all — of these have high Common Vulnerability Scoring System (CVSS) scores. This means that there isn’t a perfect match between the metrics that security experts use to convey the fact that they think a vulnerability is serious and what actually poses a serious real-world risk.
Amidst all of this, how can you know which vulnerabilities matter most? Which ones could have the biggest impact on your business?
BTB to the Rescue
To give our clients — and defenders everywhere — a heads-up about what’s most important, we started a vulnerability alerts Twitter feed. Called btb_alerts, it was created on the basis of a joint effort by BTB’s security operations, advisory and RIOT LABS threat intel teams. Together, they’ve developed an internal scoring matrix that enables them to determine how they should react to the news that a new vulnerability has been discovered.
Naturally, our RADAR clients receive professional, hands-on remediation support whenever it’s warranted. But we make basic information about newly-discovered vulnerabilities available to the public, free of charge, for the greater good. We explain what the vulnerability is in simple terms that non-technical people can easily understand. We offer recommendations and explain why we’re doing what we’re doing to counter the threat.
Which Vulnerabilities Matter Most?
When we curate our list of alerts, we focus on things that will actually have an impact. We decide what to include on the basis of multiple factors:
- What’s involved in the exploit? (Is it information disclosure, privilege escalation or an attempt to spoof a victim’s identity?)
- How easy is it to exploit this vulnerability? (Attackers always prefer to do the least possible amount of work, for the biggest reward.)
- Does the attacker require physical access to your premises? Login access to an end user’s account? System administrator access?
- Is there victim involvement? (Would someone in your organization need to click on a link in a phishing email, for example?) How many steps would this take?
- How easy is it to mitigate this vulnerability? Is a patch readily available?
- Is this a zero-day (a vulnerability that was previously unknown for which no patch is yet available)?
- What software or hardware products are involved? How widely used are they? (A vulnerability in software that you don’t have won’t affect your organization.)
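As an added illustration (not BTB’s own matrix, which the post does not publish), the Python below scores vulnerabilities on the factors listed above using assumed weights, and shows how a known-exploited, lower-CVSS flaw in a product you actually run outranks a high-CVSS flaw in software you don’t have. The CVE identifiers and sample entries are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed, illustrative weights; they are not BTB's internal scoring matrix.
IMPACT_WEIGHT = {"info_disclosure": 5, "spoofing": 8, "priv_esc": 12, "rce": 15}
# Less access required for the attacker means easier exploitation, so higher weight.
ACCESS_WEIGHT = {"physical": 0, "admin": 2, "user": 6, "network": 10}


@dataclass
class Vuln:
    cve_id: str              # placeholder identifiers in the sample data below
    cvss: float              # CVSS base score, 0-10
    exploited_in_wild: bool  # real-world exploitation observed?
    impact: str              # key of IMPACT_WEIGHT
    access: str              # key of ACCESS_WEIGHT
    user_interaction: bool   # does a victim have to click something?
    patch_available: bool    # False means a zero-day with no fix yet
    deployed: bool           # do we actually run the affected product?


def triage_score(v: Vuln) -> float:
    """Higher score means act sooner. Returns 0 for products we do not run."""
    if not v.deployed:
        return 0.0  # a flaw in software you don't have can't affect you
    score = v.cvss * 2  # severity as assessed by researchers, 0-20
    if v.exploited_in_wild:
        score += 25  # actual exploitation outweighs a high CVSS alone
    score += IMPACT_WEIGHT[v.impact] + ACCESS_WEIGHT[v.access]
    if v.user_interaction:
        score -= 5  # an extra step (phishing click) lowers likelihood
    if not v.patch_available:
        score += 10  # zero-day: compensating controls needed, not just a patch
    return max(score, 0.0)


def prioritise(vulns):
    return sorted(vulns, key=triage_score, reverse=True)


# Constructed sample feed (placeholder IDs, not real CVEs).
SAMPLE = [
    Vuln("EXAMPLE-A", 9.8, False, "rce", "network", False, True, deployed=False),
    Vuln("EXAMPLE-B", 7.2, True, "priv_esc", "user", False, True, deployed=True),
    Vuln("EXAMPLE-C", 9.1, False, "rce", "network", True, True, deployed=True),
    Vuln("EXAMPLE-D", 6.5, True, "info_disclosure", "network", False, False, deployed=True),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.cve_id}: {triage_score(v):.1f}")
```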
We do this because when it comes to cybersecurity, more information is not always better. What’s more valuable is relevant information – news that’s germane to our clients and the real-world risks they face every day. Our cross-functional team leverages decades of experience to help you understand what to watch out for.