Cybersecurity risk management is complicated. Threats, both known and unknown, are omnipresent. We are compelled to evaluate the likelihood of a threat exploiting a vulnerability in our organization and the possible impact the threat may have on our operations. When vulnerabilities are disclosed, leaders must act to lower their risk and ensure any residual risk is accepted at the appropriate level. In many cases, we may see the proverbial bullet coming and should not wait until it strikes us. Leaders may help address this risk by leveraging threat intelligence, enforcing patch management, and managing third-party risk.
Known vulnerabilities may create unacceptable or even existential risk to organizations if they are not addressed. In the past 12 months alone, significant vulnerabilities were publicly reported that allow attackers to cause devastating effects. For example, security researchers revealed earlier this month that hardware vulnerabilities known as Spectre and Meltdown could allow an attacker to read sensitive data from systems running affected microprocessor chips. In September, Equifax disclosed that attackers exploited a known vulnerability to expose sensitive personal data on 143 million U.S. consumers. Last May, the WannaCry ransomware targeted unpatched computers running the Microsoft Windows operating system around the world. As attacks that exploit known vulnerabilities grow in scale and frequency, institutions should develop an effective program to identify threats and address vulnerabilities efficiently and effectively.
Acquiring information about potential cyber threats early enhances decision-making and allows an organization to respond to evolving threats and vulnerabilities. Numerous commercial and government sources exist to inform organizations of emerging and known cyber threats. Threat intelligence sources may integrate with security appliances to continuously monitor and protect your network and computers from known threats. In addition, your security teams may receive ad hoc intelligence through feeds from industry sources and participate in information sharing groups.
Leaders should consider issuing policies that outline their expectations for the continual and ad hoc monitoring of threat intelligence sources. Where appropriate, funding may be required to leverage commercial intelligence sources. Understanding threats will help your team close gaps through patch management.
Effective patch management allows organizations to resist known attacks. While not easy, patch management is essential to mitigate software vulnerabilities and reduce the opportunities an attacker has to exploit a flaw. A patch management program should prioritize vulnerabilities based on the criticality of the affected asset to the organization, and then remediate them within an acceptable timeline. For example, the current Payment Card Industry (PCI) Data Security Standard (DSS) requires organizations to prioritize patches for critical infrastructure and then install critical security patches within one month of release.
Leaders should consider issuing policies to require the use of tools to identify vulnerabilities in their technology and then ensure all systems and components are updated in a timely, prioritized manner. In addition, business agreements should address how third parties manage their vulnerabilities.
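The prioritization and timeline discipline described above can be made concrete in a small tracker. This is an added example, not code from the article or from SWBC; the SLA table values are assumed policy numbers (the 30-day ceiling for critical patches mirrors the PCI DSS requirement cited), and the asset inventory is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Days allowed to remediate, keyed by asset criticality, then patch severity.
# Assumed policy values; the 30-day ceiling for critical patches mirrors the
# PCI DSS "within one month of release" requirement cited in the article.
SLA_DAYS = {
    "high":   {"critical": 14, "high": 30, "medium": 60, "low": 90},
    "medium": {"critical": 30, "high": 60, "medium": 90, "low": 180},
    "low":    {"critical": 30, "high": 90, "medium": 180, "low": 365},
}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Finding:
    asset: str        # hostname or system name
    criticality: str  # business criticality of the asset: high/medium/low
    severity: str     # vendor- or CVSS-derived severity of the missing patch
    released: date    # date the vendor published the fix
    patched: bool = False

def due_date(f: Finding) -> date:
    """Deadline derived from asset criticality and patch severity."""
    return f.released + timedelta(days=SLA_DAYS[f.criticality][f.severity])

def days_remaining(f: Finding, today: date) -> int:
    return (due_date(f) - today).days  # negative once the deadline has passed

def prioritize(findings, today: date):
    """Open findings ordered by urgency: most overdue first, then by asset tier."""
    open_items = [f for f in findings if not f.patched]
    return sorted(open_items,
                  key=lambda f: (days_remaining(f, today), TIER_ORDER[f.criticality]))

def sla_metrics(findings, today: date) -> dict:
    """Actionable numbers for leadership: open, overdue, and share still within SLA."""
    open_items = [f for f in findings if not f.patched]
    overdue = sum(1 for f in open_items if days_remaining(f, today) < 0)
    pct = 100.0 if not open_items else round(100 * (1 - overdue / len(open_items)), 1)
    return {"open": len(open_items), "overdue": overdue, "within_sla_pct": pct}

# Constructed sample inventory; asset names and dates are made up for illustration.
SAMPLE = [
    Finding("card-db-01", "high", "critical", date(2018, 1, 3)),
    Finding("web-portal", "high", "high", date(2017, 12, 1)),
    Finding("hr-app", "medium", "critical", date(2018, 1, 10)),
    Finding("kiosk-07", "low", "medium", date(2017, 9, 1)),
    Finding("build-srv", "medium", "high", date(2017, 11, 20), patched=True),
]
```

Running `prioritize(SAMPLE, today)` and `sla_metrics(SAMPLE, today)` with a fixed reporting date gives the ordered remediation queue and the overdue ratio a leader can track over time.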
Third-Party and Supply Chain Management
Managing risk associated with third parties is essential for business resiliency. Your institution should evaluate risk during initial due diligence and before a system, software, or application is integrated within the organization to limit the potential for harm. When evaluating third-party service providers, agreements should ensure vulnerabilities are identified and addressed throughout the life of the business relationship. If managed service providers are used, organizations should define and enforce specific timelines and priorities in agreements to remediate vulnerabilities. In addition, leaders must ensure vulnerability management is addressed as part of the shared responsibility between the organization and a cloud service provider through well-defined roles and clear responsibilities.
To lower enterprise risk, it is necessary to consider vulnerability management across multiple life cycles, including acquisition, asset management, and software and systems development. Where appropriate, policies should require leaders to account for vulnerability management across the organization and to carefully consider the risk of exploitation and its potential impact.
A clear threat and vulnerability management strategy must be an essential element of your risk management program. Leadership involvement, timely intelligence, explicit policies and standards, clear agreements with service providers, thoughtful investments in people, processes, and tools, and actionable metrics will help a leader manage this risk. Because known vulnerabilities have the potential to create strategic risk to the organization, threat and vulnerability management requires involvement at all levels of the organization. In all cases, risks must be known and accepted at the appropriate level. When a leader was able to see the bullet coming, the actions he or she took to address known risks may be subject to scrutiny after a data breach.
FS-ISAC: The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a member-owned, non-profit entity for cyber and physical threat intelligence analysis and sharing. See: https://www.fsisac.com/
FFIEC IT Booklets: The FFIEC provides actionable guidance on information technology management, operations, security, and other topics. See: https://ithandbook.ffiec.gov/it-booklets.aspx
NIST Special Publication 800-150: Guide to Cyber Threat Sharing. See: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf
NIST Special Publication 800-40: Guide to Enterprise Patch Management Technologies. See: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf
Jeffrey Julig is Vice President and Chief Information Security Officer (CISO) for SWBC. In this role, he leads a team of security professionals to protect SWBC’s diverse lines of business from internal and external cyber threats. Jeffrey is passionate about information security and privacy and belongs to numerous international, national, and local professional and community organizations. He has a Bachelor of Science degree in Cybersecurity from the University of Maryland University College and earned several of the information security industry’s most respected certifications, including the Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Law of Data Security and Investigations (GIAC-GLEG) certifications. Jeffrey attended the Department of Defense Cybercrime Investigations Training Academy (DCITA) and is a certified digital forensics examiner.