Your low priority vulnerability is a hacker’s potential goldmine
We all worry about the high security or severity software updates and patches issued for security or safety reasons. IT security gets permission to triage these quickly and install them in a reasonable period of time. But what about the low priority patches?
Well, you should worry about those too, and a lot more than you probably do already.
Detail
In the real world, high priority vulnerability alerts get airtime and the IT security people can often get budget to triage, test and install these updates reasonably quickly. We encourage our insureds to do this as quickly as possible, and ideally within a week to 14 days. This still leaves a window of opportunity but the risk is manageable since there is heightened attention around the security vulnerability.
But what about the lower priority vulnerabilities?
Unfortunately, there is no such thing as a low priority vulnerability. Any gap is exploitable – and it is clear that hackers will seek any hole to get access, and then decide how to exploit it. And, unlike their highly-rated cousins, these low priority breaches may not be patched for a much longer while, and in some cases, the vendors may decide that upgrades may only be beneficial at major update time (or even on new release).
We know that hackers have a good look at the target before having a go. We know that they tend to have been in the environment for a long time before they strike. In cases where IP theft is more important than, say, ransom, they absolutely have no interest in being discovered, and prefer to maintain the lowest of profiles. If a hacker sees that you have done good work on the high value patches, they will draw one set of conclusions. But they will be less disposed to go elsewhere if they see that, despite the good work on the high level patches, the lower priority patches are late, absent or being systematically ignored.
Management is an activity – security is a state
Situations like these require active and mature risk management. The lower order vulnerabilities are the ‘sleeper’ cells of cyber security. The apparently innocuous gaps they present can be exploited and, since the use cases of the vulnerable technology cannot be pre-determined or controlled, the significance of the patch will be easy to underestimate.
You need actively to manage this situation, and:
- Understand your environment and the patch / vulnerability status of the systems, services, hardware, firmware and software you deploy;
- Understand the ‘patches outstanding’;
- Establish the costs of their implementation;
- Consider in your context whether there are other steps you can take (e.g. process, physical, people) to mitigate these risks; and
- Do the cost-benefit analysis and make sure your Board is involved.
Why this matters
- A vulnerability is a vulnerability;
- It is difficult enough to get system and/or management time for the high priority risks – these will pose an additional challenge, but are an important element of your security;
- Hackers are patient and persistent;
- Unless you know what you are looking for, and have the tools to do so, you may miss the subtle traces left by the hackers;
- Doing the bare minimum (even if the patches are critical) is not enough;
- Prevention is cheaper than cure – your shareholders will not forgive you for failing to plug gaps in your defences, however important.
We would be delighted to assist you to work out your approach to this issue. Please get in touch. #astaaracyber #resilienceandrecovery