Microsoft was one of two companies to announce zero-day (previously unknown) flaws that could compromise security. Photo by Mohammad Rezaie on unsplash.com.
Written by Insecurity of Everything: A Cybersecurity & Business Column, Kate Fazzini and John Shegerian
Last week, two significant zero-day vulnerabilities were announced by Microsoft and Atlassian. They have similarities: they both are remote code vulnerabilities. They have differences: Microsoft’s is called “Follina,” Atlassian’s has no alias yet.
Vulnerabilities, if you were to surface every one at once, come in packages of hundreds or thousands. So when there’s a new one, how can business owners know which they should prioritize and which are likely irrelevant to their posture? Yes, there are lots of federal, state, local and otherwise affiliated guidelines that can help you triage these vulnerabilities, but if you’re working on a host of other problems, you might not have the time to consult them, and if you do, that information may be outdated, too generalized or not applicable to your stack.
As a result, many security leaders develop a shorthand to figure out how much attention to give zero-day flaws and others that suddenly seem as if they need a lot of attention. Here are a few simple questions that can help you determine how hard to push your tech team to mitigate a vulnerability that makes headlines:
Remote or local? Can the vulnerability be exploited only if a malicious individual has access to your network internally? Insider threats are a very real problem, but from a volume perspective, vulnerabilities that allow access remotely vs. from an internal vantage point are much more likely to be exploited.
A little or a lot? Is your environment saturated with or completely reliant on the software, application, operating system or platform affected by the vulnerability? Or is it totally absent, minimally used or used for purposes that aren’t critical? One scenario may be an emergent situation; the other is business as usual.
Active or dormant? Is the vulnerability being actively exploited? There are a few ways to tell, the easiest is by consulting the vendor’s or other trusted entity’s report on the flaw — DHS has a frequently updated list of actively exploited bugs, called the Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog. There are tools for engineers available at this site that can allow you to cross reference open exploitations with any vulnerability in your environment.
The freakout factor: This is the most human of the signs a vulnerability may be serious. Do you have any security people in your network? Are they actively complaining about a weekend ruined by a particular new flaw? Did this issue show up in the blogs of ZDNet and Bleeping Computer, maybe even Ars Technica, only to then migrate to headlines in non-trade, mainstream outlets? It’s a known fact in the infosec community that if a vulnerability hits The Wall Street Journal, it’s already too late and you will need to start pulling together a deck about how you are fixing it.
For the Microsoft and Atlassian vulnerabilities, questions one and two are answered unfavorably; three is relative to your environment and the fourth factor was at about a 7 out of 10 until patches were issued. Also remember, Microsoft and Atlassian, with their ubiquitous corporate applications, don’t often release information about a vulnerability before there is a patch for it … unless it’s being heavily exploited. Indeed, the Department of Homeland Security added both to its list of actively exploited vulnerabilities. For the Atlassian flaw, DHS recommended all government agencies to put all relevant Atlassian products behind a VPN.
The takeaway is that not all vulnerabilities are created equal… and asking the above questions for each can help drive an effective response plan.
Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.