Written by

Adam Roussel
October 18, 2017

Remediation Policy or Reconsider Mediation Entirely?


Your Current Solution Might Fall Short.

Let’s Set the Stage:
 
May 2013: the ‘WhiteHat Website Security Statistics’ study reported that at least one critical vulnerability, a flaw that would allow an attacker to compromise all or part of a website, was found on 86% of the sites tested.  The average time required to remediate these vulnerabilities was 193 days.
 
That same month, Ed Snowden extracted highly controversial documents from NSA servers.
 
In the time since, the global security landscape has come to resemble a battlefield: the rate of high-profile breaches has increased dramatically, the attacks are becoming more sophisticated and difficult to detect, and, for a myriad of reasons, keeping pace with blackhat hackers can become untenable.
 
The Current State of Affairs
 
2017 has one whole quarter left, and yet we have already seen an alarming number of high-profile, debilitating security breaches. From WannaCry to hacks on global elections, to the recent breach at Equifax which compromised the financial details of millions of Americans, companies are more vulnerable than ever.
 
Researchers at the Ponemon Institute released their 12th annual “Cost of Data Breach Study”, in which they estimate that the likelihood of a security breach happening to your company in 2017 is as high as 1 in 4. Despite these alarming figures, it seems that more companies are taking active measures to reduce the fall-out from breaches, even if completely preventing them is impossible. The same study found that the average total cost of a data breach in 2017 is $3.62 million, which is a decrease of 10 percent from last year.
 
 
So, What Can Businesses Do About This?
 
Vulnerability remediation is by no means an insignificant task; however, compared with the extreme impact and severity of a data breach, the effort it requires is trivial.
 
In many instances, remediation serves as a helpful indicator of improper internal controls.  It provides an easy, fast indication of status and progression, and the year-to-year variance in number and severity of issues gives you a simple measurement for consistency.  Countless spreadsheets exist that provide severity and criticality definitions.
 
The logical, obvious approach to resolution is to organize vulnerabilities by severity, from highest to lowest. Unfortunately, that approach is only rarely the optimal one, because it is disconnected from practicality and reflects a misunderstanding of risk management.
 
Should you find yourself in a similar situation, rather than remediating based on individual vulnerability scores as it may seem logical to do, adopting a risk-based approach would put your company in a much better position.
 
 
Quantify Asset Values.  Determine Risk.  Prioritize Tasks.
 
Implementing a proper method that enables tasks to be easily identified and prioritized over other, less important concerns allows attention to be focused on the most relevant area possible.  Quantify asset values and the criticality of their services as they pertain to your overall business security objectives.  Determine what risk exposure your assets face, and base your task prioritization on the amount of risk eliminated from the most critical exposures.  Shodan is an awesome tool for providing an overall summary of your external security status.
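
The prioritization described above, as an added example that is not from the original article. The multiplicative risk model, the exposure weights, the 1-5 asset value scale and the sample findings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed exposure weights (not from the article): how reachable the asset is.
EXPOSURE = {"internet": 1.0, "partner": 0.6, "internal": 0.3, "isolated": 0.1}

@dataclass(frozen=True)
class Finding:
    name: str
    severity: float   # scanner score, 0-10
    asset: str
    asset_value: int  # assumed business criticality scale, 1 (low) to 5 (critical)
    exposure: str     # key into EXPOSURE

    @property
    def risk(self) -> float:
        # Assumed model: severity scaled by asset value and exposure.
        return round(self.severity * self.asset_value * EXPOSURE[self.exposure], 2)

def by_severity(findings):
    """The 'obvious' ordering: highest scanner score first."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)

def by_risk(findings):
    """Risk-based ordering: most risk eliminated first, severity breaks ties."""
    return sorted(findings, key=lambda f: (f.risk, f.severity), reverse=True)

def asset_exposure(findings):
    """Total open risk per asset, to show where exposure concentrates."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.asset] += f.risk
    return dict(totals)

# Constructed sample findings, not real scan output.
FINDINGS = [
    Finding("Outdated SMB service", 9.8, "lab-test-vm", 1, "isolated"),
    Finding("SQL injection in login form", 8.1, "customer-portal", 5, "internet"),
    Finding("Default admin password", 7.5, "hr-fileshare", 4, "internal"),
    Finding("Verbose error pages", 5.3, "customer-portal", 5, "internet"),
]

if __name__ == "__main__":
    sev_order = by_severity(FINDINGS)
    for rank, f in enumerate(by_risk(FINDINGS), 1):
        print(f"{rank}. {f.name} on {f.asset}: risk={f.risk} "
              f"(severity rank {sev_order.index(f) + 1})")
    print(asset_exposure(FINDINGS))
```

With these sample values, the finding with the highest scanner score drops to last place because it sits on a low-value, isolated asset, while both issues on the internet-facing portal move to the top.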
 
Regular, thorough system auditing is paramount to avoid risking disclosures and is a necessity for any business, big or small.  Enlisting third-party penetration testing services, mandating training in security best practices for staff, having a solid information security policy in place, and enforcing it against any instances of non-compliance are effective ways to maintain an acceptable security posture.
 
Skilled attackers make sure their tracks are extremely well hidden; even discovering where you have been compromised can be a challenging task in and of itself.  Working with an external 3rd party can also help to ensure that your IT team can focus on critical tasks and your main business competencies while getting the support to ensure your data and systems are safe. 
 
 

About the author:

Adam Roussel is an Information Systems Engineer and Data Security Specialist with over five years of industry expertise. Adam has led audits of security posture and risk exposure across several industries, and provides technology consulting, vulnerability assessment and penetration testing, managed services and security services to both large and small businesses. Adam has a Bachelor of Science Degree in Information Systems Security. You can follow Adam on LinkedIn.

 
