Business Reporter

Getting ahead of security vulnerabilities


Businesses are facing an ever-increasing volume of critical vulnerabilities. We asked Patrick Ragaru, CEO of Hackuity, why prioritising these risks has become more important than ever, and how security teams can get ahead of the issue with risk-based vulnerability management (RBVM).

Business Reporter: Has risk prioritisation become more important in recent years? What has changed in the threat landscape?

Patrick Ragaru: Cyber-security risk prioritisation has become increasingly critical in recent years as cyber-threats have evolved faster than our defences. 

There are a couple of important factors at play here. First, widespread digital transformation has led to more complex IT environments. Most enterprises now have hybrid and multi-cloud setups and facilitate remote working. Third-party applications are a cornerstone of modern business, and many industries have also invested in IoT devices. All these factors contribute to a large and unwieldy network that is more challenging to manage.

It also results in a greater attack surface for threat actors to exploit – more than 25,000 CVEs were reported last year alone. Additionally, the increasing interconnectivity of systems means that a breach in one area can have far-reaching consequences across an entire network.

Alongside this, the nature of cyber-attacks has evolved, and an increasingly organised dark web means it’s never been easier for criminals to acquire vulnerabilities and malware. This means knowledge of new vulnerabilities spreads quickly, giving more groups the chance to exploit zero days before they are patched.

The rise of models like ransomware-as-a-service (RaaS) means relatively unskilled groups with limited technical know-how can launch sophisticated attacks that would normally be beyond their level. 

In this context, risk prioritisation is both a tactical and strategic imperative. Threats are emerging more quickly and hitting harder. Organisations must be able to allocate their resources effectively and focus on the vulnerabilities that pose the greatest threat to their critical assets.

BR: What are some common pitfalls in attempting to prioritise cyber risk?

PR: One of the most significant mistakes we see is the lack of a holistic view of the organisation’s assets and vulnerabilities. Businesses still tend to operate in silos across different departments, leading to fragmented and inconsistent risk assessments.

Businesses can easily overlook critical vulnerabilities without a comprehensive understanding of their entire digital ecosystem. Equally, they can assume a vulnerability deemed “critical” by the wider cyber-community inherently impacts their own organisation and thus waste valuable resources on patching what doesn’t affect them.

Another common issue is over-reliance on automated tools and algorithms. While these tools are essential in keeping up with the demands of a large and complex network, they cannot replace human judgment and contextual understanding. Depending on the specific assets and business operations involved, a low-risk vulnerability in one context might be high-risk in another.

Additionally, many organisations struggle with outdated or overly complex risk models that do not align with the current threat landscape. This misalignment can spawn both under- and overestimations of the severity of risks, resulting in misallocated resources and efforts.

BR: What are the consequences of poor risk prioritisation?

PR: There are several detrimental results when risk prioritisation isn’t managed effectively. The most immediate issue is the increased likelihood of a successful cyber-attack. When critical vulnerabilities are not identified and addressed promptly, they become easy targets for attackers.

The longer a high-risk vulnerability sits untended, the more exposed the business is to threats like ransomware and data exfiltration, with all the operational disruption, financial loss, and reputational damage that goes with it. 

Ineffective prioritisation can also lead to resource drain. Security teams may spend considerable time and effort mitigating low-impact risks while leaving high-impact vulnerabilities unaddressed. This misallocation reduces their overall security posture and leads to inefficient use of the cyber-security budget.

Furthermore, poor risk prioritisation can have regulatory and compliance implications, particularly for highly regulated fields like financial services. Failure to comply due to inadequate risk management can result in hefty fines and legal consequences in the event of a breach. 

BR: CVSS 4.0 recently updated the risk scoring system. What impacts will this have on managing risks?

PR: The update to the Common Vulnerability Scoring System (CVSS) version 4.0 marks a significant shift in how vulnerabilities are assessed and prioritised. This update – the first in eight years – aims to provide a more nuanced and contextual approach to risk scoring.

One of the key changes in CVSS 4.0 is the enhanced consideration of a vulnerability’s context. This means the same vulnerability might have different scores based on its operational environment, allowing for more tailored risk assessments.

The update also aims to improve the clarity and consistency of scoring, reducing the subjectivity and variability in how different assessors might score the same vulnerability.

This update should hopefully lead to some positive outcomes. For example, security teams will have a more accurate and relevant framework for assessing vulnerabilities, leading to more effective prioritisation. This will enable organisations to focus on mitigating the risks that present the greatest threat to their specific environments, enhancing their overall security posture.

BR: How can security teams best determine which vulnerabilities to prioritise?

PR: Determining which vulnerabilities to prioritise requires a balanced approach combining automated tools and expert judgment. Security teams should start by comprehensively understanding their organisation’s assets, including their criticality and the potential impact of a compromise.

Automated vulnerability scanning tools are essential for identifying existing vulnerabilities. However, these tools should be complemented with threat intelligence to understand the current threat landscape and the likelihood of different vulnerabilities being exploited.

Security teams should also consider the broader context of their organisation, including business operations, regulatory requirements, and the impact a breach would have on their reputation. This perspective helps in assessing the real-world implications of different vulnerabilities.

Finally, effective communication and collaboration across different departments are crucial. Input from various stakeholders, including IT, operations, and executive leadership, ensures that the prioritisation aligns with the organisation’s overall risk management strategy and business objectives.

The right combination of human expertise and automated efficiency will give organisations the best chance of keeping ahead of vulnerabilities in a highly volatile and fast-moving threat landscape. 

Patrick Ragaru is CEO of Hackuity
