Security: The case for vulnerability management

It’s been a bad year for IT security. The seemingly never-ending wave of increasingly virulent threats shows no sign of cresting. As crackers concoct new ways of threatening the very foundations of today’s technology, the CIO has only one chance to get it right.

A recent development in online malice quite literally has some CIOs reaching for their wallets. Known as a Ransom Trojan attack, it encrypts commonly used file types like Word, Excel, and jpeg images. When you try to open the file, you are instead presented with a demand for payment. As soon as you send the ransom to a Yahoo e-mail address or a PayPal account, you’ll receive the decryption code. That’s the hope, anyway.

The ransom is typically small, around a few hundred dollars; small enough that desperate victims will consider paying it quickly so they can put it behind them. Victimized companies are often too embarrassed to admit the attack has happened. Consequently they don’t report the crime. They instead write the experience off as the cost of doing business, and the hackers move on to their next mark.

Ransomware, as it has come to be known, spreads via e-mail attachment or, more ominously, as a link off of a seemingly legitimate Web site. Its maliciousness goes well beyond the usual Denial of Service type of attack, a battering-ram method that overwhelms a corporate Web site with requests until it slows to a crawl and eventually crashes. It represents a new escalation in a war that has no rules and no apparent end.

Ransomware has lots of malicious company. Viruses continue to mutate into new and more complex forms. This wouldn’t matter much if the impact of these attacks could be limited to a few hours a week of patching servers. But the effects of constantly evolving threats run much deeper. They divert scarce resources away from development and support activities and force the organization to spend money on things that do not contribute to profitability.

Raising security awareness

Although it’s always easy to toss some money at a problem and call it solved, security will never be such an easy fix. This issue is less about anti-virus software and firewalls than it is about simple human behaviour. Frankly, most employees aren’t even aware of the threat. That should scare the CIO more than any ransomware attack.

Human behaviours lie at the core of many security breaches. Until security awareness becomes as universal a skill as building complex Word documents and holding phone conferences, IT will continue to struggle to build a security-aware culture.

This evolved culture must be communicated in simple terms, and it must be fully integrated into existing employee training efforts. Start with these three core elements to make it simple for all employees:

• Risk is what can and will happen to a company’s technology assets in the event of a breach.

• Threats cause the risk.

• Vulnerability outlines what the threat agents will be taking advantage of.

Using a forgotten cell phone on the seat of an unlocked car as an example: thieves represent the threat, the risk lies in having the phone stolen, and the vulnerability is found in the unlocked door. No one element is responsible for the final outcome, but an understanding of each one, and its contribution to the final violation — the theft of the phone and the resulting loss of its use and exposure of personal data — can help employees understand their role in shutting the door on loss.

Notice that the solution is hardly technological in nature. Indeed, IT’s failure in driving greater security awareness lies in its historical reliance on technological solutions to these problems. Although anti-virus software and secure firewalls have a critical role to play, they are useless unless the humans on the front lines play their part as well.

While the external threats get all the attention, internal exposure from disgruntled employees, or simply from those who open e-mail messages from unknown senders, is a far more common scenario. By now, everyone should know that opening attachments from these sources is a recipe for disaster. Yet attacks that rely on this last bit of help from unwitting users continue to succeed.

The solution, then, is strategic in nature. Instead of looking at security as a never-ending series of tactical responses to tactical threats, the forward-thinking organization — and CIO — must take a broader view. A secure future originates at a management level, and manifests itself in a long-term commitment to proactively managing the security environment by educating the workforce.

Regardless, it is vitally important to review your IT environment with specialists who understand the potential threats you’re facing, and who have the experience to deal with them. Security is a discipline that often does not lend itself to a home-grown approach. Engage the best resources your company can find to help minimize the risk.

Integrated vulnerability management

In today’s technology environment, tactical management of security gaps must give way to integrated vulnerability management that assesses areas of risk, understands the potential impact on and costs to the organization, prioritizes responses in order of each threat’s perceived impact, and resources mitigation-focused work long before the threat actually materializes.

Vulnerability management recognizes that it isn’t enough to simply patch today’s known browser weakness. New vulnerabilities will arrive at IT’s doorstep tomorrow and beyond. IT must leverage its vulnerability management-savvy culture to maintain an effective security posture so that it can actively manage whatever threats emerge in future.

The key to achieving this is across-the-board training. Vulnerability management best practices must be integrated into all existing technology and process training programs. Standalone security training is inadequate on its own. IT communication processes must also prioritize security best practices at the employee level. Every message must reinforce the priority role played by each employee. Each potentially risk-exposing behaviour must be communicated along with the preferred secure behaviours.

Management must drive this initiative because no other individuals or groups within the organization have the power to modify organizational culture. Vulnerability management represents nothing less than a wholesale evolution in IT and business culture.

The entire organization must be brought on board if it is to succeed in reducing the company’s exposure to security-related losses. It will not happen overnight, and it will not be brought about under the umbrella of a single project. As such, it will require ongoing funding and, just as critically, consistent support from all C-level executives to ensure it does not fall victim to tactical cost-cutting efforts in future years.

The fundamental key to success lies in quantifying the cost of vulnerability. Unlike, for example, a software development project, vulnerability management initiatives don’t result in fancy new widgets. Rather, the outputs of any security initiative are typically little-understood by the average employee or leader. Their intrinsic value lies in their ability to prevent something onerous from happening. Consequently, they are difficult to sell in the boardroom, at least until the dollar impact of vulnerability is calculated.