researchHQ’s Key Takeaways:
- Skipping configuration integrity in favour of vulnerability assessments risks overlooking the fundamentals and exposes enterprises to greater risk.
- The prioritisation of competing initiatives should revolve around securing the confidentiality, integrity, and availability of data.
- Vulnerability assessments check an organisation’s software against a constantly evolving list of known vulnerabilities.
- While vulnerability patching is essential, an assessment only reflects the list of known vulnerabilities at the moment it was run, and that list grows constantly.
- Misconfigurations are responsible for the majority of data breaches, making them the most significant information security risk.
Vulnerability assessment is a necessary component of any complete security toolchain, and the most obvious place to start for anyone looking to improve their security. Ironically, starting with vulnerability assessment can actually degrade an organization’s overall defense by shifting focus from the cause of most outages and breaches: misconfigurations.
Misconfigurations – Not Very Cool, But Extremely Important
Sophisticated, high-profile attacks get the most attention, in part because they are terrifying and in part, let’s admit it, because they are cool. Transmitting a binary across air-gapped systems using fluctuations in temperature caused by CPU usage is cool. Logging into a system where the username and password haven’t been changed from the defaults, or are written on a post-it note hanging from the monitor, is not cool. One of these vectors is far more likely to happen to you than the other. Given limited resources, you would do better to invest against the far more likely risk.
To put it in everyday terms, skipping configuration integrity to jump straight to vulnerability detection is like taking classes on how to wrestle alligators and driving there with your seatbelt unbuckled. While you might fare much better in an encounter with an alligator, you’ve increased your overall risk of mortality by missing the fundamentals.
Integrity, Availability, and Confidentiality – Not Just for Campaign Slogans
The significance of configuration integrity and vulnerability assessment should both be measured by their ability to increase information security. The three components of information security are data integrity, availability and confidentiality. A loss of integrity means the data has been corrupted or altered without authorization; a loss of availability means it can no longer be delivered to the users who should have it; and a loss of confidentiality means it has been disclosed to someone who should not have it. Putting the fundamentals of information security front and center provides the means to prioritize competing initiatives and make misconfigurations a top concern.
Making a List and Checking it Twice
What does vulnerability assessment catch? A software vulnerability means that a particular crafted input to a program can result in a loss of information security, from low-severity denial-of-service attacks to business-rattling data leaks. Vulnerability assessment is one way to improve information security by comparing the software you have (and the versions you are running) to a list of software that is known to have vulnerabilities. (Getting the list and executing the comparison correctly is complex, but at least the idea is straightforward.) The list of vulnerable software grows over time as security researchers experiment with new ways to make programs do something they’re not supposed to. Once a program is known to have a vulnerability, the provider issues a patch, users update, and they are no longer subject to that vulnerability.
At least in theory.
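To make the comparison concrete, here is an added example (not code from the original article) of the core of a version-based vulnerability assessment: an inventory of installed software is matched against advisories that name an affected version range. The package names, version numbers and advisory identifiers are constructed for illustration and do not correspond to real products or advisories; the range convention (first affected version inclusive, first fixed version exclusive) is an assumption made here. The one detail worth learning from it is that versions must be compared numerically component by component, because a plain string comparison ranks 1.9.0 above 1.10.0 and quietly misses a real finding.

```python
"""Minimal version-based vulnerability assessment (added example).

Inventory and advisory data below are constructed for illustration;
they are not real software, versions or advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical.

    Lexically '1.9.0' > '1.10.0', which would make a scanner treat a
    vulnerable 1.9.0 as newer than the fixed 1.10.0 and report nothing.
    Trailing non-digit suffixes such as '-beta' are ignored.
    """
    parts = []
    for component in v.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b (1.2 == 1.2.0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, e.g. "ADV-0001"
    package: str
    introduced: str    # first affected version (inclusive), assumed convention
    fixed: str         # first fixed version (exclusive), assumed convention


def is_affected(installed: str, adv: Advisory) -> bool:
    """Affected iff introduced <= installed < fixed."""
    return (not version_lt(installed, adv.introduced)) and version_lt(installed, adv.fixed)


def assess(inventory: Dict[str, str], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, advisory_id) for every match.

    Software absent from the inventory is simply not assessed, which is
    why the inventory itself has to be complete and accurate.
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            findings.append((adv.package, installed, adv.advisory_id))
    return findings


# Constructed sample data (not real products or advisories).
SAMPLE_INVENTORY = {
    "webfront": "1.9.4",   # inside an affected range
    "dbconn": "2.0.1",     # exactly the fixed version: not affected
    "imgproc": "1.9.0",    # affected, but a string comparison would miss it
}

SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "webfront", introduced="1.8.0", fixed="1.9.5"),
    Advisory("ADV-0002", "dbconn", introduced="2.0.0", fixed="2.0.1"),
    Advisory("ADV-0003", "imgproc", introduced="1.2.0", fixed="1.10.0"),
]

if __name__ == "__main__":
    for pkg, ver, adv_id in assess(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{pkg} {ver}: affected by {adv_id}")
```

Running it reports webfront and imgproc as affected and leaves dbconn alone. Note what it cannot see: a package that was never inventoried, a patch that was downloaded but never applied, or a default credential on a correctly patched system. Those are configuration integrity questions, and the advisory list says nothing about them.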