Threat & Vulnerability Management

Do you believe that ransomware is inevitable?

Top Answer : During a CISO roundtable I heard people say that we simply have to accept that ransomware is going to happen. I don't believe that. We can approach these zero-days and malware in a lot of different ways. When I was an infrastructure guy, I couldn't say, "Oh, it's inevitable that these servers will be down, so production will be out for three weeks. It's just what happens in IT." That would never be acceptable. And yet, we're accepting that the attackers are already in and moving around our network because of the way our networks are designed.

What is the future of cybersecurity and what changes are organizations making? Should the government implement more defined rules to protect businesses from cyber attacks?

What are organizations getting wrong when it comes to fighting back against ransomware?

Top Answer : No matter how security aware you are, no matter how smart you are, people are human and they make mistakes—that's an endemic problem in our industry. The other big pet peeve of mine is that all these companies invest so much in prevention and they forget about detection and response. It's 2021 and I just read a report a couple of weeks ago that the average time to discover a web vulnerability is over 200 days. That's appalling.

What Operational Technology (OT) vulnerabilities keep you up at night?

Top Answer : What you need to consider is the attack surface. Who's really going to hit these lab machines? With research, generally you'll be looking at state-level attacks. That's a big fish to fry. But at the actual individual machine layer, you're probably not going to get hit by a huge flood of attacks directed at them because there isn't an easy way to monetize that. You're dealing with corporate espionage and state-level espionage. You're not getting the volume that you'd get with a bank or a credit card processor that's so easy to monetize. Although if the last couple of years have taught us anything, it's that the whole industry has changed its strategy around monetization and now they're targeting all the low-hanging fruit with ransomware and DDoS for bitcoin. So even that's becoming a false sense of security more and more every day.

What type of CISO are you?

Top Answer : I had thought about adding a 7th choice - one that wasn't in the original article. A Teflon CISO - the CISO who deflects any real ownership for risk when it materializes. One that says "the business accepted the risk," or perhaps "the CIO accepted the risk," or perhaps they say they didn't have the budget. Anyone know a Teflon CISO?

What are the best strategies for testing your organization’s security posture?

Top Answer : Throughout my networks and applications, I prey on the psychological factor by creating intentional paths of least resistance. If my password policy is 12 characters, I will create a dummy account on there with an 11-character password; guess which one always gets hit first? I'll create a fake server, replay traffic to it from a copy of another server so it looks legit, and I'll name it something really stupid like "HR data" or "credit data" that just trips the risk-versus-reward profile on any human being; they can't resist. I call those my digital minefields and I will place them all around my network, moving them around from time to time. I confused and confounded many pen testers when I developed an automated system to do this at one of the universities that I was at. They would do a pen test on us and every time they scanned the network, it looked completely different. I told my team at the time, "Okay, just wait. In about half an hour, I'm going to get called into the CIO's office because they're going to get yelled at by Design of Experiments (DOE), who will claim that we're cheating on the pen test." Sure enough, half an hour later, I got called into the CIO's office: "They claim you can't operate like this, that things are always moving and you're purposely trying to evade their pen test." And I said, "Nope, this is exactly how the system was designed to function."
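The bait accounts described in the answer above only pay off if someone is watching for them. The following is an added example, not code from the original post or from any product the answer mentions: it parses constructed sshd-style auth log lines and raises an alert on any authentication attempt, successful or not, against a decoy account. The decoy names (`hr_data_backup`, `credit_data_svc`) and the log lines are invented for the illustration; a real deployment would feed this from the SIEM or auth log pipeline and treat an accepted login on a decoy as the highest-severity case.

```python
import re
from dataclasses import dataclass

# Hypothetical decoy account names (constructed for this example). These accounts
# exist only as bait, so any authentication attempt against them is a signal.
DECOY_ACCOUNTS = {"hr_data_backup", "credit_data_svc"}

# Constructed sshd-style auth log lines; not taken from a real system.
SAMPLE_LOG = """\
Jan 10 10:00:01 app01 sshd[2311]: Accepted password for alice from 10.0.1.20 port 50122 ssh2
Jan 10 10:00:07 app01 sshd[2315]: Failed password for invalid user hr_data_backup from 10.0.9.77 port 41002 ssh2
Jan 10 10:00:09 app01 sshd[2317]: Failed password for invalid user hr_data_backup from 10.0.9.77 port 41004 ssh2
Jan 10 10:02:44 db01 sshd[811]: Accepted publickey for credit_data_svc from 10.0.9.77 port 41210 ssh2
Jan 10 10:03:10 app01 sshd[2320]: Failed password for bob from 10.0.1.31 port 50130 ssh2
"""

# Matches the common "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<outcome>Accepted|Failed)\s\S+\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    src: str
    outcome: str  # "Accepted" or "Failed"


def parse_line(line):
    """Return the parsed fields of one auth log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_decoy_hits(log_text, decoys=DECOY_ACCOUNTS):
    """Return an Alert for every authentication attempt that names a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in decoys:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"], rec["outcome"]))
    return alerts


def accepted_decoy_logins(alerts):
    """Decoys have no legitimate users, so an accepted login means the credential leaked."""
    return [a for a in alerts if a.outcome == "Accepted"]


def sources_touching_decoys(alerts):
    """Distinct source addresses that touched any decoy, for pivoting in the investigation."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    hits = find_decoy_hits(SAMPLE_LOG)
    for a in hits:
        print(f"{a.timestamp} {a.host}: {a.outcome} auth for decoy '{a.user}' from {a.src}")
    print("sources to investigate:", sources_touching_decoys(hits))
```

Because the decoys are never used by real staff, the rule needs no baseline and produces no false positives from normal activity; the only tuning is keeping the decoy list in sync with whatever accounts are actually planted.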

How does speed-to-market pressure affect security?

Top Answer : In a perfect world it shouldn't, since security would not be an afterthought, but rather a part of the day-to-day normal way of working. In a non-perfect world you might look to compartmentalise those "quick'n'dirty" agile deliveries that every IT team is asked to provide, and then secure and import them later once it has been proven that they will live long enough to warrant it.

Can passwordless logins ever exist outside of web applications?

Top Answer : Passwordless logins with tokens do work but when you go with passwordless logins, what you rely on instead is something I have that can be stolen. The security of two-factor authentication (2FA) using your phone—as something I have—has already been broken.

Have your top 10 security threats evolved throughout 2021?

Top Answer : We are not seeing anything new in terms of threats but we're starting to see some of the user groups become more aware of what they should ask about before they do things. We have new drone assessments to establish whether there is any public data available on there and if we should be considering that. So from that standpoint, threats haven’t changed but there has been a change of focus.

Is AI the solution to vulnerability management?

Top Answer : The problem with vulnerability management sounds complex but it isn't. From a data standpoint, there are only 200K known, unique vulnerabilities. The challenge is understanding which one is a known exploit, labeling the exploit as a remote code execution (RCE) and determining which one is trending or trying to do ransomware; that's where AI models can help. The marketing term for it is "knowledge graph" but what you're really doing is indexing everything and ranking it all, like a search engine. That's what we have done at RiskSense: We took what Google did 20 years ago with apps and authorities from a PageRank perspective, and then re-implemented that for cyber today from a vulnerability and threat management perspective. For example, one metric is called term frequency–inverse document frequency (tf–idf) and measures how often or how rarely the term occurred. So using that approach, we went back and looked at all exploit code that's committed to Metasploit and PRCs. Rather than taking the tags at face value, we studied those exploits ourselves and labeled them using Natural Language Processing (NLP). It used to take four days for an analyst to understand an exploit and label it; today we can do it in four seconds. That's a huge win for us. We run the models on a continual basis now and when a new exploit comes, we label it. If we don't get the accuracy then a human looks at it. It's a very typical live example.
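To make the tf–idf step of the answer above concrete, here is an added example that is not RiskSense's code or any description of their models. It computes tf–idf over a constructed corpus of four short vulnerability descriptions (invented for the illustration, not real advisories), lists the most distinctive terms of each description, and ranks the descriptions against a query such as "remote code execution" by summing the tf–idf weights of the query terms. Term frequency is the raw count divided by the document length and inverse document frequency is ln(N / df), so a term that appears in every document scores zero.

```python
import math
import re
from collections import Counter

# Constructed sample corpus: short vulnerability descriptions, not real advisories.
DOCS = [
    "remote code execution in web server via crafted request",
    "remote code execution in mail server via crafted mail attachment",
    "denial of service in web server via malformed request",
    "local privilege escalation via race condition",
]


def tokenize(text):
    """Lowercase alphabetic tokens; enough for short English descriptions."""
    return re.findall(r"[a-z]+", text.lower())


def document_frequency(docs):
    """Number of documents each term appears in at least once."""
    df = Counter()
    for doc in docs:
        df.update(set(tokenize(doc)))
    return df


def inverse_document_frequency(docs):
    """idf(t) = ln(N / df(t)); common terms approach zero, rare terms grow."""
    n = len(docs)
    return {term: math.log(n / count) for term, count in document_frequency(docs).items()}


def tf_idf(docs):
    """One {term: weight} dict per document, tf = count / document length."""
    idf = inverse_document_frequency(docs)
    weights = []
    for doc in docs:
        tokens = tokenize(doc)
        counts = Counter(tokens)
        weights.append({t: (c / len(tokens)) * idf[t] for t, c in counts.items()})
    return weights


def top_terms(weights, doc_index, k=3):
    """The k highest-weighted terms of one document, i.e. what makes it distinctive."""
    ranked = sorted(weights[doc_index].items(), key=lambda kv: (-kv[1], kv[0]))
    return [term for term, _ in ranked[:k]]


def rank_documents(weights, query):
    """Document indices with a non-zero score for the query, best match first."""
    q_terms = tokenize(query)
    scored = []
    for i, w in enumerate(weights):
        score = sum(w.get(t, 0.0) for t in q_terms)
        if score > 0:
            scored.append((i, score))
    scored.sort(key=lambda s: (-s[1], s[0]))
    return [i for i, _ in scored]


if __name__ == "__main__":
    w = tf_idf(DOCS)
    for i, doc in enumerate(DOCS):
        print(f"doc {i}: {top_terms(w, i)}  <- {doc}")
    print("ranked for 'remote code execution':", rank_documents(w, "remote code execution"))
```

In this corpus "via" occurs in all four descriptions and so contributes nothing, while "mail" dominates the second description because it is both rare across the corpus and repeated within that document; the same mechanics are what let a ranking system surface the descriptions most relevant to a label like RCE before a human reads them.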