Wednesday, January 1, 2025

There are instances where a CVSS rating of 7.5 can effectively translate to a 10 within a specific organisational or technical context. This occurs when the impact and likelihood of exploitation combine to create a critical situation that demands immediate attention.

Digital Safety

While aggregate vulnerability scores may seem to provide a straightforward indicator of an organization's potential exposure, the relationship between a flaw's publicly reported severity score and the actual risk it presents is far more complex than it first appears.

Black Hat Europe 2024: Why a CVSS score of 7.5 may be a 'perfect' 10 in your organization

Vulnerability management: a never-ending battle against the tide of exploited weaknesses? The constant stream of patches, updates, and fixes can leave even the most vigilant cybersecurity teams fatigued, their expressions a mix of frustration and concern. New code continues to be developed at a rapid pace, unfortunately giving rise to many new vulnerabilities. At Black Hat Europe, Ankur Sand and Syed Islam, two cybersecurity experts from JPMorgan Chase, gave a thought-provoking presentation titled “???”, and the audience was eager to hear their insights.

The presenters scrutinized the Common Vulnerability Scoring System (CVSS) metrics to identify ways to refine how vulnerability severity is assessed and to expedite patching. Their assessment focused primarily on version 3 of the methodology rather than the current version 4, but they noted that, at a high level, they expect similar findings for version 4.

They identified and prioritized six key areas where greater clarity is needed to support informed decisions about whether patching is imperative. I'm not going to recite all six here, but a few really caught my attention.

As organisations continue to rely heavily on vulnerability scoring systems such as CVSS, a closer examination of their limitations is necessary to avoid underestimating the risk posed by certain vulnerabilities.

The first area concerns how a vulnerability's impact is scored. Impact is broken down into three categories: confidentiality, integrity, and availability. Each category is scored separately, and the three are then combined into the overall score that is finally displayed. When one category reaches the highest rating but the others do not, the combined severity is pulled down: a vulnerability whose individual component would justify an 8 or higher can end up at 7.5 as a direct result of this aggregation. In 2023, the team documented an astonishing 2,000 instances where this happened.

Organizations that prioritize patches based on CVSS scores of 8 or higher would not treat a 7.5 as a priority, even if one of its individual components on its own would qualify for an 8+ score. So a vulnerability that rates very high in one category for a specific situation may go unaddressed simply because it was never prioritized. I sympathize with the challenge of establishing a scoring system, and we must acknowledge its necessity as a starting point that is relevant to all stakeholders, with the understanding that such systems are dynamic and evolve over time.

A second area, concerning dependencies, also caught the audience's interest. The presenters emphasized that a vulnerability's exploitability is contingent on specific conditions being met. If a vulnerability with a high rating also requires X and Y in order to be exploited, and these do not exist in some environments or implementations, then teams may be rushing to patch when the priority could be lower. Understanding these granular properties requires a deep dive into the details, a task best suited to a highly skilled and well-resourced cybersecurity team.

Many small businesses are at the opposite end of the spectrum, struggling with scarce resources and few usable assets. Expecting them to understand every property involved, including the details of each dependency, seems like a lofty aspiration that may push the limits too far. The revelation that a company's operations are often tied to software containing open-source code highlights a pressing concern, as numerous companies have been caught unprepared, unaware of their dependence on such code.

Every company has its own culture and policies, so a one-size-fits-all solution is impractical and unlikely to satisfy everyone's needs. Although each organisation's circumstances differ, better understanding and higher expectations should enable teams to make their own informed decisions about vulnerability severity and patching priorities in line with their corporate guidelines. For smaller companies, the pain of having to patch based largely on an aggregated rating may persist; the best response likely lies in automating the process wherever possible.

What is particularly intriguing about this perspective is that some companies are already being required to patch software in response to public vulnerability disclosures as soon as fixes become available. As cyber-insurance policies demand additional data to assess risk, insurers gain the granular insight needed to prioritize vulnerabilities and optimize threat mitigation. This approach lets insurers offer organisations a viable way to mitigate risk, benefiting both the company's security posture and the insurer's bottom line.

Discussions around standards such as CVSS underscore the importance of keeping pace with the constantly shifting cybersecurity landscape. The JPMorganChase team delivered a standout presentation that conveyed its key takeaways clearly, elevating the discussion with their insight and expertise.
