Omer Carmi, VP of Threat Intelligence, Cybersixgill
When I was in elementary school, we had a routine fire drill. The alarm bells would ring, and we were expected to drop everything and run outside as quickly as possible. As a young child, this was frightening, even upsetting, and we initially took it very seriously. The drills continued through our school years, yet we responded in a much different way by the time we reached high school: The alarm bells would ring, we’d shrug, pick up our stuff and shuffle outside for what we knew was just another break from class. We’d become numb to the alarm bell ringing because we knew there was no fire.
When the cybersecurity community deals with every patch day like we dealt with school fire drills, it runs the risk of becoming numb to the severity of some of the vulnerabilities and blind to which vulnerabilities should be prioritized.
Statistics show that 94 percent of disclosed vulnerabilities are never exploited by threat actors. That means IT staff are spending valuable time on CVEs that:
- Will never be exploited.
- Don’t apply to your organization or industry.
- Are completely misjudged at the beginning of their life cycles.
- Take away attention from the 6 percent of vulnerabilities that will be exploited.
CISOs should expand the scope of vulnerability management programs so they are better able to decide in real time whether a CVE is indeed one of the 6 percent that demands immediate attention.
Taking into account multiple criteria, including the potential impact of a vulnerability and the likelihood of its exploitation, can create a more balanced order of urgency for an organization.
Take, for instance, the recent hype about OpenSSL vulnerabilities earlier this month. Early indicators pointed to a complete apocalypse – some likened the scenario to Heartbleed 2.0. The media picked up on the sense of urgency, and reports of the expected severity traveled worldwide at record speed. All the alarm bells were ringing, but then the severity was downgraded from “critical” to “high.” That’s a perfect example of the fire drill mentality I’m talking about: it’s inefficient, and it depletes our valuable resources if we continue to listen to “the boy who cries critical.” It doesn’t mean we shouldn’t treat every vulnerability with extra care; it means that we should change the lens we use to examine vulnerabilities.
How can we move away from severity-driven patching cycles and change the fire drill approach to patching?
Constant patching creates the same feeling as Whack-a-Mole, where a new vulnerability pops up when you’re done patching an old one. Patch, watch for updates, patch, repeat. It never ends.
Let’s say a prominent software company sends out a release rating a CVE as critical, saying it should be immediately patched. Industry media will pick up on that and start ringing the alarm bells, probably reasoning that it’s better to be safe than sorry.
The problem with following the media’s lead is that most software companies base their patch announcements on the potential severity of the CVE (best characterized by CVSS), without considering the probability that this CVE will be successfully exploited. Remember, only 6 percent of vulnerabilities are actually exploited. If you base your patching on a severity-driven approach, you fail to distinguish between a fire drill and the real thing.
Software companies should get better at providing context for the CVEs they are warning us about and highlighting key risk parameters. It’s no longer enough to just offer a severity score. At a minimum, we should also know:
- Whether the CVE has already been exploited in the wild.
- How much chatter there is about the CVE in cybercrime forums.
- Whether exploit code for the CVE is being shared on the dark web.
- Whether there are other risk factors beyond severity that can help cybersecurity teams make a patching decision.
- How critical the assets vulnerable to the CVE are.
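The risk-based ordering argued for above (weighing severity together with the likelihood of exploitation and asset criticality, as in the earlier paragraph on multiple criteria) can be made concrete in code. The following is an added example, not code from the article or from Cybersixgill; the CVE identifiers are placeholders, the findings are constructed, and the weights in `exploitation_likelihood` and the thresholds in `recommended_action` are illustrative assumptions rather than any published standard. It shows a CVSS 9.8 finding with no exploitation evidence ranking below a CVSS 7.5 finding that is actively exploited on a critical asset.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One CVE as it applies to one organisation (all fields are constructed inputs)."""
    cve_id: str                # placeholder identifier, not a real CVE
    cvss_base: float           # severity only, 0.0 - 10.0
    exploited_in_wild: bool    # e.g. present in a known-exploited-vulnerabilities list
    exploit_code_public: bool  # working exploit shared publicly or on underground forums
    forum_chatter: int         # recent cybercrime-forum mentions (constructed count)
    asset_criticality: int     # 1 (low) .. 5 (crown-jewel), set by the asset owner
    applies_to_environment: bool  # is the vulnerable component actually deployed?


def exploitation_likelihood(f: Finding) -> float:
    """Hypothetical 0..1 likelihood built from threat-intel signals.

    Weights are illustrative assumptions: in-the-wild exploitation dominates,
    public exploit code is the next strongest signal, chatter adds a little.
    """
    score = 0.05  # baseline: an unexploited CVE is never exactly zero risk
    if f.exploited_in_wild:
        score += 0.60
    if f.exploit_code_public:
        score += 0.25
    score += min(f.forum_chatter, 50) / 50 * 0.10  # capped so chatter cannot swamp the rest
    return min(score, 1.0)


def risk_score(f: Finding) -> float:
    """0..100 score = impact (severity scaled by asset criticality) x likelihood."""
    if not f.applies_to_environment:
        return 0.0  # not deployed here: no amount of severity makes it urgent
    impact = (f.cvss_base / 10.0) * (f.asset_criticality / 5.0)
    return round(100 * impact * exploitation_likelihood(f), 1)


def recommended_action(f: Finding) -> str:
    """Map the risk score onto a patching decision (thresholds are assumptions)."""
    score = risk_score(f)
    if score >= 40:
        return "patch now"
    if score >= 15:
        return "schedule"
    if score > 0:
        return "monitor"
    return "not applicable"


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Return (cve_id, risk_score, action) ordered from most to least urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve_id, risk_score(f), recommended_action(f)) for f in ranked]


# Constructed sample findings: severity alone would order A, C, D, B.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-EXAMPLE-A", 9.8, False, False, 2, 3, True),   # "critical", no exploitation evidence
    Finding("CVE-0000-EXAMPLE-B", 7.5, True, True, 40, 5, True),    # "high", actively exploited, critical asset
    Finding("CVE-0000-EXAMPLE-C", 9.1, True, True, 10, 2, False),   # exploited, but component not deployed
    Finding("CVE-0000-EXAMPLE-D", 8.8, False, True, 25, 4, True),   # exploit code public, not yet in the wild
]


if __name__ == "__main__":
    for cve_id, score, action in prioritize(SAMPLE_FINDINGS):
        print(f"{cve_id:22} risk={score:5.1f}  {action}")
```

Run stand-alone, the ranking comes out B, D, A, C: the actively exploited "high" on a crown-jewel asset is patched first, the "critical" with no exploitation evidence is merely monitored, and the finding that does not apply to the environment drops out entirely. Swapping in real feeds (a known-exploited list, exploit-availability data, actual forum telemetry) and locally agreed weights is what turns this sketch into a decision the CISO can defend.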
And media outlets should examine their role in creating a fire-drill mentality by giving more attention to risk-based parameters, not just severity.
Vulnerability disclosures will still dominate headlines and attention in 2023, because that is the only way to create awareness of new vulnerabilities across the cybersecurity community and the public. This process has real merits.
But the culture shift away from what I call a fire drill mentality has to come from inside cybersecurity departments. It has to come from strong CISOs who understand that a high severity score without any context is not enough to set the alarm bells ringing, and who understand the negative consequences of treating it as if it were.