With the rapid advances in technology and increased digitalization over the past decade, the volume of sophisticated technical vulnerabilities has also increased.
As an information security manager in the aviation industry, I have to keep updated on the latest vulnerabilities or exposures discovered either through a subscribed threat intelligence service such as VulnDB or by receiving security advisories and alerts from the local aviation authority (i.e., the Civil Aviation Authority of Singapore). In some of the high-profile cases (such as log4j vulnerability), my customers will also check with me on whether our deployed solution or services contain products that are affected by the specific vulnerability.
According to the US National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST), more than 23,000 common vulnerabilities and exposures (at the time of writing this blog) were discovered in 2022, compared to approximately 20,000 common vulnerabilities and exposures in 2021. But given my finite resources and time, I cannot look into each one of these. Therefore, I need to make sure that I focus on the vulnerabilities and assets that matter most and address my enterprise’s true business risk instead of wasting valuable time on vulnerabilities that are not likely to be exploited.
To determine which vulnerabilities to prioritize, a risk-based approach can be used. It helps eliminate guesswork for managing vulnerabilities and provides justification when presenting a change request to the Change Approval Board (CAB) for approval as part of the change management process.
To implement a risk-based approach, the first step is to carry out a risk assessment on each individual technical vulnerability discovered during the same period and ensure appropriate measures are taken to address the associated risk in a timely manner. The risk assessment will consist of the three standard phases: risk identification, risk analysis and risk evaluation. The four common types of risk response are risk acceptance, risk mitigation, risk transfer and risk avoidance.
For example, in November 2022, Cisco released 19 security advisories that covered 35 vulnerabilities for a range of Cisco products. These include eight high-impact advisories concerning eight vulnerabilities addressing denial of service conditions, default credentials and secure boot bypass. Therefore, for those Cisco products that are not used or relevant to my organization, I do not need to conduct a risk assessment. For those Cisco products that are used or relevant to my organization, I would need to conduct a risk assessment, and based on the risk rating of each technical vulnerability, the appropriate risk response will be chosen in accordance with my organization’s risk appetite or risk tolerance.
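The filter-then-assess procedure above, as an added example that is not part of the original post: advisories for products not in the asset inventory are skipped, the rest get a likelihood-times-impact rating, and the rating is mapped to a response using assumed risk-appetite thresholds. The advisory records, product names, scales and thresholds are all constructed for illustration, not real Cisco advisory data.

```python
from dataclasses import dataclass

# Constructed asset inventory: products actually deployed in the organization.
DEPLOYED_PRODUCTS = {"router-os-x", "switch-os-y"}

@dataclass
class Advisory:
    advisory_id: str   # constructed identifier, not a real advisory number
    product: str
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (severe), assumed scale

# Assumed risk-appetite thresholds on rating = likelihood * impact (1..25).
# Ordered from least to most tolerable; first matching threshold wins.
RESPONSE_BY_RATING = [
    (20, "avoid"),     # unacceptable: remove or disable the affected component
    (12, "mitigate"),  # patch or workaround, raised as a change request to the CAB
    (6, "transfer"),   # e.g. vendor support contract or insurance
    (0, "accept"),     # within tolerance: document and monitor
]

def is_relevant(adv: Advisory) -> bool:
    """Risk identification: only advisories for deployed products are assessed."""
    return adv.product in DEPLOYED_PRODUCTS

def risk_rating(adv: Advisory) -> int:
    """Risk analysis: simple likelihood x impact matrix."""
    return adv.likelihood * adv.impact

def risk_response(rating: int) -> str:
    """Risk evaluation: map the rating onto the organization's response options."""
    for threshold, response in RESPONSE_BY_RATING:
        if rating >= threshold:
            return response
    return "accept"

def triage(advisories):
    """Return {advisory_id: (rating, response)} for relevant advisories only."""
    results = {}
    for adv in advisories:
        if not is_relevant(adv):
            continue  # product not deployed here: no risk assessment needed
        rating = risk_rating(adv)
        results[adv.advisory_id] = (rating, risk_response(rating))
    return results

SAMPLE_ADVISORIES = [  # constructed sample data
    Advisory("ADV-0001", "router-os-x", likelihood=5, impact=4),  # default credentials
    Advisory("ADV-0002", "switch-os-y", likelihood=2, impact=3),  # denial of service
    Advisory("ADV-0003", "firewall-z", likelihood=5, impact=5),   # not deployed
]
```

Running `triage(SAMPLE_ADVISORIES)` assesses only the two deployed products and drops the third advisory despite its high severity, which is the point of filtering by relevance before spending assessment effort.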
Risk assessment for technical vulnerability is meant to complement an organization’s existing comprehensive security risk assessment, not replace it. In accordance with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard ISO/IEC 27001 Information Security Management, an enterprise should perform information security risk assessments at planned intervals or when significant changes are proposed or occur.
Depending on local laws and regulations, it may be mandatory to carry out comprehensive security risk assessments at certain intervals. For example, in Singapore, the owner of a critical information infrastructure must conduct a cybersecurity risk assessment at least once a year in the prescribed form and manner.
In any case, risk assessment should be a continual activity and part of day-to-day operations.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “Mitigating Technical Vulnerabilities With Risk Assessment,” ISACA Journal, volume 1 2023.