"He who defends everything defends nothing." - Frederick the Great
Identifying vulnerabilities is, at best, only half of the battle. The discovery of vulnerabilities is critical to mitigation; however, vulnerability discovery divorced from risk-informed thinking is functionally useless.
Modern enterprises consist of tens of thousands of systems and services. Assume that ACME Corp. is an enterprise with 100,000 networked components. A vulnerability rate of 1% of these systems leaves 1,000 systems at risk. Is that a lot? It depends.
Rather than think of the situation in terms of raw counts, which are generally meaningless on their own, it is important to consider not how many systems are vulnerable but what the risk of compromise is. Absolute numbers have their place but mean very little in operational environments.
Risk can be conceptualized as a function of likelihood and consequence. To put it another way: it is the chance that a system will be compromised, combined with an assessment of how significant that compromise would be.
This is important thinking because not all vulnerabilities are equal. That is why the raw number of 1,000 vulnerabilities is useless on its own.
If ACME Corp.'s network has vulnerabilities deep in the architecture, past multiple firewalls and intrusion detection/prevention systems, monitored by a solid SIEM, on an encrypted database protected by solid PKI integration, it is very unlikely that an attacker will successfully exploit one of those vulnerabilities and carry an attack through to a consequential outcome. On the other hand, if I am a person of significant interest, my endpoint is totally unprotected, and I am running a badly out-of-date OS, I am going to get popped.
This matters because organizations operate under constraints. No matter the size of the organization, this is true all of the time, and under constraint, operators need to pick and choose. The one time that the total raw number of risks is important is when a pairwise analysis is required in order to prioritize mitigations, which carry financial, technical, and human-resource costs in addition to their consequence- and likelihood-driven score. But the process by which this is done requires a deep understanding of network, application, and system security. It also requires knowledge of quantitative and qualitative risk analysis, criminal psychology, and threat intelligence analysis. That is why no thoughtful approach can divorce the technical from the analytical and still be successful.
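The scoring and prioritization described above, as an added example that is not part of the original post: each finding is scored as likelihood times consequence, with likelihood discounted for every compensating control layered in front of it (the halving factor, the finding names, the scores and the greedy risk-per-cost selection are all assumptions chosen for illustration), and mitigations are then picked under a fixed budget.

```python
from dataclasses import dataclass

# Assumption for illustration: each layered compensating control
# (firewall, IDS/IPS, SIEM monitoring, encryption, PKI) halves the
# chance that an attacker reaches and exploits the vulnerability.
CONTROL_FACTOR = 0.5


@dataclass
class Finding:
    name: str
    base_likelihood: float  # 0..1, chance of exploitation with no controls in front
    consequence: float      # 0..10, how bad a compromise of this asset would be
    controls: int           # number of compensating controls between attacker and asset
    mitigation_cost: float  # cost units (money, engineer time) to fix


def risk(f: Finding) -> float:
    """Risk = likelihood (after compensating controls) x consequence."""
    return f.base_likelihood * (CONTROL_FACTOR ** f.controls) * f.consequence


def prioritize(findings: list[Finding], budget: float) -> tuple[list[str], float]:
    """Greedy pick of mitigations by risk removed per unit cost until the budget runs out.

    Greedy-by-ratio is a simplification of the pairwise analysis the text
    describes; it is good enough to show why raw counts mislead."""
    ranked = sorted(findings, key=lambda f: risk(f) / f.mitigation_cost, reverse=True)
    chosen, spent = [], 0.0
    for f in ranked:
        if spent + f.mitigation_cost <= budget:
            chosen.append(f.name)
            spent += f.mitigation_cost
    return chosen, spent


# Constructed sample findings mirroring the two cases in the text: a flaw
# buried behind four layers of controls versus an unprotected endpoint.
FINDINGS = [
    Finding("db-server flaw behind firewalls, IDS, SIEM, encryption, PKI", 0.8, 9.0, 4, 30.0),
    Finding("executive laptop, unprotected, out-of-date OS", 0.9, 8.0, 0, 10.0),
    Finding("internal wiki reflected XSS", 0.3, 2.0, 1, 5.0),
    Finding("print server default credentials", 0.5, 1.0, 2, 2.0),
]

if __name__ == "__main__":
    for f in sorted(FINDINGS, key=risk, reverse=True):
        print(f"{risk(f):6.3f}  {f.name}")
    print(prioritize(FINDINGS, budget=20.0))
```

Sorting by count would call the database flaw the worst finding because of its high base likelihood and consequence; scored with its four compensating controls it drops to the bottom, and the unprotected endpoint is fixed first.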
Those who do not understand this type of thinking are at a true disadvantage. Sadly, much of today's industry practice emboldens people to use a tool they do not understand and print out a report of vulnerabilities that they have not analyzed. As practitioners, we believe that informed thinking matters, if for nothing else than that it ensures operators can make increasingly optimal choices under their constraints. "This is what the tool told me" is simply not an answer anyone should be proud to give.
We are proud that the Entrepy Academy teaches this kind of technical and analytical thinking. To give a taste of the professional education we will be standing up, we will be running active defense and active offense community events starting in October. This hands-on training will be available to the public at a low cost as our way of giving first to the community. Immersive and lab-based, all of our individual modules will culminate in a massive region-wide Capture The Flag (CTF). Stay in touch with us to learn more about what we will be putting into our community and how we will be training up thousands of exceptionally well-qualified information security professionals. We are confident that our approach will separate our graduates from the chaff.