Risk Assessment for Technical Vulnerabilities

Author: 陈顺洲, CISA, CRISC, CISM, CGEIT, CCSP, CISSP, PMP
Published: 26 April 2023
Related: Mitigating Technical Vulnerabilities With Risk Assessment

With the rapid advances in technology and increased digitalization over the past decade, the volume of sophisticated technical vulnerabilities has also increased.

As an information security manager in the aviation industry, I have to keep up to date on the latest vulnerabilities and exposures, discovered either through a subscribed threat intelligence service such as VulnDB or through security advisories and alerts received from the local aviation authority (i.e., the Civil Aviation Authority of Singapore). In high-profile cases (such as the Log4j vulnerability), my customers will also check with me on whether our deployed solutions or services contain products affected by the specific vulnerability.

According to the US National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology (NIST), more than 23,000 common vulnerabilities and exposures (CVEs) had been published for 2022 at the time of writing, compared with roughly 20,000 in 2021. Given my finite resources and time, I cannot look into each one of them. Therefore, I need to focus on the vulnerabilities and assets that matter most and address my enterprise's true business risk, instead of spending valuable time on vulnerabilities that are unlikely to be exploited.

To determine which vulnerabilities to prioritize, a risk-based approach can be used. It removes guesswork from vulnerability management and provides the justification needed when a change request is presented to the Change Approval Board (CAB) as part of the change management process.

To implement a risk-based approach, the first step is to carry out a risk assessment on each individual technical vulnerability discovered during the period and to ensure that appropriate measures are taken to address the associated risk in a timely manner. The risk assessment consists of the three standard phases: risk identification, risk analysis and risk evaluation. The four common types of risk response are risk acceptance, risk mitigation, risk transfer and risk avoidance.

For example, in November 2022, Cisco released 19 security advisories covering 35 vulnerabilities across a range of Cisco products. These included eight high-impact advisories concerning eight vulnerabilities involving denial-of-service conditions, default credentials and secure boot bypass. For Cisco products that are not used by, or relevant to, my organization, I do not need to conduct a risk assessment. For Cisco products that are used or relevant, I need to conduct a risk assessment, and based on the risk rating of each technical vulnerability, the appropriate risk response is chosen in accordance with my organization's risk appetite or risk tolerance.
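The two paragraphs above describe a procedure: match the advisories against what is actually deployed (identification), rate each finding (analysis), and compare the rating with the organization's appetite to pick one of the four responses (evaluation). The following script is an added example, not the author's tooling or any Cisco material: the asset inventory, the advisory identifiers (ADV-2022-xxx), the products, the 1-5 likelihood and impact scales and the acceptance threshold are all constructed and assumed for illustration.

```python
"""Risk-based triage of vendor advisories against an asset inventory.

Added example, not the author's tooling. Advisory identifiers, products,
versions, scoring rules and the risk appetite below are constructed and
assumed for illustration; they do not describe real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    exposure: str            # "internet" or "internal"
    criticality: int         # 1 (low) .. 5 (critical): business impact if compromised
    vendor_managed: bool = False   # vendor holds patching responsibility under contract


@dataclass(frozen=True)
class Advisory:
    adv_id: str              # constructed identifier, not a real CVE/advisory ID
    product: str
    fixed_in: str            # first version that is not affected
    cvss_base: float
    exploit_known: bool
    fix_available: bool


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '9.1.0' -> (9, 1, 0)."""
    return tuple(int(p) for p in v.split("."))


# Phase 1: risk identification. Advisories for products not in the
# inventory (or already at a fixed version) produce no finding at all.
def identify(assets, advisories):
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset.product == adv.product and \
                    parse_version(asset.version) < parse_version(adv.fixed_in):
                findings.append((asset, adv))
    return findings


# Phase 2: risk analysis on an assumed 5x5 matrix (likelihood x impact).
def likelihood(asset, adv) -> int:
    score = 1 + int(adv.cvss_base >= 7.0) + int(adv.cvss_base >= 9.0)
    score += int(asset.exposure == "internet")   # reachable by more attackers
    score += int(adv.exploit_known)              # exploitation already observed
    return min(score, 5)


def analyse(asset, adv) -> dict:
    lik, imp = likelihood(asset, adv), asset.criticality
    return {"asset": asset.name, "advisory": adv.adv_id,
            "likelihood": lik, "impact": imp, "score": lik * imp}


# Phase 3: risk evaluation against an assumed appetite, yielding one of the
# four responses. Anything accepted still needs documented sign-off.
ACCEPT_MAX = 6   # assumed risk tolerance: scores of 6 or below are accepted


def evaluate(analysis, asset, adv) -> str:
    if analysis["score"] <= ACCEPT_MAX:
        return "accept"
    if adv.fix_available:
        return "mitigate"        # patch/config change via the CAB process
    if asset.vendor_managed:
        return "transfer"        # push to the vendor under the support contract
    return "avoid"               # isolate or decommission until a fix exists


def assess(assets, advisories):
    results = []
    for asset, adv in identify(assets, advisories):
        analysis = analyse(asset, adv)
        analysis["response"] = evaluate(analysis, asset, adv)
        results.append(analysis)
    return sorted(results, key=lambda r: -r["score"])   # highest risk first


# Constructed sample inventory and advisory batch (not real data).
ASSETS = [
    Asset("edge-fw-01", "ExampleFirewall", "9.1.0", "internet", 5),
    Asset("lab-switch-03", "ExampleSwitch", "15.2.1", "internal", 1),
    Asset("core-switch-01", "ExampleSwitch", "15.3.0", "internal", 5),
    Asset("wan-router-02", "ExampleRouter", "7.4.2", "internet", 4, vendor_managed=True),
    Asset("legacy-vpn-01", "ExampleVPN", "3.0.1", "internet", 3),
]
ADVISORIES = [
    Advisory("ADV-2022-001", "ExampleFirewall", "9.2.0", 9.8, True, True),
    Advisory("ADV-2022-002", "ExampleSwitch", "15.3.0", 7.5, False, True),
    Advisory("ADV-2022-003", "ExampleRouter", "7.5.0", 8.1, True, False),
    Advisory("ADV-2022-004", "ExampleWLC", "8.10.0", 9.8, True, True),   # not deployed
    Advisory("ADV-2022-005", "ExampleVPN", "3.1.0", 9.1, True, False),
]

if __name__ == "__main__":
    for r in assess(ASSETS, ADVISORIES):
        print(f"{r['advisory']} on {r['asset']}: score {r['score']:>2} -> {r['response']}")
```

In this run ADV-2022-004 never reaches analysis because no deployed product matches it, and core-switch-01 is skipped because it already runs the fixed version. The remaining findings are ranked and each lands on a different response, which is the output a CAB submission can be built from. The scoring rule and threshold are deliberately simple; replace them with the organization's own matrix and appetite statement.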

Risk assessment for technical vulnerabilities is meant to complement an organization's existing comprehensive security risk assessment, not replace it. In accordance with International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard ISO/IEC 27001 on information security management, an enterprise should perform information security risk assessments at planned intervals and when significant changes are proposed or occur.

Depending on local laws and regulations, it may be mandatory to carry out comprehensive security risk assessments at certain intervals. For example, in Singapore, the owner of a critical information infrastructure must conduct a cybersecurity risk assessment at least once a year, in the prescribed form and manner.

In any case, risk assessment should be a continual activity and part of day-to-day operations.

Editor's note: For further insights on this topic, read the author's recent Journal article, "Mitigating Technical Vulnerabilities With Risk Assessment," ISACA Journal, vol. 1, 2023.

ISACA Journal