Threat Thursday: How Do You Prioritize Risk?
Do you focus on the right risks, in the right order? When I cross the street, I look both ways. I take a quick glance at my feet when I step off the curb to the road. Then, I begin an eight-second walk to the other side with one eye on the car rolling up to the stop sign. You probably do something similar. These simple tasks, executed in any other order, could spell disaster. But we have the amazing ability to manage risk, apply judgment from previous experiences, and rearrange our priorities into the right order.
In business, deciding what risks, threats, and vulnerabilities to remediate is critical. In fact, 60 percent of breaches involve vulnerabilities where a patch was available but was not applied because it was not categorized as a priority.
Adopting a Risk-based Prioritization Program
One way to reduce potential risk is to have a vulnerability remediation plan in place. You probably have such a plan on the shelf, but the recent case of Zerologon is a good reminder to dust your plan off. In Chris Goettl’s article, What you need to know about Zerologon, he details the Zerologon threat, a critical elevation-of-privilege bug that infects Windows 2008 and newer versions. As a major potential threat, calls were issued to patch this critical bug immediately. The Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive that all Windows servers needed to resolve the vulnerability in three days.
Three days! We often cite the ideal time to strive for remediating vulnerabilities as 14 days, based on the average time most vulnerabilities are exploited. With only three days, this timeline is obviously more extreme—but when it comes to patching your systems, you're on the clock. The longer it takes to patch, the more vulnerable you are. In the future, review your own vulnerability remediation plan and adopt a more specific, risk-based prioritization process to address any future Zerologons.
Implement Three Intelligent Ideas
Another way to manage risk is to keep these three steps in mind:
- Research reliability. How do you know if your risks are reliable? An important exploit could turn out to be a critical one if you are only looking at one source of information. Where are you gathering your information? Do you have enough data on your patches to make accurate judgements? What are others saying about patches as they are implemented?
- Prioritize risk. How do you prioritize threats appropriately? What are your sources for prioritization? And how do you prioritize what comes first and second to patch based on your own unique environment and needs?
- Receive better insights. How do you continue tracking your potential threats? Are your endpoints secure and are your servers up to date? Are you in compliance? When things change over time, will you be able to monitor and manage those changes quickly enough? Will you be able to see issues clearly?
So many questions; we have some answers. At Ivanti, we are excited to discuss our recent innovations that help paint a better picture of your threat landscape in even clearer detail.
Join Us for More on Thursday, October 29, 2020
How to prioritize risk is one of the topics we’ll cover in our next Threat Thursday webinar, Thursday, October 29, along with analysis on October’s top threats. Join Ivanti’s dynamic cyber-duo and hosts Phil Richards, VP & CISO, and Chris Goettl, senior director, product management, security. We’ll also have a guest speaker this month, Ivanti’s own Adam Jones, senior director of IT. Adam will discuss Ivanti’s recent innovations that help research and prioritize risk you’ll want to know more about. Register now for the next Threat Thursday, October 29.