CIOs and CSOs could do well to consider the monetisation cost and overall profitability of security risks when considering how to safeguard their organisations, according to the findings of a new report from IBM’s Internet Security Systems X-Force research and development team.
The 2008 X-Force Threat and Risk Report finds that despite there being many headline security issues in 2008, a number if these never amounted to mass exploitation.
This is in part due to the economics of IT security wherein criminal attackers out for profit, however, have considerations that the security industry does not always take into account, such as monetisation cost and overall profitability.
According to the report, the security industry currently prioritises threats almost entirely on the basis of technical measures of the risks that they present, while largely failing to capture the economic opportunity that a vulnerability presents to an attacker.
“The result of this new reality is that there have been several vulnerabilities this year that received very high Common Vulnerability Scoring System (CVSS) scores and raised widespread alarm within the security industry,” the report says. “However, they were not widely exploited in the wild. In most cases, these vulnerabilities did not fit well into the current business models of computer criminals.”
While CIOs and CSO shouldn’t ignore less obvious money-spinning risks, more careful consideration of the way that vulnerabilities fit into the business models of criminal organisations will help better prioritise IT protection and patching efforts, the report says.
The report suggests that enterprises should assess individual risks using a quadrant with low to high opportunity on the x axis and high to low monetisation and exploit cost on the y axis. Any risk that falls into the high opportunity and low cost square, such as SQL Injection, is a prime risk.
“If the security industry can learn to recognise vulnerabilities that fit into the top right quadrant of this graph, it can do a better job of determining when emergency patching is most needed in the face of immediate threats, when widespread exploitation of a vulnerability will take a long time to emerge, and when it is unlikely to ever emerge,” the report says.
According to Craig Lawson, senior security consultant, IBM Internet Security Systems, CIOs should ensure they have a vulnerability management program in place consisting of protection, discovery, patching and reporting.
“For example, not many users think to update or patch their Web browser and that's a prime avenue for exploitation at the moment,” he says. “So if every CIO did one thing, upgrade the Web browser and its add-on components to the latest and greatest version of IE/Firefox etc, they would have a significant increase in their security posture.”