3 Tips for Identifying Your Organization’s Cyber Exposure Gaps
In part two of our six-part blog series on improving your cybersecurity strategy, we discuss the need for a holistic approach and provide three tips to help you answer the question “where are we exposed?”
Piecemeal security efforts often result in overlapping alarms and gaping security holes. Taking a holistic approach to a security strategy is a far more successful way of covering the entirety of your company’s attack surface.
In part 1 of our six-part series, we explained the four key questions that must be addressed for any security strategy to be truly holistic. The first of those questions is “where are we exposed?” It is the crucial question, and the most challenging to answer, as vulnerabilities are often hidden and hard to find.
Read the complete Cyber Exposure blog series:
4 Cybersecurity Questions Every CISO Should Be Ready to Answer
3 Tips for Identifying Your Organization’s Cyber Exposure Gap
5 Tips for Prioritizing Vulnerabilities Based on Risk
Metrics and Maturity: Benchmarking Your Cyber Exposure Over Time
How Do Your Cyber Exposure Practices Stack Up to Those of Your Peers?
Cyber Exposure: Taking a Holistic Approach to Vulnerability Management
Finding where the danger lies
Networks are continuously expanding in terms of numbers and types of internet-connected things and devices. The challenges in securing and monitoring the entire network are also growing at unprecedented speed. However, IoT devices are not the only hidden corners that provide opportunities for attackers. Cloud services and cloud environments, containers, industrial control devices, points of sale, HVAC, and anything not typically handled by the IT/SecOps teams contain significant openings for increasingly sophisticated threats to exploit.
According to our recent Vulnerability Intelligence Report, published vulnerabilities grew by 53% in 2017 over the year before, from 9,837 in 2016 to 15,038. Fortunately, only 7% of them had publicly available exploits. Less than 1% of them pose a significant threat, of course, but knowing where to focus efforts and resources generally delivers better outcomes than trying to blanket all vulnerabilities with equal vigor.
With 2018 on track to close with 18,000-19,000 new vulnerabilities, the smart action to take is to find your total attack surface, so you can identify the individual risks your organization faces. Mapping and finding your cyber exposure gaps is a much bigger challenge than many realize. It requires a deep understanding of the precise nature of the risk for each vulnerability. Having the right tools to make such detailed assessments is essential.
Conversely, simply knowing everything is vulnerable can be overwhelming when there is no clear way to stem the tide. That can lead to desperate measures and false assumptions.
However, getting and maintaining a handle on where the highest risks are is necessary to protecting your company’s brand and assets. It’s also vital to mitigating liability. Ultimately, liability rests with your company as even when a third-party cloud provider says you're not liable, the judge will invariably say that you are.
Three tips for understanding the full attack surface
We have three tips to help you answer the question “where are we exposed” in your own organization:
- Check all devices and services not typically handled by IT/SecOps teams. This includes BYOD (personal, bring your own devices) and BYOC (bring your own cloud). It also includes any device connected to the internet, such as printers, smart environmental control systems, industrial control devices, breakroom televisions and aquarium control systems.
- Trust but verify. Ask all providers, including cloud services, for the results of third-party tests and other proof of the security they offer. Then verify those findings. Also, deliberately look for the security holes you can find and layer security measures to address them.
- Map your total exposures and update regularly. Odds are that your total exposure map will be expansive, especially if your organization is large. Use visualizations to make this data more easily understandable. Only by knowing exactly where your exposures are can you begin to mitigate your total risks.
In part one of our six-part blog series on improving your cybersecurity strategy, we explored Four Cybersecurity Questions Every CISO Should Be Ready to Answer. In part three we’ll explore in more detail how to prepare your organization to answer the question “What should we prioritize?”
Learn more
Read the complete Cyber Exposure blog series:
- 4 Cybersecurity Questions Every CISO Should Be Ready to Answer
- 3 Tips for Identifying Your Organization’s Cyber Exposure Gap
- 5 Tips for Prioritizing Vulnerabilities Based on Risk
- Metrics and Maturity: Benchmarking Your Cyber Exposure Over Time
- How Do Your Cyber Exposure Practices Stack Up to Those of Your Peers?
Related Articles
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: CSRB Calls Exchange Online Hack “Preventable,” While CISA, Others Warn About XZ Utils Backdoor Vulnerability
April 5, 2024Check out why the Cyber Safety Review Board has concluded that the Microsoft Exchange Online breach “should never have occurred.” Plus, warnings about the supply chain attack against the XZ Utils open source utility are flying. In addition, a report says ransomware attacks surged in February. And the U.S. government issues a comprehensive AI usage policy for federal agencies. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Cloud
- Vulnerability Management