I just received one of my daily news reports about Cyber Security, and it said something to the effect of: such and such a research group has found that Application Security holes are at their highest numbers ever, and this number is expected to increase even further in 2016! Companies really need to focus on fixing the risk incurred by these applications. I thought, “Wow, really?” I mean, yet another highest number, highest risk, most vulnerable, more danger than ever before message. What a surprise it was to get yet another news feed about a Cyber Security vulnerability being the worst ever. (That last sentence is dripping with sarcasm – just in case you couldn’t tell.) I really just want to shout and scream out that no, it isn’t the highest total ever! None of these items being touted as worst ever are really the worst ever. The simple reality is that we are still in our relative infancy when it comes to Cyber Security as a profession and as something to write about. Being in our infancy means that we are still finding lots of these things that we couldn’t find before.
None of these vulnerabilities appeared overnight. The vulnerabilities that we are now finding, and that are generating these at times horrific reports about numbers of vulnerabilities, have always been there. Not only have these vulnerabilities been there, but here is a secret I will let you in on – there are many more that we still haven’t discovered! Companies, researchers, etc. now have the proper tools to discover concerning Cyber Security vulnerabilities in large numbers. These are items that in the past no one knew about, even though they were there. As more and better tools come out, we will find even more of the worst vulnerabilities ever.
Vulnerable operating systems, vulnerable web pages, vulnerable code, vulnerable hardware or firmware: these items have been around for decades and will remain around. So while it is great that we can now find these vulnerabilities and do something about fixing and remediating them, they aren’t new. Maybe newly discovered or newly recognized, but they have always been there.
Why am I going on about something that is basically hype, and in some ways good in that it publicizes exposure to these items so that Cyber Security professionals can use them to raise awareness, funding and support for remediation? Because of the way the reports and news articles are written. In too many cases these articles raise awareness of, and hype around, issues that are much lower risk than the ones the organization’s Information Security team is already working on. I have sat in many meetings where executive management has looked at the Chief Information Security Officer (CISO) and said, “I know your team is really busy remediating core vulnerabilities across our financial landscape, but I read something yesterday about mobile devices being very vulnerable and I think we need to re-focus our resources… the article really made this mobile risk sound like the most dangerous thing ever.”
Don’t get me wrong, I appreciate the awareness being generated, but … the WORST EVER … no, in most cases it really isn’t. There are lots of Cyber Security items just as bad or worse that most organizations need to fix, and the decision on where the highest Information Security risk sits inside the company should not be made by reporters and vendors; it should rest on the shoulders of the CISO and the experts they have hired to analyze and determine which risk items need immediate attention.