Why you need to teach your security team to think like criminals

According to Business Insider, "Chinese hackers may get all the notoriety, but their cyber-security exploits against American targets are chickenfeed compared with the damage done by organised crime." One reason for organised crime's preference for cyber attacks over physical activities is "you don't get shot and you don't get caught."

Like any business, criminals have limited resources to devote to their nefarious activities, whether physical or online, and they want to maximise their ROI. They want to achieve the greatest impact with the least effort.

To win against hackers, security teams also need to think about ROI and where to focus their scarce resources for maximum benefit. They need to be smarter about fighting attackers, and not bring a knife to a gun fight.

Even if when working for a small/medium business, the team responsible for security is going to need to establish or refine its vulnerability management programme to address these intensified threats.

However, applying every patch and security update right away to every device on the network is usually not feasible for several reasons:

  • There are just too many patches, security updates, and systems to keep up with
  • Thorough testing is required to patch business-critical systems and applications
  • Another group in the company may actually make the changes, and strict change control policies/update windows may be involved
  • Some patches have side effects, such as breaking functionality or requiring upgrades to other software

While they'll still need to do scans and pass audits, it's probably smarter to think like the attacker and use an ROI-based approach to determine where to invest time and effort. For example, a trap many IT pros fall into is to only consider the severity of the vulnerability in their prioritisation efforts. Common Vulnerability Scoring System (CVSS) is an open source standard used by many in the industry to give an idea of the severity of a vulnerability. A CVSS score of 7.0 – 10.0 is considered critical, with 4.0-6.9 being major and 0-3.9 being minor.

While these numbers may be important, there's a crucial point to make: for a vulnerability to be a threat, it's got to be exploitable in your network. For an attack to succeed, it requires an exploitable asset that an attacker can reach. And remember, attackers are opportunistic–they are looking for any system to use as a stepping off point into the network. They often target older systems with little business value in the hopes of avoiding having to work hard, but that they can still use to "sneak" into the network.

More often than not, it's these older vulnerabilities that provide the highest ROI for the attackers. They can use their existing tools and knowledge to find and compromise vulnerable systems, without having to break a sweat. So, security practitioners need to think like the attacker and prioritise patches accordingly.

Vulnerabilities don't stop being found, and the ensuing exploits against them are just a matter of course. For a successful vulnerability management program, you need to take an ROI-based view of vulnerabilities and attackers to quickly deal with incidents as you detect them on your network. Otherwise, attackers are always going to come out on top and achieve the highest return.

Patrick Bedwell is vice president of product marketing at AlienVault