In 2019, cyber incidents are expected to rank as the second most important global business risk. As incidents continue to mount on a global scale, it becomes more critical for users to understand how to classify the dangers that exist for both businesses and individuals. In this blog post, we’ll break down the basics and explore the difference between three key terms that are often used interchangeably but mean different things: vulnerabilities, threats, and exploits.
What Are the Differences Between Vulnerabilities, Threats, and Exploits?
A vulnerability is a weakness in a system that an attacker could use to perform unauthorized actions within a network: a missing patch, an insecure default setting, an input that is never validated. On its own a vulnerability does nothing. To exploit it, an attacker also needs a way to reach it and a tool or technique that triggers it. The collection of such weaknesses that an attacker can actually reach, across everything the organization exposes, is what is known as the ‘attack surface’.
Not every vulnerability carries the same risk, and some carry very little. The risk a vulnerability poses depends first on the potential impact to the business, which in turn depends on which asset it affects: the same flaw on a low-value, isolated system is far less likely to pose a significant risk than on a production system holding customer data. Risk also depends on how long the vulnerability stays exposed. One that is identified and quickly addressed poses much less risk than one that goes undetected for days, weeks, or even months, because that is the window in which an attacker can find and use it.
It is also important to remember that vulnerabilities are not just software-based. They can be found in software, hardware, and network equipment, and in how those pieces are configured and connected, so every asset across an organization is in scope. Vulnerabilities arise from many sources: complexity, misconfiguration, unnecessary connectivity, software bugs, and so on. Not surprisingly, the most common source is the human user, whether through error or through being tricked, and this poses a significant risk to an organization’s cybersecurity posture.
The sheer number of vulnerabilities is the reason it’s critical for businesses to put vulnerability scanners in place. A scanner automatically enumerates the software, services, and configurations present on each asset and compares them against a vulnerability database of known weaknesses (affected products, version ranges, severity) to identify which ones put a system at risk. The results are stored so the team can prioritize and track remediation of weak points within the network, confirm that fixes actually landed, and notice when a previously fixed weakness comes back on a later scan.
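To make the matching-and-prioritization step concrete, here is an added example of a toy vulnerability scanner (illustrative code written for this post, not BitSight’s product or any real scanner). It matches a host inventory against a small vulnerability database by version range, then ranks each finding by severity, asset criticality, and how long the weakness has been exposed, which is the risk reasoning described above. The product names, VULN-* identifiers, host names, scores, and dates are all constructed for the example.

```python
# Added example (not BitSight's or the post's own code): a toy vulnerability
# scanner. It matches a host's software inventory against a vulnerability
# database by version range, then ranks findings by severity, asset
# criticality and how long the weakness has been exposed.
# Product names, VULN-* ids, hosts, scores and dates are all constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VulnEntry:
    vuln_id: str
    product: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first fixed version (exclusive upper bound)
    severity: float      # CVSS-style base score, 0.0 to 10.0
    published: date      # when the weakness became publicly known


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int     # 1 (lab box) .. 5 (crown jewels), set by the asset owner
    product: str
    version: str
    first_seen: date     # when this software was first inventoried on the host


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    exposure_days: int
    score: float


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). A component with no digits counts as 0."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


def version_in_range(version: str, lo: str, hi: str, width: int = 4) -> bool:
    """True if lo <= version < hi. Tuples are right-padded with zeros so that
    '1.2' and '1.2.0' compare equal instead of the shorter one sorting lower."""
    def key(v):
        t = parse_version(v)
        return t + (0,) * (width - len(t))
    return key(lo) <= key(version) < key(hi)


def scan(inventory, vuln_db, as_of: date):
    """Match inventory against the database and return findings, highest
    risk first. Exposure starts only once the vulnerability was public AND
    the software was on the host; an unaddressed finding's score grows as it
    ages, so a stale finding on a critical asset floats to the top."""
    findings = []
    for asset in inventory:
        for entry in vuln_db:
            if entry.product != asset.product:
                continue
            if not version_in_range(asset.version, entry.affected_from, entry.fixed_in):
                continue
            exposed_since = max(entry.published, asset.first_seen)
            days = max((as_of - exposed_since).days, 0)
            score = entry.severity * asset.criticality * (1 + days / 365)
            findings.append(Finding(asset.host, entry.vuln_id, days, round(score, 1)))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample vulnerability database and inventory (not real advisories).
VULN_DB = [
    VulnEntry("VULN-001", "examplehttpd", "2.4.0", "2.4.50", 9.8, date(2021, 10, 5)),
    VulnEntry("VULN-002", "examplehttpd", "2.4.49", "2.4.51", 7.5, date(2021, 10, 7)),
    VulnEntry("VULN-003", "examplelib", "1.0", "1.2", 5.3, date(2022, 1, 15)),
]
INVENTORY = [
    Asset("db-prod-01", 5, "examplehttpd", "2.4.49", date(2021, 9, 1)),
    Asset("dev-box-07", 1, "examplehttpd", "2.4.49", date(2022, 2, 1)),
    Asset("web-prod-02", 4, "examplehttpd", "2.4.51", date(2021, 9, 1)),
    Asset("build-01", 2, "examplelib", "1.1.3", date(2022, 1, 20)),
]
DEMO_AS_OF = date(2022, 3, 1)  # the "today" used for the exposure calculation

if __name__ == "__main__":
    for f in scan(INVENTORY, VULN_DB, DEMO_AS_OF):
        print(f"{f.host:12} {f.vuln_id}  exposed {f.exposure_days:3d}d  score {f.score}")
```

Two things worth noticing in the output: web-prod-02 produces no findings because its version sits exactly at the exclusive fixed-in boundary, and the medium-severity VULN-003 on build-01 outranks the critical VULN-001 on the low-value dev-box-07, because the ranking weighs asset criticality and exposure time, not severity alone.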
Once bad actors identify a vulnerability, they use an exploit: code or a technique that takes advantage of that specific weakness to produce a result the system’s owner never intended, such as running the attacker’s own code on the target or reading data they are not authorized to see, like sensitive personally identifiable information (PII) or protected health information (PHI). Exploits can also be packaged into self-spreading malware. WannaCry and NotPetya shook the globe when they emerged in 2017 and brought about major business interruption around the world; both spread using an exploit for a Windows file-sharing (SMB) vulnerability for which a patch had already been released.
Lastly, a threat is a potential event in which someone or something takes advantage of a vulnerability: a specific attacker, a class of malware, or even a careless insider. A threat describes what could happen, not what has; nothing momentous might have occurred when a threat emerges, but it’s still important for security teams to have an action plan in place. Putting the three together gives an organization’s cyber risk: how likely it is that a threat will successfully exploit a vulnerability, and how severe the impact would be if it did, given the plan in place and the particulars of the network.
Vulnerability Management (commonly known as VM) has been practiced within organizations for years — IT teams know this is a best practice to defend their networks against bad actors or outside attacks. This is a robust space; there’s no shortage of solutions that users can turn to when they need help gaining visibility into their organization’s network. However, what happens when they want to gain visibility into the security posture of their key business partners and third party suppliers?
Many organizations monitor vulnerabilities on their own network but are not monitoring third-party risk; they are simply trusting that their vendors’ security practices are robust enough to pass muster. When organizations across all industries follow this methodology, it leaves unexamined weak links in the supply chain, and ultimately increases the risk of a data breach or cyber incident within their own organization that is caused by a third party. A recent Deloitte survey pinpointed this flawed assumption: “62% of CEOs fail to hold their extended enterprise to the same standards as their own organization.”
This is an ever-growing concern as the news is flooded with reports of breaches due to third parties that damage brands and expose PII. It’s also important to remember that vulnerability management is ongoing: not only the “celebrity” vulnerabilities in the headlines matter, and a vulnerability can reappear even after being fixed as you add new vendors, change your business environments, or let configurations drift. In fact, Gartner has predicted that through 2020, 99% of the vulnerabilities exploited will continue to be ones that security and IT professionals have known about for at least one year.
It’s critical to use tools like BitSight for Third-Party Risk Management to help your organization stay diligent and gain the visibility needed to monitor for vulnerabilities across your supply chain and on your own network.