Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem.

Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing more on building cybersecurity networks to be more powerful and secure.

In this article, we will be identifying a few of those vulnerabilities associated with cybersecurity in an organization and their impact on the business. Also, we will deduce a methodology for managing vulnerabilities in an organization and experiences with customers in implementing this methodology.

Common cybersecurity threats

Let’s walk through a few of the cybersecurity-related vulnerabilities that impact organizations the most.

Phishing

Phishing is the most widespread cybersecurity vulnerability that impacts more than 85% of organizations around the world. In phishing attacks, users are tricked into downloading malicious links that are sent to them through email. The email sent looks like a legitimate email with all the necessary information available in it. Thus, users are tricked into either opening an attachment or clicking a harmful link included in the email.

The most common type of phishing attack is email phishing. Over time, attackers have formulated other methods as well, including smishing, vishing and search engine phishing. In smishing, malicious links are sent through SMS over a phone, whereas in vishing phone calls are made to trick users. Search engine phishing is the most recent methodology where attackers create fake websites and ranks them on search engines, which compels the user to enter crucial information, resulting in robbing end users.

Ransomware

Ransomware is one of the most common types of threats that impacts hundreds of organizations on a daily basis. In ransomware attacks, organizations’ data is encrypted by attackers so that it cannot be accessed by anyone inside an organization. To unlock the data, attackers demand heavy ransoms thus resulting in huge loss of money, as well as disruption of their services.

Organizations usually tend to pay these ransoms to cyber attackers as they don’t have the resources to recover from a ransomware attack. In some cases, even after paying the ransom organizations are unable to retrieve their data.

Malware attacks

Malware attacks are malicious programs designed to cause harm or damage to an organization’s infrastructure, system, or network. The origin of malware is usually public Wi-Fi, spam emails, downloading malicious content, and clicking on pop-up ads. Once malware is released into the system, it can compromise all the critical and personal information available on the organization’s servers and systems.

Malware can be classified into one of the following categories: virus, trojan, worm, adware, spyware, malvertising. Malware is sometimes difficult to detect in the system and can change the system settings and permissions, spy on user activity, and block critical programs on users’ computers.

Distributed denial of service (DDoS)

In a distributed denial of service (DDoS) attack, an organization’s online services are made unavailable by flooding it with internet traffic from multiple sources. Cyber attackers target all the critical resources of bank or government websites to ensure end users are unable to access information available online on these websites.

Amazon Web Services (AWS) and GitHub were some of the latest victims of DDoS attacks. The common type of DDoS attacks includes UDP flood, ICMP (ping) flood, SYN flood, Slowloris, ping of death, HTTP flood, and NTP amplification.

Password theft

Another major threat that organizations face is employees using weak or common passwords. With most organizations using multiple application services these days, reusing easily guessed passwords can lead to compromising data.

Also, passwords can be compromised when users enter their credentials unknowingly into a fake website. Thus, it’s of utmost importance to use unique passwords that are hard to guess for each platform to ensure the security of the data.

Impact of cyberattacks on an organization

One of the worst outcomes of a cyberattack is the drop in revenue as an organization must pay a hefty price to recover data from threat actors — and restore normal business operations. In 2018, a social media giant lost more than $13 billion in value after a data breach affected 50 million of its users. The company said attackers were able to exploit a vulnerability in a feature known as “View As” to gain control of people’s accounts. Their stock fell as much as 3% on the stock exchange.

Customers who have their personal information leaked tend to feel less secure providing sensitive information to the breached organization in the future — let alone, continuing to do business with the company. Loss of trust and faith equates to reputational damage for an organization. A major American retail giant lost the credit card information of more than 40 million customers in 2013 due to a data breach, which resulted in reputational damage and a loss of $18.5 million.

Depending upon the intensity of the cyberattack and the type of information compromised, organizations may have to pay an actual settlement and face legal consequences to compensate for the loss. A multinational American tech company suffered from one of the largest cyberattacks in the history of the internet. They were hit with multiple breaches in 2014 and 2016, which impacted more than 1 billion user accounts. The breach included names, email addresses, phone numbers, birthdays, etc. The tech company currently has several lawsuits against them and an ongoing investigation in U.S. Congress.

Cyberattacks can bring business to a halt by causing outages, thus causing a risk to business continuity. Users could be locked out of a system preventing them from accessing critical information. It would also lead to trading disruptions, like the inability to perform online transactions. In 2020, the National Stock Exchange of one of the island countries in the southwestern Pacific Ocean had to shut down operations following an extended DDoS attack on its network provider.

Threat modeling methodologies and technologies

Threat modeling is a proactive strategy of identifying potential vulnerabilities and developing countermeasures to either mitigate or counter those vulnerabilities to prevent systems from cyberattacks. Threat modeling can be performed at any stage during development — though it is recommended to perform it at the beginning of the project. In this way, threats can be identified and rectified sooner.

Multiple methodologies can be utilized for performing threat modeling. Choosing the correct technology depends upon what type of threats are to be tackled in the system. We’ll walk through five of the most popular threat modeling technologies used these days.

1. STRIDE

STRIDE is one of the most mature threat modeling techniques, which was adopted by Microsoft in 2002. STRIDE is an acronym for the type of threats it covers:

• S — Spoofing occurs when attackers pretend to be another person. One example of spoofing is when an email is sent from a fake email address, pretending to be someone else.
• T — Tampering occurs when information or data is modified or altered without authorization. The data can be tampered with by modifying a log file, inserting a malicious link, etc.
• R — Repudiation refers to the ability of an intruder to deny any malicious activity due to a lack of evidence. Attackers always want to hide their identity, so they hide their wrongdoings discreetly to avoid being tracked.
• I — Information disclosure is exposing data to unauthorized users that reveals information about the data that can be used by attackers to compromise the system.
• D — Denial of Service is overloading services with traffic to exhaust resources thus resulting in the crashing of a system or shutting it down to legitimate traffic.
• E — Elevation of Privilege occurs when attackers gain unauthorized access to information by gaining additional privileges in the system.

2. Common Vulnerability Scoring System (CVSS)

CVSS is a standardized threat scoring system used for known vulnerabilities. It was developed by the National Institute of Standards and Technology (NIST) and maintained by the Forum of Incident Response and Security Teams (FIRST).

CVSS captures a vulnerability’s principal characteristics while assigning a numerical severity score (ranging from 0-10, with 10 being the worst). The score is then translated into a qualitative representation which could be Critical, High, Medium, and Low. This helps organizations assess, identify, and effectively operate the threat management process.

3. VAST

Visual, Agile and Simple Threat (VAST) is an automated threat modeling technology based on ThreatModeler. VAST offers a unique plan so that the creation of threat model plans doesn’t require any specialized security subject matter expertise.

Implementing VAST requires the creation of application and operational threat models. Application threat models use a process flow diagram to represent the architectural aspect, while operational threat models are created from an attacker’s point of view based on a data flow diagram.

4. PASTA

Process for attack simulation and threat analysis (PASTA) is a seven-step risk-centric methodology developed in 2012. It assists organizations in dynamically identifying, counting, and prioritizing threats.

Once cybersecurity experts define a detailed analysis of identified threats, developers can develop an asset-centric mitigation strategy by analyzing the application through an attacker-centric perspective.

5. Attack Trees

Attack trees are charts displaying the path that show how an asset could be attacked. These charts display attack goals as the roots with possible paths as branches.

Attack trees are one of the oldest and most widely used threat model technologies. Earlier attack trees were used as a standalone methodology, but recently they are often combined with other technologies such as STRIDE, PASTA and CVSS.

Organizations must decide which threat modeling framework best suits their needs. Different methodologies are better for different situations and teams. Understanding the available options and the benefits and limitations of each can help with making an informed decision and improve the effectiveness of threat modeling efforts.

Conclusion

Managing threats is an evolving process. The main way to ensure a threat-free environment is to regularly test security infrastructure, utilizing the right tools and methodologies for threat management and inculcating a culture of knowledge and information within all employees. If these points are taken care of then an organization is doing its best to protect data and secure its system from any harmful attacks, vulnerabilities or threats.

As per recent trends, cyberattacks have increased on a monthly basis by 37% since the COVID-19 outbreak. As more employees are working from home or hybrid, businesses will need to have robust cybersecurity and digital strategies that account for changing working practices and exposure to new threats.

Let our team of cybersecurity experts help you stay ahead of threats and attacks against your organization. Learn more about IBM Security’s Threat Monitoring, Detection and Response services.