December Risk Roundup: Holistic approaches to vulnerability

by Aaron Kraus.
The Risk Roundup is our bi-weekly collection of curated content that relates to all things digital risk management. Members of the Coalition team have pulled together their favorite posts from the week that highlight relevant trends in cybersecurity and cyber insurance. Enjoy our TL;DR and useful snippets on topics we’re keeping a close eye on.

Modern businesses require a complex set of products and services to function, ranging from cloud service providers to open source software projects to fully-outsourced business functions. Any element of this chain can (and will) introduce vulnerabilities, so vulnerability management needs to evolve and consider this broadened scope.

1. Cloud service provider security mistakes

Transparency is crucial for any shared service provider, so a list like this is incredibly useful for any organization to assess the risk of moving to a cloud environment. Cost savings and technical capabilities are positive drivers of cloud adoption, but it’s important to remember that cyber risks are present in any system. Ignoring them is not an option; making smart choices, like a multi-cloud resiliency strategy, can help address these risks while allowing organizations to capture the benefits of the cloud.

View tweet here

2. Reluctant to spend money on cybersecurity = possible hack

Under-investing in any aspect of your business is unlikely to lead to success, and security is no exception. Security budgets are particularly hard to justify because, when a security program works as intended, nothing visible happens: adequate mitigations mean the risks never materialize, so there is no incident to point to. However, waiting for an incident to justify investing in security is not a wise choice: it’s the old problem of trying to get the toothpaste back into the tube.

View tweet here

3. Log4j necessitates better vulnerability management

This flaw in a popular logging module echoes the Heartbleed vulnerability: it sits in widely deployed software that is foundational to basic web application and internet communication functions, and it sent virtually every organization in the world hurriedly evaluating its infrastructure for the vulnerable component. As we saw with the SolarWinds attack, software organizations need to do a better job of managing their software bill of materials (SBOM), their dependencies, and perhaps most importantly, vulnerability management. Ideally, this will help manage vulnerabilities introduced throughout the supply chain of the goods & services required to run a modern business.
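An SBOM is only useful for vulnerability management if something actually compares it against advisory data. The following is an added illustration of that step, not Coalition's tooling or code from any tweet in this roundup: a small Python script reads a CycloneDX-style SBOM, normalizes component versions, and reports any component whose version falls in an advisory's affected range. The SBOM document, the advisory identifiers and the version ranges are all constructed placeholders for the example, not real advisories.

```python
"""Match a CycloneDX-style SBOM against a constructed advisory list.

Added illustration for the Risk Roundup, not Coalition's tooling. The SBOM
document and the advisory entries below are constructed for this example;
the advisory identifiers and version ranges are placeholders, not real
advisories.
"""
import json
import re

# Constructed SBOM fragment in the shape of a CycloneDX JSON document.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.9.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.9.0"},
        {"type": "library", "group": "com.example",
         "name": "widget-utils", "version": "1.3.0"},
    ],
})

# Constructed advisories: placeholder IDs and hypothetical affected ranges.
# Each entry names the component coordinates, the first affected version
# (inclusive) and the first fixed version (exclusive).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001",
     "group": "org.apache.logging.log4j", "name": "log4j-core",
     "introduced": "2.0", "fixed": "2.10.0"},
    {"id": "ADV-PLACEHOLDER-002",
     "group": "com.example", "name": "widget-utils",
     "introduced": "1.0.0", "fixed": "1.2.5"},
]


def parse_version(version):
    """Turn '2.9.0' or '2.0-beta9' into a comparable tuple.

    Numeric segments compare numerically, so 2.10.0 sorts above 2.9.0.
    A pre-release suffix sorts below the bare release (2.0-beta9 < 2.0).
    """
    core, _, pre = version.partition("-")
    nums = tuple(int(part) for part in re.findall(r"\d+", core))
    # Releases carry a 0 marker, pre-releases a -1 marker, so a pre-release
    # of a version compares lower than the release of the same version.
    return (nums, 0, "") if not pre else (nums, -1, pre)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under parse_version ordering."""
    current = parse_version(version)
    return parse_version(introduced) <= current < parse_version(fixed)


def match_sbom(sbom_json, advisories):
    """Return (advisory id, 'group:name', version) for every SBOM component
    whose coordinates match an advisory and whose version is in its range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        coords = (comp.get("group"), comp.get("name"))
        for adv in advisories:
            if coords != (adv["group"], adv["name"]):
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append(
                    (adv["id"], f"{comp['group']}:{comp['name']}", comp["version"])
                )
    return findings


if __name__ == "__main__":
    for adv_id, coords, version in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {coords}@{version} is within the affected range")
```

The check is deliberately split into inventory (the SBOM), advisory data, and a version comparison, because each piece is maintained by a different party: the build produces the SBOM, an advisory feed supplies the ranges, and the matching logic is what a vulnerability management program has to own and run repeatedly as new advisories appear.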

View tweet here

4. Embrace the attacker mindset

View tweet here

This is so important; defenders need to know how attackers operate to develop a comprehensive mitigation plan. – Tommy Johnson, Cyber Security Engineer

If you enjoyed this post, be sure to check out our blog; the Risk Roundup runs Wednesdays, alongside the other content we post on the ever-evolving landscape of digital risk. Follow us on Twitter (@SolveCyberRisk), LinkedIn (Coalition Inc), and YouTube. If you have any suggestions for content that we should be adding to our reading list, let us know!