Vulnerabilities: The Weeds of Your Digital Terrain

RedSeal Blog - Vulnerabilities - The Weeds of Your Digital Terrain

In the warmer months when I’m not traveling I often get up early and wander my property pulling and spraying weeds. This is an endless and thankless task, yet a necessary evil to preserve my investment and maintain appearances. I am amazed how quickly weeds grow and by the places they find purchase. In just a few days, given the right conditions whole beds can be overtaken.

A few days ago I was meandering about my yard wondering why I don’t have a gardener when it struck me. My own personal battle for yard supremacy provides a great parallel to the efforts of cybersecurity professionals. It occurred to me that vulnerabilities are the weeds of the digital terrain. They are constantly popping up in the strangest places; you can never seem to get them all; and they can quickly get out of hand if you let your attention slip.

Just like weeds, all vulnerabilities are not created equal. Their type, and more importantly their location, are factors we need to consider. The poison ivy at the far end of the property where no one goes is a concern, but far less of one than the poison ivy on the kids’ play set. In the digital terrain, this is the equivalent of vulnerabilities on assets that don’t provide access to critical data verses those that do — whether directly or via pivot attacks. So, it’s not the type of vulnerability that’s important, it’s the exposure that vulnerability delivers to critical resources that is the true cause of risk. The common practice of focusing on CAT1 vulnerabilities is inherently flawed, since the severity of the vulnerability has little to do with the risk it causes for the organization.

People have been fighting weeds since the first crops were sown sometime around 9000 BC. We know weeds and have developed many tools to fight them, yet they persist. We pull them, spray them and set up lines of defense for them to cross. Sound familiar? This is akin to patching, firewalls, and micro segmentation.

I’m making two points here: first and most importantly I need a gardener, but also it is worth reminding ourselves that vulnerabilities aren’t going away anytime soon. Regardless of how much effort you put in, you’ll never have the necessary resources to patch them all. A better strategy is to prioritize what you patch based on the actual risk it causes for your organization. A CAT1 vulnerability isolated by firewall rules provides little risk, but that CAT3 vulnerability exposed directly to the internet may provide a beachhead that exposes your most important data and systems. To quote the old adage, we need to work smarter not harder. For cyber, that means moving from a patch-based methodology to one that focuses on risk.

How Small Businesses Should Invest in Cyber Security

The Telegraph| August 23, 2017

The deluge of cyber-attack stories in the news is becoming commonplace. Recorded cyber crime cost the UK economy £10.9bn in 2015/16; and unreported crime could cost magnitudes more. For small businesses alone, the average cost per attack is around £3,000.

Fortunately, the level of attention criminals are paying to cyber crime is more than matched by those fighting against them. But for SMEs with limited budgets, securing themselves can be a tricky job.

Cybersecurity Veteran Gord Boyce Joins RedSeal to Lead Commercial Business Unit

Former ForeScout CEO will Oversee Strategic Growth and Address Increasing Demand from Global 2000 Companies for Digital Resilience

SUNNYVALE, Calif. – August 23, 2017 – Today RedSeal, the leader in network modeling and cyber risk scoring, announced that Gord Boyce joined the company as Senior Vice President of a newly formed business unit to address demand in the commercial market. Boyce will lead a team of global sales, customer engineering and professional service resources, focused on driving adoption of RedSeal’s award-winning digital resilience platform.

“Gord rounds out our leadership bench with deep cyber industry expertise, and a tremendous track-record in sales,” said Ray Rothrock, chairman and CEO of RedSeal. “He understands the unique challenges of the high-growth security landscape, and we are thrilled to have his experience delivering enterprise-class platform value to the Global 2000.”

Boyce, a high-tech veteran, brings nearly 25 years of cyber industry experience to RedSeal. As CEO of ForeScout Technologies, he led the company to a global leadership position in the network access control (NAC) market. Prior to ForeScout, Boyce held several senior management positions within Nokia’s Internet Communications and Enterprise Solutions business groups.

“I’ve followed RedSeal’s growth for some time, and am excited to join this visionary company, and help enterprises around the world elevate their cyber security strategy”, said Gord Boyce. “Prevention and detection solutions are necessary, but clearly not sufficient. The RedSeal platform delivers what security and network teams – and their executives– needed yesterday: resilience and continuity.”

RedSeal – one of Red Herring’s Top 100 Global Companies for two consecutive years – posted more than 40 percent year-over-year growth in 2016,and CSO Online recently recognized its digital resilience platform as the top security tool in network security for 2017.

Boyce will be based in the company’s headquarters in Sunnyvale, Calif.


About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.

Advice from Hackers at Black Hat

At the recent Black Hat USA conference, CIO asked 250 self-identified hackers for their opinion on security solutions. The answers are a good indicator for what works to protect your organization. Of all the technologies out there, the responders identified multi-factor authentication and high-level encryption as the two that are hardest to get past – 38 and 32 percent, respectively – making them the two best tools an organization can use to thwart attackers. The lesson? Your organization should invest in multi-factor authentication and strong encryption for data at rest and data in motion to make the attackers’ job much more difficult.

Another surprising revelation – more than 90 percent of respondents find intrusion prevention systems, firewalls, and anti-virus easy to overcome. This is because attackers use technologies to encode their payload (i.e. disguise their software so it isn’t detected). They also realize that it is much easier to ‘hack’ the weakest link, the human element. Let’s say an attacker shows up and tells the receptionist she has an interview. Then the attacker explains, with an exasperated look on her face, that she didn’t have time to swing by a print shop to print her resume. The attacker then asks the receptionist to print it. As human beings, we feel empathy and we want to help. The receptionist sticks the USB drive into a computer, finds the resume, and prints it – firing off the payload attached to the USB document.

Does this mean that the money and man hours spent on firewalls, intrusion prevention systems, and antivirus is wasted? The answer is no. These technologies help thwart the most basic and greatest number of automated attempts at breaking into your organization. The example I used above is called a social engineering attack. Attackers will put together payloads and either email them out, attach them to resumes and apply for jobs, or physically go to your location and drop USBs on the ground. In fact, 85 percent of those surveyed prefer these types of attacks because of how successful they are. Each of these attacks makes your perimeter security useless. CIOs and ISOs need to harden the internal security of their organization as well. They need to train their employees for these types of attacks, tell them what to look out for, and breed an environment where it is okay and even expected to challenge people.

Understanding your network and the actions that attackers take to compromise your environment will help your organization develop contingency plans. These contingency plans will help your organization maintain a resilient network. You can’t just protect your network and expect that to be enough anymore. The question all leaders in security should be asking is, “what do we do when an attacker gets in and how do we lessen the damage done to our organization?”

That is the beginning of building a resilient network.

Cybersecurity’s Ceiling

Dark Reading | August 14, 2017

Security spending and staffing are rising, but restrained resources are tempering market growth.

The IT security market is often painted as a non-stop growth curve with no end in sight. But many analysts who have studied market trends say despite recent increases in spending and hiring, the market paradoxically is being slowed by a shortage of resources.

In some cases, upper management is putting a cap on spending and hiring. In the recently published 2017 Black Hat Attendee Survey, most security professionals say they are increasing hiring and spending. Yet, some 71% of security professionals do not feel they have enough people to handle the threats they will face in the coming year. Fifty-eight percent say they don’t have enough budget.

Counting the Cost of Mega Cyber Risk

Computer Business Review | August 10, 2017

It’s clear that corporations want to buy insurance to reduce their exposure to losses from cyber-attacks, and insurers have responded to the need.  However, most buyers are dissatisfied – the coverage amounts are low, and the covered events are too narrow.  From the insurer’s point of view, it had to be this way, due to historic challenges with visibility into cyber risk and liability.

When everyone wants the same kind of policy, the insurer has to think about the systemic risk, and if that systemic risk is poorly understood, each individual policy has to stay small.  Think of everyone in a Medieval town wanting to buy fire insurance at the same time – individually, they all want the same thing, but the insurer can’t take on the combined risk without understanding whether the houses are all in the same town, or made of the same flammable material.

Defense Medical Communities Face Digital Resilience Challenges

Last week in Orlando, I attended the Defense Health Information Technology Symposium (DHITS) conference. This is one of the best attended, most cohesive trade shows I have been to in years. One of the eight break-out tracks was entirely devoted the challenges of securing defense health networks and the medical devices that connect to them. It was overdue proof that the Defense Health Agency (DHA) community is recognizing the importance of cybersecurity.

The seven cyber sessions were:

  • Risk Management Framework
  • Cybersecurity- Decisions, Habits and Hygiene
  • Are You Cybersecurity Inspection Ready?
  • Incident Response: Before, During and After the Hack- How
  • MHS Medical Device Integration and Security: Details Matter
  • RMF Requirements and Workflows for Medical Devices with the DOD
  • Security for Connected Medical Devices

Clearly, the defense health community is paying a lot of attention to medical devices as a source of vulnerabilities.  According to a DHA presentation at the conference, 80% of all successful cyber incidents can be traced back to poor medical device user practices, poor network and management practices, and poor implementation of network architecture.

Medical devices are easy to access on internal networks and device owners are not sure how to secure the devices or the networks.

Everyone tries to lock down the devices. There are thousands of devices in a large hospital. They can’t be 100% secure. They need networks that are digitally resilient, that find devices and non-compliant configurations. Only then can they mitigate the risk to defense health systems. Even though the Defense Health Agency is a new organization, it’s slowly taking over the IT responsibilities of various defense health organizations. As these networks are consolidated into a new network, Med-COI, there has been a tendency to focus on “getting the job done.” To avoid future issues, DHA needs to prioritize understanding what current risks they’re bringing into this new network.

The good news is that all the attendees I spoke with and who dropped by RedSeal’s booth agreed that these were challenges that needed to be addressed.

For more information on how RedSeal can assist with building digital resilience in the Defense Health community, please contact Matt Venditto at