March Madness, the annual college basketball championship, is here! Whether that means gearing up for the basketball tournament or getting ready to face spring and summer seasons, this is the beginning of a very busy time for a lot of people and organizations. The problem is, it's a busy time for hackers as well. The CIA/Wikileaks revelations have vendors scrambling to patch products. This time of year brings a high volume of identity theft via stolen W2s and other tax records. Let's face it, there is no "off season" for bad actors. So while you’re distracted by the madness within your organization, they are ready to take advantage of your lack of focus and exploit your weaknesses.
I may be (am) a bit of a sports junkie so March Madness for me is filled with brackets, bets and basketball. However, thinking about this year's tournament, I see several similarities between the tournament and the overload of vulnerabilities hackers are using to exploit our networks. For example:
A Large Field of Players:
There are hundreds of basketball teams in the U.S. vying to get to "the big dance" and there are hundreds of thousands of vulnerabilities in existence worldwide trying to get into your network. How they get into the tournament is based on their record, conference and other determining factors. Vulnerabilities are the same. They get into your network based on your configuration of applications, devices and other network based solutions.
There is a Ranking:
Some teams are better than others – that's why they receive higher seeds in the tournament and go up against perceived weaker teams. Vulnerabilities are the same and are based on their CVSS score, which helps to prioritize which ones should be patched ahead of others.
However, sometimes the underdog gets a win. As I mentioned before, your network is made up of a collection of applications, devices and solutions that is unique and unlike any other in the world. Because of this, vulnerabilities are going to be more or less detrimental to your organization versus someone else’s. You need to understand which vulnerabilities are most important to you based on a combination of CVSS ranking and your own network weaknesses in order to prioritize and patch.
The Top Seed has a Known Path to Success:
In the majority of tournaments, the brackets are set where the top seed (aka the best team) starts by playing the bottom seed. While this may seem like an unfair advantage, it's the benefit that comes with being the best. While I love a good upset and I'm usually cheering for the underdog, typically you can take a look at the bracket and see exactly how the top seeds will make their way to the championship.
Applying this same concept to your network, you can do the same thing with vulnerabilities and their attack paths. When you can see into your network and know what applications, identities and devices are connected to each other, you can also see what path a vulnerability might take if it’s able to breach your network. This can also help with prioritization because you’ll be able to tell how many steps it would take for a hacker to reach your privileged information and plan for that. For instance, if a vulnerability in Microsoft Word would take five steps to reach the information in your payroll system, but a vulnerability in Outlook would only take three, which one would you prioritize?
Only One Team can Win:
During the tournament, all eyes are on the championship trophy. During a breach, all eyes are on your privileged data. While in the tournament, only one team will go home with the championship – but in real life you can fight back to prevent data loss. Breaches are going to happen. However, we can fight back against these bad actors and minimize data loss if we know:
- Which of the vulnerabilities are the biggest threat to our network
- What path they could take once they are inside our network
- How many high risk vulnerabilities we are dealing with
As you settle in to watch this year's tournament, I hope your favorite team does well and your bracket fares better than your friends. However, when it comes to your network, I hope you’re taking the time to analyze and prioritize your vulnerabilities and properly rank and patch them. Basketball is just a game, but losing privileged data within your network has very real consequences.