Vulnerabilities {v}



What are Vulnerabilities?

Vulnerabilities are weaknesses within your control system. No control system is 100% perfect, 100% of the time: you can have all the IT Security countermeasures in the world, but if your users hand over their username and password to anyone on the other end of a telephone line claiming to be from the IT Helpdesk, you have a weakness, a vulnerability, in your system.

The Vulnerability Ratio is a measurement of how effective, or more precisely how ineffective, your control system is at eliminating the threat that your countermeasure was implemented to protect you against. For example, if your implemented countermeasures are 100% effective against your threats, with no weakness, then your Vulnerability Ratio would be zero.

The reality, however, is that there is no perfect countermeasure control system. If, for example, you were calculating the Risk to your organisation from a specific Trojan delivered via the Web, you would do the following calculation:

Valuation at Risk = $10,000,000{VaR}

Threat to the Organisation = 100%{t}

Counter Measure Score = 51 {cms}

This assumes that you have rolled out an Anti-Virus application that can detect the Trojan you are attempting to protect against, have Firewall rules in place to stop the Trojan from penetrating your network, and finally have patched your systems to close the vulnerability in the operating system that the Trojan would typically attempt to compromise in order to install itself.

If you have completed all of the above steps your countermeasure score is very high; in our case it is calculated at 51. If we had no weakness in our system, and therefore no vulnerabilities, we would calculate our risk as follows:

Vulnerabilities = 0%{Vu}

RISK = (( 0%{Vu} x 100%{t}) / 51 {cms} ) * $10,000,000{VaR}

RISK = 0 * $10,000,000{VaR}

RISK = 0

In other words, our countermeasures have effectively eliminated ALL Risk against this specific Threat, the Trojan. Given that we have rolled out an Anti-Virus program that can detect the Trojan, blocked the Trojan ports on the Firewall and patched the operating system for the vulnerability the Trojan exploits, this is not an unreasonable conclusion. However, enterprises get compromised every day across the globe, the reason being that they have weaknesses, or Vulnerabilities, in the IT Control System.

If, for example, one of your network segments had a dozen servers on it that were not included in the patch updates because they were “forgotten about” (think test servers, old development servers, migrated servers that were never switched off, etc.), and consequently also did not have the latest Anti-Virus definitions pushed to them, you have found your Vulnerability, your weakness in the IT Control System.

How do you calculate your Vulnerability Ratio?

The Vulnerability Ratio can be calculated by measuring the effectiveness of the control implementation. In our Trojan example, we rolled out three specific controls to mitigate the risk of the Trojan:

1. Anti-Virus Application

2. Firewall Rules to Block Trojan Ports

3. Operating System Patching

To measure the effectiveness of these controls we need to measure the success criteria of each control. For example, for the above three IT Controls we might have the following success criteria:

Anti Virus IT Control Success Criteria

1. Application Installed on All Servers

2. Application Running Anti-Virus Definition Database 3.x or Higher.

Firewall IT Control Success Criteria

1. Trojan Ports 4299, 4300 and 4301 are blocked on all boundary Firewalls

Operating System Patching IT Control Success Criteria

1. All O/S have Patch Number CVE-2012-xxxx Applied

Now that we know the success criteria, we can measure how effective our IT Control System is by assessing how well we have implemented those criteria, validating that the controls are actually in place within our environment. That is to say, check your servers and Firewalls and confirm they have the required controls in place.

Obviously, in large corporate environments validating every control manually would be a near-impossible task; fortunately there are a number of tools on the market that will automate this task for you. Something like Tripwire, which is specifically designed for this functionality, would be a recommendation.
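The following is an added example, not code from the original article: it walks the validation step above over a constructed server inventory, derives a Vulnerability Ratio from the share of success-criteria checks that fail, and plugs the result into the article's formula RISK = ((Vu x t) / cms) * VaR. The inventory, the per-server check logic and the definition of Vu as "failed checks over all checks" are assumptions made for illustration.

```python
# Added example (not from the original page). Validates the three controls'
# success criteria across a server inventory, derives a Vulnerability Ratio (Vu)
# and evaluates RISK = ((Vu x t) / cms) * VaR as given in the article.
# Assumption: Vu = share of all success-criteria checks that fail
# (0.0 = no weakness, 1.0 = every check fails). Inventory below is constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    av_installed: bool
    av_definitions: str   # e.g. "3.4"; criterion requires 3.x or higher
    os_patched: bool      # the article's "CVE-2012-xxxx" patch (placeholder id)


def server_checks(s: Server) -> List[bool]:
    """Pass/fail for each per-server success criterion."""
    major = int(s.av_definitions.split(".")[0]) if s.av_definitions else 0
    return [
        s.av_installed,   # Anti-Virus criterion 1: application installed
        major >= 3,       # Anti-Virus criterion 2: definitions 3.x or higher
        s.os_patched,     # Patching criterion: O/S patch applied
    ]


def vulnerability_ratio(servers: List[Server], firewalls: Dict[str, bool]) -> float:
    """Share of failed checks; `firewalls` maps boundary firewall -> Trojan ports blocked."""
    checks = list(firewalls.values())   # Firewall criterion: one check per boundary firewall
    for s in servers:
        checks.extend(server_checks(s))
    return checks.count(False) / len(checks)


def risk(vu: float, t: float, cms: float, var: float) -> float:
    """The article's formula: RISK = ((Vu x t) / cms) * VaR."""
    return ((vu * t) / cms) * var


def worked_example(forgotten_servers: int = 12):
    """8 maintained servers plus `forgotten_servers` old test/dev boxes that were
    missed by patching and definition pushes, as in the article's scenario."""
    servers = [Server(f"prod-{i}", True, "3.4", True) for i in range(8)]
    servers += [Server(f"old-dev-{i}", True, "2.9", False) for i in range(forgotten_servers)]
    firewalls = {"fw-edge-1": True, "fw-edge-2": True}   # ports 4299-4301 blocked on both
    vu = vulnerability_ratio(servers, firewalls)
    return vu, risk(vu, t=1.0, cms=51, var=10_000_000)


if __name__ == "__main__":
    vu, r = worked_example()
    print(f"Vulnerability Ratio = {vu:.3f}, RISK = ${r:,.2f}")
```

With the dozen forgotten servers the ratio is no longer zero and the same $10,000,000 VaR now carries a non-zero Risk; with `worked_example(0)` every check passes and the Risk collapses to zero exactly as in the article's first calculation.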
