
Attackability as a measurement of vulnerability risk

Some research by Randori – the team examined “attackability” in the enterprise through the lens of Log4J exposure. Quoting Dark Reading: “Adversaries consider several factors when picking their targets, such as where the most initial damage would likely occur and what kind of impact the intrusion would have on the environment. Adversaries are more likely to target applications that would allow them to remain in the environment, so they would be less interested in systems that have a lot of security software that would detect the intrusion. Applications that grant access to other systems or give adversaries privileged access would be a more tempting target.

VMware Horizon is considered the most attackable because, if compromised, it gives adversaries access to the rest of the network. Mobile device management platform Jamf and single-sign-on platform PingFederate are used by 1% to 2% of the enterprise market but are ranked second and third on the attackable list because of what adversaries would be able to do next, Randori noted.”

Two familiar attackers are back – Emotet’s botnet has re-emerged, focused on phishing emails in mass spam campaigns, and REvil’s TOR servers are back up, recruiting new affiliates.

The continuing trend of government investment in mitigation – the US Department of Energy is providing 12 million dollars in funding to six university teams to develop defense and mitigation tools that protect US energy systems against cyber attacks.

Finally, a fascinating NextGov profile of Bob Lord, a new senior advisor at CISA after stints at Yahoo, Twitter, and the DNC. Here’s what got my attention: he’s quoted as “something of a digital Marie Kondo— the Japanese tidying expert—decluttering the DNC’s networks, excising old software and canceling extraneous vendor contracts.”

Why do we care?

That comparison to Marie Kondo particularly struck me. Is a minimalist approach… optimal? How much so? How many services firms take this approach – that less is more?

The other highlight for me today was attackability. Consider many of the multi-tenant tools used by IT services companies now – just like Jamf and PingFederate, they are highly attackable and remain tempting targets.

Now combine the two – is less… more? Can you serve your customers better with a lot fewer tools? To really bend your mind today, consider the previous story – could you do that with more humans to ease your dependency on expensive ones?

It feels like a lot of assumptions worth questioning today.