Reconsidering how we define "vulnerability" is more than a thought exercise. It could represent a sea change in how organizations manage risk.
For most of us in cybersecurity, the definition of "vulnerability" has always been fairly straightforward: "a flaw in code or design that creates a potential point of security compromise for an endpoint or network."
Outside IT circles, though, the word has a far broader meaning. According to the Oxford English Dictionary, vulnerability is "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally."
Has the cybersecurity sector done itself a disservice by not giving more consideration to this second meaning — and how it factors into the design of enterprise security architectures?
These questions arise as we consider two significant trends: the rise of ransomware attacks around the globe, and the resurgence of interest in the principles of zero trust.
Trust is a vulnerability
For ransomware to succeed, attackers must first gain an initial foothold and then find a way to move laterally within an organization by exploiting vulnerabilities and misconfigurations in systems such as Active Directory. In a typical organization, user access and privileges are granted based in part on the notion that one user is fundamentally more trustworthy than another, based on their role or standing in the organization.
If we take the view of John Kindervag — who first coined the zero-trust concept as a Forrester analyst in 2009 and remains a leading evangelist in his current role at On2IT — then we have to consider the notion that trust itself is a vulnerability.
In a 2017 blog post, Kindervag wrote: "Trust is no different from a vulnerability in Apache Struts. It's something we must address in our organizations and digital systems as much as any software vulnerability. And if we've learned anything from recent data breaches, it's that vulnerabilities are what are exploited, and all vulnerabilities must be mitigated."
Kindervag elaborated on his point of view more recently, during a May 6 panel discussion hosted by the U.S. National Security Telecommunications Advisory Committee (NSTAC). The session — moderated by my Tenable co-founder Jack Huffard — explored the challenges of adopting zero trust in both government agencies and private enterprises. Kindervag emphasized that the concept of trust comes from our drive to anthropomorphize the network, seeing "people" where we should be seeing "packets."
According to Kindervag, the goal is to eliminate the human emotion of trust in our digital environments. "Zero trust is a strategic initiative that helps prevent successful data breaches, meaning the exfiltration of sensitive information ... by eliminating trust in your organization," Kindervag said. "It is designed to prevent lateral movement. No matter which technology or vendor you use to deploy zero trust, the strategy always remains the same ... The technology will always change but the strategic objectives will remain in place for a long time to come."
What do we mean by 'vulnerability'?
At Tenable, we believe disrupting attack paths in order to foil lateral movement represents one of the best defenses against all manner of cyberattacks, from the commonplace to the most sophisticated ransomware. While we agree in principle with Kindervag's positioning of trust as an inherent vulnerability, we believe it's only the beginning of a sea change in how the cybersecurity industry at large defines "vulnerability." In our view, the meaning of "vulnerability" also needs to include factors such as:
- misconfigurations in Active Directory and cloud services, which often provide a primary attack path for ransomware actors;
- mismanagement of identities, which are vital IT assets that can be compromised;
- security gaps in the software supply chain, which must be closed to prevent the next SolarWinds-style attack.
For cybersecurity leaders, preparing for a zero trust journey is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:
- What is your organization's core mission or value proposition?
- What are the workflows required to fulfill that mission?
- Who owns those workflows?
- How does data flow in the organization?
- Which are your high-value assets, the so-called "keys to the kingdom"?
- How does the organization determine who is granted access to these high-value assets?
- How often does the organization audit user permissions once they are set?
- How will you design a "protect surface" to secure your most critical assets?
Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things and operational technology assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of cyber hygiene.
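The post argues for disrupting attack paths to foil lateral movement and for knowing which assets are the "keys to the kingdom." The following is an added illustration, not Tenable's code or product logic: it models the trust relationships that permit lateral movement as a directed graph over a small constructed inventory (identities, groups and hosts, all made up), enumerates every path from an assumed initial foothold to a high-value asset, and ranks the trust edges that sit on the most paths so a defender can see which single relationship is worth removing first. The node names, edges and the choice of footholds are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample inventory (not real data). A directed edge A -> B means
# "control of A yields control of B": a cached credential, a group membership,
# an admin right. Each edge is a trust relationship in Kindervag's sense.
SAMPLE_EDGES = [
    ("user:alice", "host:ws01"),               # alice has a session on ws01
    ("host:ws01", "group:helpdesk"),           # helpdesk creds cached on ws01
    ("group:helpdesk", "host:srv-file"),       # helpdesk is local admin on srv-file
    ("group:helpdesk", "host:srv-app"),        # ... and on srv-app
    ("host:srv-app", "group:domain-admins"),   # a domain admin logs on to srv-app
    ("group:domain-admins", "host:dc01"),
    ("host:srv-file", "group:backup-ops"),     # backup-ops creds cached on srv-file
    ("group:backup-ops", "host:dc01"),         # backup-ops can log on to the DC
    ("user:bob", "host:ws02"),
    ("host:ws02", "host:srv-file"),            # ws02 holds a local admin reused on srv-file
]
HIGH_VALUE = {"host:dc01"}                     # assumed "keys to the kingdom"
FOOTHOLDS = {"user:alice", "user:bob"}         # assumed initial-access identities


def build_graph(edges):
    """Adjacency list from (src, dst) pairs."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def attack_paths(graph, sources, targets):
    """Enumerate every simple path from a foothold to a high-value asset."""
    paths = []

    def dfs(node, visited, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.remove(nxt)

    for src in sorted(sources):
        dfs(src, {src}, [src])
    return paths


def choke_points(paths):
    """Rank trust edges by how many attack paths they appear on."""
    counts = Counter()
    for path in paths:
        for edge in zip(path, path[1:]):
            counts[edge] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_after_cut(edges, cut, sources, targets):
    """How many attack paths survive if one trust edge is removed."""
    remaining = [e for e in edges if e != cut]
    return len(attack_paths(build_graph(remaining), sources, targets))


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    found = attack_paths(graph, FOOTHOLDS, HIGH_VALUE)
    print(f"{len(found)} attack path(s) reach a high-value asset")
    for edge, n in choke_points(found)[:4]:
        left = paths_after_cut(SAMPLE_EDGES, edge, FOOTHOLDS, HIGH_VALUE)
        print(f"  {edge[0]} -> {edge[1]}: on {n} path(s); cutting it leaves {left}")
```

In the constructed data three paths reach the domain controller, and the edges from the file server into the backup-operators group and from that group to the DC each carry two of them; cutting either one (for example by stopping privileged accounts from leaving credentials on a member server) halves the exposure, which is the kind of prioritisation the post's "disrupt attack paths" advice points at. Real inventories are orders of magnitude larger and have cycles, so the exhaustive enumeration here is for illustration; the ranking idea carries over to a production graph engine.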
Learn more
- Read the blog: Tenable and the Path to Zero Trust
- Download the report: The Tenable Research 2020 Threat Landscape Retrospective
- View the on-demand webinar: Tenable Research 2020 Recap and Defender's Guidance for 2021