Secure by design principles: foundations for building resilient digital services – step two
Secure by design is a set of principles that create a foundation for building a cyber-resilient organisation. The UK Government breaks these principles into 10 lifecycle steps, which will be analysed and discussed in a series of articles. This article will focus on step two of the lifecycle, sourcing secure technology products.
When you acquire new software, apps, or operating systems, you introduce potential vulnerabilities to your organisation. These weak points, known as attack vectors, give hackers a route to unauthorised access to your network. As your digital landscape expands, so do your risks. Software does not arrive inherently secure; security is not baked into the final product. It is your responsibility to safeguard your organisation against the threats that insecure software introduces.
There is currently no legislation enforcing responsibility onto vendors to design secure software solutions. This may be something to look forward to in the future, but right now the responsibility is with the customer.
Effective vulnerability management
Technology and software require regular updates and improvements, collectively known as patches. Patches can fix bugs, which improves operational performance. They also often address a weakness in the software’s code or make-up. These weaknesses are known as vulnerabilities.
Organisations need to regularly identify vulnerabilities and implement patches to address them. An effective vulnerability and patch management program is crucial to safeguard the software and IT network within which it exists.
So how can you find vulnerabilities across your IT estate? Fortunately, there are industry-recognised vulnerability scanning tools which do exactly this. These tools scan your entire infrastructure and applications to find weaknesses, and they produce reports detailing the criticality of each vulnerability and guidance on how to resolve it.
The importance of context and prioritisation
It is not as simple as that though. You also need to understand the importance of the asset and where it is on your network. A server connected to the internet, hosting your organisation’s end user devices (EUDs), will be more important than a server with no internet connection. Prioritisation is a key aspect of an effective vulnerability and patch management program.
In the example above, the internet-facing server is a direct entry point for a hacker. It is therefore far more critical to be patched promptly. Applying this prioritisation lens over the vulnerability reporting allows an organisation to respond to vulnerabilities in an organised manner.
For example, the internet-facing server, server one, may have a vulnerability with a Common Vulnerability Scoring System (CVSS) score of seven. Server two may have a CVSS score of 10 and is non-internet facing. Assessing the CVSS scores alone would suggest that server two should be patched first. However, applying the importance of those servers and their purpose in the IT infrastructure suggests server one should be patched first.
Adding the lens of severity to strengthen prioritisation
The next key concept is severity. This is another lens which can be applied to strengthen the prioritisation strategy of your organisation. A severity rating combines the CVSS score of a vulnerability with the likelihood of it being exploited. An example of this is the exploit prediction scoring system (EPSS) which can completely alter the way in which organisations prioritise patching vulnerabilities. A simple equation helps to show this (please note this is just for illustrative purposes):
CVSS * EPSS = severity rating
- Scenario one: 9.8 * 0.20 = 1.96
- Scenario two: 6.4 * 0.85 = 5.44
(Note: EPSS ranges from 0.00 to 1.00)
Scenario one has a higher CVSS but a lower severity rating. This suggests that although the vulnerability is classed as critical, it is less likely to be exploited than scenario two.
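The two prioritisation lenses above (asset context first, then the illustrative CVSS * EPSS severity rating) written out as a small added Python example; this is not the article's own tooling. The EPSS values for server one and server two are constructed, since the article gives only their CVSS scores, and the rule that internet-facing assets always rank ahead of internal ones is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One scanner finding, with the asset context the article says matters."""
    asset: str
    cvss: float            # 0.0 - 10.0
    epss: float            # 0.00 - 1.00, probability of exploitation
    internet_facing: bool  # direct entry point for an attacker?


def severity(cvss: float, epss: float) -> float:
    """Illustrative severity rating from the article: CVSS * EPSS."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS out of range: {epss}")
    return round(cvss * epss, 2)


def patch_order(findings: list[Finding]) -> list[str]:
    """Asset names in the order they should be patched.

    Assumed rule: internet-facing assets come first regardless of score,
    then findings are ordered by descending severity rating.
    """
    ranked = sorted(
        findings,
        key=lambda f: (f.internet_facing, severity(f.cvss, f.epss)),
        reverse=True,
    )
    return [f.asset for f in ranked]


# Constructed sample data: the article's two servers (EPSS values assumed)
# and its two severity scenarios, treated here as internal assets.
SAMPLE_FINDINGS = [
    Finding("server one", cvss=7.0, epss=0.30, internet_facing=True),
    Finding("server two", cvss=10.0, epss=0.30, internet_facing=False),
    Finding("scenario one", cvss=9.8, epss=0.20, internet_facing=False),
    Finding("scenario two", cvss=6.4, epss=0.85, internet_facing=False),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.asset:13} severity={severity(f.cvss, f.epss):5.2f}")
    print("patch order:", patch_order(SAMPLE_FINDINGS))
```

Note that server two, despite its CVSS of 10, is patched after the internet-facing server one and after the high-EPSS scenario two.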
Summary
Technology is not secure by design when purchased. It has vulnerabilities which need to be constantly identified. These then need to be prioritised and resolved on a timely basis to minimise the threats to your organisation.
So, what is the best way to start on this journey? Talking to a trusted partner that understands the complexities of this strategy and can help you take positive steps forward.
PKF Francis Clark have been delivering cyber security services to clients for many years and use a market-leading, industry recognised vulnerability scanning tool which provides severity ratings. That means it incorporates CVSS and EPSS data by default. PKF Francis Clark’s customised reporting provides absolute clarity on where to focus your time and attention.
If you’d like a conversation on our vulnerability management services, and how we can support your organisation’s cyber strategy and ambitions, please contact Phil Osgathorpe.