Thinking security: Vulnerability Doctor, Stat!
This is the 36th post in a series about security and about how security is, above all, a way of thinking.
Many thanks to my colleagues Ritva Kangasperko and Dr. Glen Newton for their contributions to this blog.
We’ve all seen this scene on TV medical drama shows – the ambulance pulls up to the emergency room door, a horde of doctors and nurses ready to jump on the urgent situation inside (with appropriate background music). The ambulance door swings open and the show cuts to a commercial.
But many people may show up at the doctor through a different scenario. You don’t feel well (something just doesn’t feel right) and you make an appointment at your general practitioner’s. When you get to his office, the nurse takes your blood pressure, pulse, “vital signs” and may run some simple tests. When you get to see the doctor, he takes the data from those tests and makes some decisions. He may ask for more tests or prescribe a treatment (a “fix”) for the issue that caused you to come in on that day.
But what happens with computers?
There is a similar process when your computer isn’t working right, or when there is a known problem in the industry (a disclosure of a bug or vulnerability). That process, which closely resembles emergency-room triage, is used across the industry (including at Unisys) to determine the severity of the problem. Just as the medical profession has a hierarchy from what is most severe (unconscious, not breathing, bleeding, etc.) to what is not (bumps and bruises), there is a hierarchy and triage process for computer issues. It’s called the Common Vulnerability Scoring System (CVSS, currently version 3), which turns a vulnerability’s characteristics into a score from 0.0 to 10.0 and a rating of None, Low, Medium, High or Critical; version 2 was previously the subject of a blog post at http://blogs.unisys.com/clearpath/word-of-the-day-cvss/.
What both fields have in common is a process for determining severity before moving to action. I’ve coined the following adage to help others understand that the process is what matters most: “Not everyone who arrives at an emergency room is severely hurt, not everyone screaming at you is mad.” What I mean is that people show up at emergency rooms for many different reasons. Some go to the emergency room because it is close, or because it is the only medical facility open in the middle of the night.
Similarly, calling a computer problem critical, or calling it a vulnerability, doesn’t mean that it is critical, or even a vulnerability, in every environment. CVSS builds this distinction in: the base score describes the vulnerability itself, and the environmental metrics adjust that score for the systems you actually run. And just because someone is screaming at you to get your attention, or hyping an attack (theoretical or real; many now arrive with a cute name and a logo, such as “ROBOT” and “Heartbleed”), the process doesn’t change. Every person and every problem goes through the same triage to determine the severity of what happened or what could happen. This process is ingrained in the people who work in the emergency room or doctor’s office, and the computer-related process is ingrained in every engineer who works with vulnerabilities.
As part of this process, we also have to consider the number of people or computers that have been affected or could experience the problem. One person having trouble breathing is one level of problem, but a cloud of gas over a community is something much more serious. With computers, an issue that affects a very particular type of system or configuration is one level of severity, while a virus or worm that could take over millions of devices is much more serious (as with the botnets that infected DVRs, home webcams and the like). Note that a CVSS score does not capture this breadth; it rates one vulnerability in one component, so how widely the affected component is deployed has to be weighed alongside the score, not read out of it.
Having a central spot to find information about these areas is crucial. Just as the CDC (Centers for Disease Control and Prevention, https://www.cdc.gov) is the central source that helps everyone learn about diseases (the vulnerabilities of people), the U.S. National Institute of Standards and Technology (NIST) National Vulnerability Database (https://nvd.nist.gov) is the central spot for information about computer vulnerabilities, including the CVSS score and the list of affected products for each one.
Now this information repository is not intended to make everyone paranoid about diseases and vulnerabilities. It’s about visibility. It’s what you do with the data to see whether it really applies to you and your environment. Living in the United States, I have a very low probability (or none) of catching a disease that exists only in Africa (since I’ve never been there). The same argument goes for computer vulnerabilities: a Microsoft vulnerability won’t apply if I’m running a distro of Linux, and checking the affected-product list in the NVD entry against what you actually run is the first step of triage. It all goes back to triage and process and how you THINK security. Those who are in this area on a daily basis (like the doctors in the emergency room) understand the process and how to apply it to cure the malady at hand.