Main Menu
Home / Uncategorized / Risk Management: Understand Vulnerabilities First

Risk Management: Understand Vulnerabilities First

It’s easy to see where an organization underspent or overspent in the evaluation and mitigation of risks ““ there’s almost always a point where, in hindsight, the right amount of control is discovered.

The solution, according to Peter Spier, is a mix between business minded and technical risk management. The balance helps create a solution that is both cost and needs effective.

By using a Common Vulnerability Scoring System (CVSS), an organization can identify “vulnerability access vectors, complexity, authentication requirements, and the potential impact to confidentiality, integrity, and availability.” However, having these security controls in place doesn’t make you invulnerable:

For example, suppose a database server is identified as being prone to one or more SQL injection vulnerabilities. It is isolated to a dedicated network segment with established access controls restricting communications to authorized internal hosts and the entirety of network assets protected by host-based and perimeter security controls including, respectively, both anti-virus protection and an intrusion prevention system. While the probability of exploit is arguably contained, the vulnerability remains.

This is one of the reasons why understanding vulnerability is essential: without understanding it is impossible to recognize what will and will not be effective in managing them, what risks will still exist, or what vulnerabilities were not addressed.

About Matthew Kabik

Matthew Kabik is the former Editor of Computer Aid's Accelerating IT Success. He worked at Computer Aid, Inc. from 2008 to 2014 in the Harrisburg offices, where he was a copywriter, swordsman, social media consultant, and trainer before moving into editorial.

Check Also

The Seven Activities of Project Closeout

People go crazy when a TV show like Firefly or Agent Carter gets canceled, because …

Leave a Reply

Your email address will not be published. Required fields are marked *