Cyber Insiders - Magazine - Page 12
Context is crucial to understanding risk
Organisations must adopt a strategy of security prioritisation if they are to be effective. To do this, they must realise that not all company assets and data are equal. Attack vectors in isolation do not provide sufficient context of business risk:
Asset A is a system that is determined to be affected by a critical vulnerability for which a public exploit is available. The vulnerability is rated 10 on the CVSS (Common Vulnerability Scoring System) scale.
Asset B is a system determined to have no vulnerabilities and is fully patched. However, it is used by a member of the Google Cloud DevOps team to manage cloud resources via the Google Cloud CLI.
While each system represents an attack vector, the lack of context prevents the security team from understanding the risk posed by each. If we add the following context, the associated risk becomes more apparent:
Asset A is located in an isolated network segment on the corporate network. It has no local administrator account and no access to email or any sensitive data. However, it does contain a legacy Microsoft Access database which stores the serial numbers associated with decommissioned printers.
Asset B is a laptop used by a remote member of the Google Cloud DevOps team. Due to the nature of their work, they have been provisioned with an Identity & Access Management (IAM) role that contains sufficient permissions to provision, modify and delete resources within the Google Cloud environment. As part of their daily activities, numerous service account keys are being stored on the laptop.
Attack path management is a process that supports identifying such obscured risk. Using the oversimplified example provided, the organisation's security team would understand that a compromise of asset B poses significantly more risk than a compromise of asset A.
In fact, asset B is part of an attack path that would permit lateral movement not only between the laptop and the Google Cloud environment, but potentially further privilege escalation and lateral movement within the cloud environment.
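The ranking described above, as an added illustration that is not part of the article: a minimal attack-path model that scores each asset by what an attacker could reach from it rather than by its CVSS score alone. Every node name, edge and weight below is constructed to mirror the Asset A / Asset B scenario (a real deployment would derive the graph from inventory, IAM and credential data).

```python
# Added illustration, not the article's own: a tiny attack-path model that ranks a
# compromise by what it can reach, not by CVSS alone. All node names, edges and
# weights are constructed to mirror the article's Asset A / Asset B scenario.
from collections import deque

# Directed edges: controlling the source yields access to the target.
EDGES = {
    "asset_a": ["access_db_printer_serials"],          # isolated host, no creds
    "asset_b": ["sa_keys", "devops_iam_role"],         # remote DevOps laptop
    "sa_keys": ["gcp_project"],                        # stored service account keys
    "devops_iam_role": ["gcp_project"],                # provision/modify/delete rights
    "gcp_project": ["other_vms", "cloud_secrets"],     # onward lateral movement
    "cloud_secrets": ["other_projects"],               # further escalation
}
# Business value of each reachable node (constructed 0-10 weights).
VALUE = {"access_db_printer_serials": 1, "gcp_project": 8,
         "other_vms": 6, "cloud_secrets": 9, "other_projects": 9}
CVSS = {"asset_a": 10.0, "asset_b": 0.0}  # the article's vulnerability scores

def reachable(start):
    """BFS: every node an attacker controlling `start` can get to."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in EDGES.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def attack_paths(start, target, path=()):
    """DFS: all simple paths from `start` to `target`, as lists of node names."""
    path += (start,)
    if start == target:
        return [list(path)]
    return [p for nxt in EDGES.get(start, []) if nxt not in path
            for p in attack_paths(nxt, target, path)]

def blast_radius(asset):
    """Contextual impact: total business value reachable from a compromised asset."""
    return sum(VALUE.get(n, 0) for n in reachable(asset))

def rank_assets(assets):
    """(asset, cvss, impact) tuples ordered by impact; CVSS is shown, not used to sort."""
    rows = [(a, CVSS.get(a, 0.0), blast_radius(a)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

for asset, cvss, impact in rank_assets(["asset_a", "asset_b"]):
    print(f"{asset}: CVSS={cvss} reachable_value={impact} "
          f"paths_to_gcp={attack_paths(asset, 'gcp_project')}")
```

With these constructed weights asset B ranks first despite a CVSS of 0, because two paths (stored keys and the IAM role) lead into the cloud project and onward, while asset A reaches only the printer database.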