Have you located your enterprise’s Tsar Bomb?
On October 31 1961, the Soviet Union tested the most powerful man-made nuclear weapon to ever be created or detonated -- the Tsar Bomba. This massively destructive weapon created a mushroom cloud that was about 67 km high, crossing the stratosphere and extending well into the mesosphere (about 50 km above our planet) at its peak - that is seven times higher than Mount Everest! The level of destruction caused by the Tsar bomb far surpassed its estimation and it was thereafter never used in the physical world.
Ever since, any object or event with such unparalleled ability to decimate everything in its path is often compared to the Tsar Bomb. When a human body sustains massive trauma, one of the first things paramedics on scene assess is the score of the patient on the Glasgow Coma Scale. It is a basic method to delineate and identify the core functionality of different parts of the brain and spinal cord, by scoring the patient’s ability to follow and respond to certain questions.
Basically, the paramedics prevent the detonation of an unidentified Tsar vulnerability in the patient.
Drawing a parallel to the digital world, destruction is unlike that in the physical world. The damage of a cyber attack is in the form of financial loss, reputational tarnish and regulatory repercussions which paralyses businesses. Also unlike the physical world, unfortunately, such Tsar ‘bombs’ are more than frequently present and used by cybercriminals looking to create panic and disrupt business continuity. They’re used to exploit weaknesses in a well-fortressed digital business, even those with a relatively good cybersecurity risk posture.
How is this possible when there are so many well-oiled cybersecurity measures in place to prevent such a catastrophe?
Have you identified the Tsar bomb in your organisation?
Did you know that out of the potential 1,50,000 currently identified vulnerabilities as per the NVD, less than 2% could be Tsar vulnerabilities, but how do we ‘score’ and rank these vulnerabilities specific to a business?
The missing link is the fact that there is no way for organisations to know which vulnerabilities could potentially become Tsar Bombs in future. This is where prioritisation of vulnerabilities becomes crucial.
Mathematically, the risk posed by a vulnerability is the product of its impact times the frequency. If you notice closely, both impact and frequency are dynamic quantities leaving the risk of each vulnerability open to interpretation. There is a need for standardisation - a common language for risk that is accepted and understood worldwide, yet attuned to the needs of your business irrespective of its industry, geography and scale.
To put it into context, RailYatri, a popular ticket reservation application, fell prey to a data breach where the cybercriminals exploited an un-encrypted server. This server was accessible to any user with the server’s IP address. Almost 7,00,000 users’ data was exposed involving approximately 43 GB of data, where sensitive information such as the customer’s name, contact details, GPS location information, UPI (Unified Payment Interface) ID and other authentication details were leaked.
In this industry, critical data is the user’s information and safeguarding personal information it is not only their first priority but their moral responsibility. Had there been a protocol to locate the server which was left un-encrypted on priority, it would have had alarm bells ringing in time to prevent the succeeding Meow Bot attack that ultimately led to this massive breach.
Every cybersecurity product or service generates a list of its own priorities, and each list has alarm bells ringing. It is human tendency to fix what’s easiest first and it often drives real (and sometimes, imagined) productivity but that may not necessarily be what’s most risky. At the same time, fixing the most critical vulnerability may not be the best idea either - because adversaries often prefer the route of least resistance. It is from here that the dilemma of prioritising stems from. What can you do?
Cybersecurity teams in enterprises should focus on patching what matters most because that is how they will be able to defend what’s most critical. These are some guidelines they can follow:
1. Focus on continuous vulnerability assessment:
The first and foremost activity is something very basic -- scan your enterprise and identify vulnerabilities across the public and internal digital ecosystem. Take a risk driven approach where you continuously quantify the risk of each vulnerability based on your industry, revenue, criticality, availability and geography and not perform point-in-time assessments only.
Remember, the risk of any vulnerability is its impact times frequency. So, higher the impact - in terms of financial loss, reputational damage or regulatory actions- higher the score and rank. Patching your organisation’s Tsar vulnerabilities have to be your first priority.
2. Generate your Tsar vulnerability with the help of automation and CVEs:
Your security team alone cannot take the onus of identifying, ranking, patching all vulnerabilities and do it in time to stop cyber-attacks. You can rely on Predictive Bayesian Network-based models to provide insight into the likelihood that a given vulnerability could be a potential Tsar threat based on parameters such as its past threat patterns, NVD data, MITRE ATT&CK rank, external threat intelligence and its business context.
3. Finally, track your progress.
Monitor the historical trend of your enterprise and your contemporaries. The advantage of a quantified risk-driven approach is that it allows you to track and assess your enterprise’s risk posture and maturity in real-time. It also identifies the cybersecurity services that are performing in accordance with their investment and those that need to be discontinued.
To summarise: just remember the 3Rs- Recognise, React and Recover. For this, take the example of Dr Reddy’s Laboratory data breach. As soon as they received an inkling of a data breach, they shut down their centres and isolated data servers to limit the damage. They followed the 3Rs, albeit after a certain delay but their automated cybersecurity protocols could handle the surge. There is definitely such a thing as being as fragile as a bomb. This is true in the physical world and more so in the world of cybercrimes, where a simple neutron in your business’ core could become the reason for your next data breach. Identify that neutron vulnerability and save yourself while you have time, translating your cybersecurity practice into meaningful risk management.
Vidit Baxi
Vidit Baxi is a co-founder of Lucideus. The views in this article are his own.