The Ultimate Unseen Vulnerability in Addressing Cybersecurity Threats: Communication

A breakdown in communication can turn a manageable vulnerability into a crisis. Without clear and effective dialogue between security teams, IT staff, management, and other departments, vulnerabilities can slip through the cracks. This breakdown often affects how organizations prioritize vulnerabilities as critical, high, medium, or low.


This content originally appeared on HackerNoon and was authored by blackheart

When discussing vulnerabilities in cybersecurity, the conversation often gravitates toward patching software, updating systems, and staying ahead of emerging threats. While these technical solutions are essential, there is an equally critical component: communication, and more specifically, the way we communicate about vulnerabilities and whether they are addressed. A breakdown in communication can turn a manageable vulnerability into a crisis. Without clear and effective dialogue between security teams, IT staff, management, and other departments, vulnerabilities can slip through the cracks, leaving organizations open to attacks. This breakdown often affects how organizations prioritize vulnerabilities as critical, high, medium, or low, creating gaps in defense.

Understanding the Role of Communication in Vulnerability Management

The lifecycle of a vulnerability involves several steps—discovery, assessment, communication, and remediation. While many organizations excel in detecting and analyzing vulnerabilities, they frequently struggle when it comes to the crucial step of communicating the risks and urgency of each threat across different teams.

One example I shall use is receiving a vulnerability scan report. You are the overworked and underpaid patron of the IT realm. Your job is to translate all this sensual and exotic language to Hank the manager. Hank only cares about one thing, and that is productivity and money. He is also in charge of the vulnerability management program and discusses remediations from the scan report with the director. These are two individuals who may or may not understand the technical details of the scan report, or the urgency of some of the items listed that need immediate attention.

To bring my point to fruition, we all remember the Equifax breach of 2017 and how horrible it was for everyone involved. What made things worse was a quote from the former CEO before the Senate Banking Committee. It outlined the reasons why the breach happened and who he felt was responsible.


:::info While Smith said he was personally "ultimately responsible for what happened" he also blamed a single unnamed person in the IT department for not updating, or "patching" one of Equifax's "portals" after the credit reporting giant was alerted to the security gap in March.

"An individual did not ensure communication got to the right person to manually patch the application," Smith testified before the Senate Banking Committee on Wednesday. He also said the company's scanning software, which looks for unpatched systems, didn't find the hole — all of this despite "investments approaching a quarter of a billion dollars in security," Smith acknowledged.

https://www.nbcnews.com/business/consumer/former-equifax-ceo-blames-one-it-guy-massive-hack-n807956

:::

There is a lot to learn from the statement above. Let us look at the key points in the CEO's statement.


  • ==He blamed a single unnamed person in the IT department for not updating, or "patching" one of Equifax's "portals" after the credit reporting giant was alerted to the security gap in March.==
  • ==An individual did not ensure communication got to the right person to manually patch the application.==
  • ==He also said the company's scanning software, which looks for unpatched systems, didn't find the hole — all of this despite "investments approaching a quarter of a billion dollars in security."==

The CEO blamed multiple parties for the failure in his statement, but the end result is that a company is responsible for its own patch management program. Success or failure will always rest on the company's shoulders, and it is up to management to make sure the program succeeds. You can't patch an asset without management's approval. So, we ask ourselves, where did the failure happen? In a lack of effective communication.

The Effective Difference Between Critical, High, Medium and Low Vulnerabilities

The security team may identify a vulnerability in the system that could be exploited by a threat actor. But if the urgency and potential impact are not effectively communicated to leadership, the issue may not receive the attention or resources it requires. If miscommunication leads the leadership team to believe it's not a pressing concern, remediation may be delayed, leaving the organization exposed. All vulnerability scan outputs look the same: they list critical, high, medium and low vulnerabilities. The security team will dive into the results and send the feedback to management for the next steps. Remember, you cannot patch any asset without management approval and a process to follow.

I feel the issue with patch management is a lack of effective communication. For example, a manager may know that a critical vulnerability is serious but not know how serious it actually is. The same goes for the highs and mediums of the report. Keep in mind that at any point, a threat actor can turn a medium vulnerability into a high or critical one depending on the situation. A significant challenge in vulnerability management is determining how to prioritize responses to various threats. Most security frameworks categorize vulnerabilities into different tiers: critical, high, medium, and low. Each tier reflects both the likelihood of exploitation and the potential damage a successful exploit could cause. However, the effectiveness of addressing these vulnerabilities hinges on how well these categories are understood and communicated within the organization. The only way to change things is to update how we communicate critical, high, medium and low vulnerabilities to management.


1. Critical Vulnerabilities - financial loss, reputational damage, or regulatory penalties

A critical vulnerability is one that can be easily exploited, often remotely, and has the potential for severe damage. This might involve full system compromise, sensitive data theft, or a ransomware attack that could cripple operations. While technical teams usually understand the importance of fixing critical vulnerabilities immediately, the message may not always resonate with non-technical teams. Communicating a critical vulnerability must go beyond technical jargon. Instead, the risks need to be framed in terms that management understands, such as financial loss, reputational damage, or regulatory penalties.

2. High Vulnerabilities

High vulnerabilities are less urgent than critical ones but can still have a significant impact if exploited. These vulnerabilities may require specific conditions to be exploited, such as internal network access or particular user permissions. The gap in communication often arises when teams incorrectly assume that because a high vulnerability isn’t as immediately dangerous as a critical one, it can be put off for longer periods. However, if left unaddressed, high vulnerabilities can still be leveraged by advanced threat actors or as part of a broader attack chain. Instead, the risks need to be framed in terms that management understands, such as


3. Low Vulnerabilities

Low vulnerabilities typically have limited impact or require highly specific conditions to exploit. They might involve minor misconfigurations or small-scale issues that, while problematic, are unlikely to lead to a major breach.

Low vulnerabilities, if not communicated properly, can either be over-prioritized—leading to wasted resources—or completely ignored. Although they don’t require immediate attention, understanding how they could evolve in combination with other vulnerabilities is crucial. A minor issue today could become a serious problem if a new exploit emerges, or if it’s used in conjunction with other vulnerabilities to create an attack vector. Communicating this potential is key to avoiding future risks.
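As an added example (not code from the original post), the Python script below does the translation this section describes: it takes constructed scan findings, re-rates each one with asset context so that a medium can become a high or critical as warned above, and phrases the result in the business terms management understands. The escalation rules, asset names and CVE placeholders are assumptions made for illustration.

```python
"""Turn raw scanner severities into a management-ready priority list.

Added example, not code from the original post. The findings, asset context
and escalation rules below are constructed for illustration only.
"""
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]

# Business framing for each tier: the part management actually acts on.
IMPACT = {
    "critical": "likely full compromise: financial loss, regulatory penalties, reputational damage",
    "high": "significant impact if exploited; usually needs internal access or specific permissions first",
    "medium": "limited on its own, but can be chained into a larger attack",
    "low": "minor misconfiguration; track it and fix in the normal cycle",
}

@dataclass
class Finding:
    asset: str
    cve: str                   # placeholder identifiers, not real CVEs
    scanner_severity: str      # tier as reported by the scanner
    internet_facing: bool
    handles_sensitive_data: bool
    exploit_public: bool

def bump(level: str, steps: int) -> str:
    """Raise a tier by `steps`, never above critical."""
    return LEVELS[min(len(LEVELS) - 1, LEVELS.index(level) + steps)]

def effective_severity(f: Finding) -> str:
    """Re-rate the scanner's tier with asset context (assumed rules)."""
    steps = 1 if f.internet_facing else 0                      # reachable by anyone
    steps += 1 if (f.handles_sensitive_data and f.exploit_public) else 0
    return bump(f.scanner_severity, steps)

def management_summary(findings):
    """One line per finding, highest effective tier first, in business terms."""
    ranked = sorted(findings, key=lambda f: -LEVELS.index(effective_severity(f)))
    lines = []
    for f in ranked:
        eff = effective_severity(f)
        note = f" (raised from {f.scanner_severity})" if eff != f.scanner_severity else ""
        lines.append(f"{eff.upper()}{note}: {f.asset} {f.cve} - {IMPACT[eff]}")
    return lines

# Constructed sample report: one finding per tier the scanner produced.
SAMPLE = [Finding("hr-db", "CVE-PLACEHOLDER-1", "high", False, True, False),
          Finding("customer-portal", "CVE-PLACEHOLDER-2", "medium", True, True, True),
          Finding("intranet-wiki", "CVE-PLACEHOLDER-3", "low", False, False, False)]

if __name__ == "__main__":
    print("\n".join(management_summary(SAMPLE)))
```

The customer portal's medium is reported to management as critical because it is internet-facing, holds sensitive data and has a public exploit, which is exactly the "medium becomes critical depending on the situation" case the scanner alone would not surface.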

blackheart | Sciencx (2024-09-17T21:23:39+00:00) The Ultimate Unseen Vulnerability in Addressing Cybersecurity Threats: Communication. Retrieved from https://www.scien.cx/2024/09/17/the-ultimate-unseen-vulnerability-in-addressing-cybersecurity-threats-communication/