Cybersecurity is an emerging hot topic even among professionals who don’t work in Security or IT. This is a change. For as long as most of us can remember, cybersecurity woes were the sole concern of CISOs and their teams, plus the IT professionals tasked with patching vulnerabilities across the enterprise. The typical enterprise stakeholder didn’t have much to do beyond installing the occasional update or completing, usually begrudgingly, required security training. But with the staggering proliferation of increasingly sophisticated and aggressive threats in recent years (both at home and in the office), keeping the enterprise secure is fast becoming everyone’s job.
In the spirit of Cybersecurity Awareness Month, we want to help you Do Your Part. #BeCyberSmart by keeping abreast of the latest lingo floating around the cybersecurity space. Because the more you know (where’s a shooting star gif when you need one?), the more empowered you’ll be to anticipate and navigate the next threat.
5 cybersecurity terms defined
1. Principle of Least Privilege (POLP). As organizations move toward zero-trust architectures, access to systems and data runs on a need-to-know basis. Informing this approach to managing permissions is the principle of least privilege: grant any user, program, or process only the minimum privileges necessary to perform its task, and only for as long as the task requires them. Enforced properly, it is deny-by-default: a permission that was never explicitly granted is refused. Not only does this principle shrink the blast radius when an account or process is compromised, but it helps keep users in their swim lanes.
For example, C-level execs or board members don’t need full access to their company’s vulnerability management platform. Instead of running the risk of overwhelming or confusing them, savvy Security leaders grant access to comprehensive, intuitive dashboards that serve up just the KPIs these stakeholders care about. With a self-service environment, executives and leadership can access exactly what they came looking for, without Security and IT having to be roped in.
Bonus: If you really want to impress your cohorts, brush up on a related term—access creep: the gradual accumulation of permissions beyond what a role needs, typically because people change jobs and temporary grants are never revoked. Periodic access reviews that compare what each user holds against a role baseline are how you catch it.
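To make the two ideas concrete, here is an added illustration (not code from Kenna or Cisco) of a deny-by-default permission check plus an access-creep audit. The roles, permission names, and users are constructed for the example; in a real deployment the baselines would come from your IAM system.

```python
"""Least privilege in practice: deny-by-default permission checks and an
access-creep audit. Added illustration, not vendor code; roles, permissions
and users below are constructed sample data."""

from dataclasses import dataclass, field

# Role baselines: the minimum permission set each role needs to do its job.
# Executives get read-only access to the KPI dashboard and nothing else.
ROLE_BASELINES = {
    "executive": {"dashboard:read"},
    "vuln_analyst": {"dashboard:read", "vulns:read", "vulns:triage"},
    "vm_admin": {"dashboard:read", "vulns:read", "vulns:triage",
                 "vulns:assign", "scanners:configure", "users:manage"},
}


@dataclass
class User:
    name: str
    role: str
    # Permissions actually granted, which may drift from the role baseline.
    granted: set = field(default_factory=set)


def is_allowed(user, permission):
    """Deny by default: a request succeeds only if the permission is both
    granted to the user and inside the baseline for the user's role, so a
    stale grant that outlived a role change is not honoured."""
    baseline = ROLE_BASELINES.get(user.role, set())
    return permission in user.granted and permission in baseline


def audit_access_creep(users):
    """Report permissions each user holds beyond their role baseline.
    Returns {username: sorted list of excess permissions}, offenders only."""
    findings = {}
    for u in users:
        excess = u.granted - ROLE_BASELINES.get(u.role, set())
        if excess:
            findings[u.name] = sorted(excess)
    return findings


def right_size(user):
    """Trim a user's grants down to the role baseline and return the result."""
    user.granted &= ROLE_BASELINES.get(user.role, set())
    return user.granted


# Constructed sample users.
USERS = [
    User("cfo", "executive", {"dashboard:read"}),
    # Former analyst promoted to the executive role; old grants never revoked.
    User("ceo", "executive", {"dashboard:read", "vulns:read", "vulns:triage"}),
    User("alice", "vuln_analyst", {"dashboard:read", "vulns:read", "vulns:triage"}),
    # Temporary scanner-admin rights that were never removed.
    User("bob", "vuln_analyst", {"dashboard:read", "vulns:read", "vulns:triage",
                                 "scanners:configure"}),
]

if __name__ == "__main__":
    print(audit_access_creep(USERS))
```

The audit flags `ceo` and `bob`; note that even before their grants are trimmed, `is_allowed` already refuses the excess permissions because enforcement checks the role baseline rather than trusting the grant list alone.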
2. Democratized security. The security industry is quickly evolving to meet the heightened demands of today’s risk landscape, and making strides to simplify and automate security operations so that more people can be active participants without unnecessarily leaving the enterprise vulnerable (see No. 1).
Here, Cisco is leading the charge. The recent acquisition of Kenna Security signals a significant shift in enterprise security operations. Instead of a chosen few acting as gatekeepers of a complex and intricately layered threat and vulnerability management environment, Cisco is leveraging Kenna’s risk-based vulnerability management capabilities to create an intuitive, predictive experience so more authorized stakeholders can safely access the data they need and better collaborate to drive down risk.
3. Risk score. Basic vulnerability severity scores have long been used to give teams a rough framework for prioritizing the vulnerabilities in their environment. But because most scoring systems, especially the Common Vulnerability Scoring System (CVSS), assign a “Critical” or “High” rating to between one-third and one-half of all listed vulnerabilities, prioritization based on severity scores alone produces inflated fix lists that make it harder to actually reduce risk. This is a particularly wasteful approach given that only 2-5% of observed vulnerabilities in a given environment are likely to be exploited, and even the best-resourced organizations can only manage to patch about 10% of the vulnerabilities they observe. Talk about inefficient.
Thankfully, industry innovators zeroed in on the missing ingredient that would make vulnerability scores meaningful and actionable: context. By folding in external threat and vulnerability intelligence, exploit data, and the company’s own appetite for risk, teams can leverage smarter and more accurate vulnerability prioritization. Shifting to a risk-based vulnerability management approach empowers Security and IT teams to effectively reduce and manage cyber risk, align around data-backed marching orders, track and report progress, and save time, money, and effort.
If you’re looking for a deeper dive into risk scores, check out the recent blog Vulnerability Scores and Risk Scores: What You Need to Know.
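The following is an added illustration of the difference between ranking on CVSS alone and ranking on a context-weighted risk score. The weighting is a deliberately simple made-up model, not Kenna’s scoring algorithm, and the vulnerabilities and asset ratings are constructed sample data; the point is the shape of the result, not the particular numbers.

```python
"""CVSS-only vs. risk-based prioritization. Added illustration; the weighting
is a simple made-up model (not Kenna's algorithm) and the data is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float              # CVSS v3 base score, 0.0-10.0
    exploit_public: bool     # working exploit code is publicly available
    exploited_in_wild: bool  # observed exploitation per threat intel
    asset_criticality: int   # 1 (lab box) .. 5 (internet-facing crown jewel)


def cvss_severity(score):
    """CVSS v3.x qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def cvss_only(vulns, min_score=7.0):
    """The 'inflated fix list': everything High or Critical, highest first."""
    return sorted((v for v in vulns if v.cvss >= min_score),
                  key=lambda v: v.cvss, reverse=True)


def risk_score(v):
    """Context-weighted risk on a 0-100 scale (illustrative model).

    Start from the CVSS base, then scale by likelihood of exploitation
    (in the wild > public exploit > neither) and by what the affected asset
    is worth to the business (criticality 1..5 maps to weight 0.7..1.1)."""
    likelihood = 1.0 if v.exploited_in_wild else (0.6 if v.exploit_public else 0.2)
    asset_weight = 0.6 + 0.1 * v.asset_criticality
    return round(min(100.0, 10 * v.cvss * likelihood * asset_weight), 1)


def prioritize(vulns, risk_threshold=50.0):
    """Risk-based fix list: vulns at or above the threshold, highest risk first.
    The threshold is where the organization's risk appetite enters the model."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [v for v in ranked if risk_score(v) >= risk_threshold]


# Constructed sample data.
SAMPLE = [
    Vuln("CVE-A", 9.8, False, False, 1),  # Critical on paper, lab box, no exploit
    Vuln("CVE-B", 7.5, True, True, 5),    # High, actively exploited, crown jewel
    Vuln("CVE-C", 9.1, True, False, 4),   # Critical, public exploit, important host
    Vuln("CVE-D", 5.3, True, True, 5),    # Medium by CVSS, exploited on critical asset
    Vuln("CVE-E", 8.8, False, False, 2),  # High on paper, no exploit, minor host
]

if __name__ == "__main__":
    print("CVSS-only:", [v.cve for v in cvss_only(SAMPLE)])
    print("Risk-based:", [(v.cve, risk_score(v)) for v in prioritize(SAMPLE)])
```

On this sample, CVSS alone puts four of five vulnerabilities on the fix list; the risk-based list is three, drops two “Critical/High” findings that nobody is exploiting on low-value hosts, and pulls in a “Medium” that is being exploited on a crown-jewel asset. The exploit-likelihood inputs are what threat intelligence feeds supply; the asset weight and threshold are yours to set.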
4. Attack vector. IT environments are more complex than ever, with mobile and IoT devices, as well as a spike in remote work, causing attack surfaces to grow. And as the attack surface (everything an attacker could potentially touch) grows, so do the potential paths into it. These paths are called attack vectors: the specific method or route a threat actor uses to gain access to, or mount an attack on, a network or infrastructure, such as a phished credential, an unpatched internet-facing service, or a misconfigured storage bucket. Understanding which vectors criminals actually use will help you prioritize your defenses.
The most common attack vectors can be divided into four categories:
- Access control, passwords, and lack of two-factor authentication (2FA)
- Social engineering, phishing, and inadequate training
- Cloud and SaaS data storage, and leaky S3 buckets
- IT systems, OS vulnerabilities, servers, IoT in the workplace
For more on these attack vectors and how to secure them, check out The 4 Attack Vectors You Should Be Watching Now.
5. Supply chain security. Conversations around supply chain security are on the rise, and unfortunately for today’s enterprises, SolarWinds-style attacks, in which a trusted vendor’s software or update channel is compromised to reach its customers, are only expected to increase. Supply chains are becoming increasingly complex and digitized, making them an attractive target for bad actors. These attacks are especially sinister because organizations have limited visibility into, and limited influence over, their suppliers’ security, yet when one link in the chain is compromised the consequences can be devastating for every organization in the ecosystem.
But there is hope. Partners and suppliers are feeling the same urgency you are, priming the pump for constructive conversations and proactive action. We’ve put together a guide to help secure your supply chain now.
Cybersecurity is a journey, not a destination
The speed of change is accelerating, making effective cybersecurity a constant moving target. And current cybersecurity training efforts aren’t cutting it. In fact, over 61% of workers who reported having received required cybersecurity training recently failed a simple 7-question threat awareness quiz. There is clearly room for improvement.
Accepting the ever-evolving nature of security will help create a culture of learning and investment. Already, companies are adopting more hands-on and active cybersecurity training programs. And leveraging opportunities like Cybersecurity Awareness Month raises risk awareness and provides a chance to question the status quo and reassess your security operations. Because now, cybersecurity is everyone’s problem.
Ready to rally your company around risk? Explore Kenna Katalyst, an on-demand educational series designed to kickstart your risk-based vulnerability management program.