Say what you will about cyber attackers. They are persistent, they are clever and there are a lot of them.
Case in point. The National Vulnerability Database catalogs Common Vulnerabilities and Exposures (CVE). The CVE system “provides a reference-method for publicly known information-security vulnerabilities and exposures.” In other words, this is where the world keeps a running tab of cyber threats.
In the most recent month, September 2022, the database recorded 2229 new CVEs. That’s more than three new cyber threats every hour. And it never stops. How are you going to deal with that volume of threats reactively?
A Typical Week
Here are some headlines from the last week of September 2022.
Critical Vulnerabilities Expose Parking Management System to Hacker Attacks
Critical Packagist Vulnerability Opened Door for PHP Supply Chain Attack
Novel malware discovered targeting VMware ESXi hypervisors
MS SQL servers are getting hacked to deliver ransomware to orgs
Multi-platform Chaos malware threatens to live up to its name
You may be thinking that the answer to each of these threats is to react by deploying the appropriate mitigation. Perhaps. But what if those mitigations don’t work?
Mitigations for Your Mitigations
One of the mainstays of any cyber defense, and a very common mitigation, is the firewall. But what if your firewall is not only a mitigation, but also a threat? From an article last week on Help Net Security, “RCE in Sophos Firewall is being exploited in the wild (CVE-2022-3236).”
From the article, “CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. If successfully exploited, it allows for remote code execution (RCE) on the targeted vulnerable installation.” Looks like your mitigation needs a mitigation.
Here’s another one from last week from Security Week: “Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed.” Translation: the mitigation doesn’t work.
How do you keep up with all these mitigation vulnerabilities? For starters, stop trying to react to them. If you want to have any chance of staying on top of the threat landscape, you must do it proactively. And one of the very best ways to do that is with threat modeling.
An Essential Tool for the Proactive Toolbox
When you finally come to terms with the idea that you must be proactive about cyber threats, a great first step is to adopt threat modeling. That applies to both your applications and your organization as a whole.
Proactive cybersecurity using threat modeling aims not only to find threats before they occur but also, in the case of application development, to identify them before the design is finalized. You can’t get more proactive than that.
Threat modeling as a means to proactive cybersecurity is the complete opposite of threat identification through assessment, which is distinctly reactive. And the key differentiator is time.
When reacting to a newly discovered cyber threat (i.e., a new CVE appears), time is of the essence. The exploit is in the wild and you may be vulnerable. On the other hand, with proactive threat modeling, theoretically there is no deadline. If you follow the principles of secure by design, you launch your application only after threat modeling has ensured a secure design.
One way to ease the transition to secure-by-design threat modeling is with a modern threat modeling platform like ThreatModeler. ThreatModeler is not only easy to use but also updates its CVE threat database in near real time, which means you can mitigate your mitigations, if need be.
If you’d like to learn more about how ThreatModeler is the ultimate tool in the proactive cybersecurity toolbox, reach out to us here. We’ll answer any questions you have.