When do you accept a vulnerability as an acceptable risk and what classifies is as acceptable?

[-]

Zealousideal_Good530@reddit

Many (all?) have said it’s not your concern, it’s about the money/priorities of those who own the risk (maybe a group, maybe the one who holds the budget). That is certainly true, however… as a professional, you can also look at what might be a risk and slip in a fix. Don’t look at me like that - I’m not a cowboy! For instance, DISA publishes guidance and there are various ways to measure how your systems measure up against this guidance. Sometimes systems are just slightly misconfigured and a small change will fix most of them, but break one of them. So push ahead with the fix, letting the system owners know this might happen and work with them to resolve. I do policy for around 500 windows machine and about 175 Linux machines, and it’s surprisingly easy to make a small change to remove a vulnerability with minimal (sometimes, but not always with zero) impact. The big stuff, definitely take note and try to understand impact before making changes (TLS 1.2 for older systems), but understand sometimes things break in the interest of security. Policy is generally uninspired I’ve found, and sometimes you have to work out how to implement with smaller effect (think separation of duties when admins are used to being Domain Admins). Remember you catch more flies with honey, and do in fact sweat the small stuff.

Reply

[-]

Here_for_newsnp@reddit

That's up to the owner of the company, it's their money on the line.

Reply

[-]

stratospaly@reddit

Whatever Management signs off on. He who pinches the budget gets the blame when said pinching is the flaw used to attack the company.

Reply

[-]

Efficient_Will5192@reddit

when management decides they don't want to pay to secure it.

Reply

[-]

CountGeoffrey@reddit

risk/impact matrix

Reply

[-]

Adziboy@reddit

From a sysadmin POV this is super easy. We do not accept or reject anything with regard to risk. Anything. You clearly write up a table that says what the vulnerability is and what the various fixes are, and what the impact of that change is - the cost, the time etc. include the probability of it happening and the impact. Then, you give it to whoever makes those decisions. This is almost never you. You might in a smaller organisation make those decisions but you should clearly have your managers written approval on it so they are still the one making the decision, technically. This means your day to day job remains the same still because you’ll have a risk like ‘user doesnt have MFA setup’ its a simple fix. If your entire switch estate is going EOL and it costs £1m to replace then thats nothing to do with you. Write up the risks, the cost, and someone else signs it off.

Reply

[-]

KindlyGetMeGiftCards@reddit

Firewall the device to hell and back, air gap the device, remove default gateway, ACL and or reverse proxy. In the example of log4j in the early says of a particular system and no patch, there was a firewall rule to block internet access to the device and removal of gateway setting done by the previous admin and which I had no idea about, took me a long while to work out as this were working but not 100% right. It was acceptable as the costs of replacing the system wasn't worth it and a patch would be coming in the future, which it did.

Reply

[-]

dLoPRodz@reddit

Risk management

Reply

[-]

tcpWalker@reddit

Prioritize the highest risks. Unless there's a security team. If there's a security team, they usually have a compliance directive that creates a set of priorities you need to meet for business reasons. Try to work with them to prioritize this list in a way that is in keeping with the actual highest risks. If a risk is high enough even if not on their list you make the business case for it. If you don't have time to address high risks, which you rarely do, make the business case for more headcount etc...

Reply

[-]

bakonpie@reddit

threat model an attack using that vulnerability. what defenses do you have in place to reduce the risk? can you reduce more with some creative but partial mitigations? whatever residual risk is accepted because likely said thing is critical enough to the organization that it can't be turned off. that's what you present to leadership.

Reply

[-]

sobrique@reddit

When no one wants to pay for the cost to remediate it. That's it really. All risks have a probability of occurring, an impact when they do. They likely have a cost of mitigation/avoidance - sometimes 'just' a different sort of risk. E.g. aggressively applying patches swaps an 'unpatched software' risk for a 'bad patch' risk. Stuff like a firewall exists to lower the probability and impact, by restricting who can exploit a vulnerability. In an ideal world they'd be irrelevant because nothing is able to be abused by bad actors anyway. But we know that's not how the world is, so we use firewalls to reduce a range of risks. Which doesn't really answer your question, but the problem is 'it depends'. If I've a non-internet connected subnet my 'acceptable risk' tolerance is _higher_ but there's a bunch of things that are so trivial to e.g. patch, turn off or require authentication that you might as well anyway. It's much more about your organisation and their policies and budget than anything directly within the 'sysadmin' realm.

Reply

When do you accept a vulnerability as an acceptable risk and what classifies is as acceptable?

Reply to Post

11 Comments

Zealousideal_Good530@reddit

Here_for_newsnp@reddit

stratospaly@reddit

Efficient_Will5192@reddit

CountGeoffrey@reddit

Adziboy@reddit

KindlyGetMeGiftCards@reddit

dLoPRodz@reddit

tcpWalker@reddit

bakonpie@reddit

sobrique@reddit