2023.40 - OGR weekly newsletter

Thought of the week

Security is only as strong as its weakest link.

How well do you understand your environment (people, process and technology)? Where are the biggest gaps in your understanding?

The original article of the month

People often dread risk management. It’s dull and subjective. That may all be true, but risk management delivers tremendous value.

I see many clients prioritising the wrong problems, either because something is shiny or because it was mentioned in an article someone on the board read. If this happens to you, it is essential to regroup and work out whether this is actually a risk for you and, if it is, where it sits on the list (risk register, anyone?). You should be able to explain where it sits in the queue, why, and when it is likely to be addressed, if at all.

This month’s Threats, Risk and Co article goes through this in more detail, starting with identifying your risks.

Notable framework/regulatory change

CVSS 4.0 is just around the corner, and that is excellent news for many reasons. This scoring system, developed collaboratively under FIRST, helps us compare and prioritise vulnerabilities. The new version includes improvements that help you and your team better assess the impact on your own organisation and prioritise remediation accordingly.

My top 3 are:

  • Improved granularity of the Base Score: CVSS 4.0 introduces a new base metric, Attack Requirements (AT), and splits User Interaction (UI) into Passive (P) and Active (A). This gives finer granularity in calculating the Base Score, making it more accurate and more reflective of the intrinsic severity of a vulnerability.

  • Emphasis that CVSS is not just the Base Score: the Threat and Environmental metrics are essential to understanding the impact on your organisation. Scores are labelled CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, depending on whether they are the Base score alone or also include Threat and/or Environmental considerations.

  • New focus on OT and harm to humans: CVSS 4.0 considers more than the traditional C/I/A triad of logical impacts. It also allows capturing impacts such as safety (harm to humans), which are increasingly relevant to IoT, ICS and healthcare.
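To make the new metrics and the B/BT/BE/BTE labelling concrete, here is an added example (not code from this newsletter or from FIRST) that parses a CVSS 4.0 vector string, validates each metric name and value against the 4.0 metric groups, and reports which label the vector earns. The sample vectors are constructed for illustration and are not real CVE records; the Supplemental group is included so that real-world vectors carrying it are not rejected; and the rule that a group counts as "in use" only when one of its metrics has a value other than the X default is this example's own convention. It does not compute the numeric score.

```python
"""Parse a CVSS 4.0 vector and work out its CVSS-B/BT/BE/BTE label (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

VERSION_PREFIX = "CVSS:4.0"

# Allowed values per metric, grouped as CVSS 4.0 groups them.
# "X" (Not Defined) is the default for every optional metric.
BASE = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},  # UI gained Passive/Active in 4.0
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}
THREAT = {"E": {"X", "A", "P", "U"}}
ENVIRONMENTAL = {
    "CR": {"X", "H", "M", "L"}, "IR": {"X", "H", "M", "L"}, "AR": {"X", "H", "M", "L"},
    "MAV": {"X", "N", "A", "L", "P"}, "MAC": {"X", "L", "H"}, "MAT": {"X", "N", "P"},
    "MPR": {"X", "N", "L", "H"}, "MUI": {"X", "N", "P", "A"},
    "MVC": {"X", "H", "L", "N"}, "MVI": {"X", "H", "L", "N"}, "MVA": {"X", "H", "L", "N"},
    "MSC": {"X", "H", "L", "N"},
    # Modified Subsequent System Integrity/Availability may be "S" (Safety):
    # this is where the Environmental group expresses harm to humans.
    "MSI": {"X", "S", "H", "L", "N"}, "MSA": {"X", "S", "H", "L", "N"},
}
SUPPLEMENTAL = {
    "S": {"X", "N", "P"}, "AU": {"X", "N", "Y"}, "R": {"X", "A", "U", "I"},
    "V": {"X", "D", "C"}, "RE": {"X", "L", "M", "H"},
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}
GROUPS = {"Base": BASE, "Threat": THREAT,
          "Environmental": ENVIRONMENTAL, "Supplemental": SUPPLEMENTAL}


class CvssVectorError(ValueError):
    """Raised when a string is not a well-formed CVSS 4.0 vector."""


@dataclass
class Cvss4Vector:
    metrics: dict[str, str]
    groups_in_use: set[str] = field(default_factory=set)

    @property
    def nomenclature(self) -> str:
        """CVSS-B, CVSS-BT, CVSS-BE or CVSS-BTE, following the spec's naming."""
        suffix = "B"
        if "Threat" in self.groups_in_use:
            suffix += "T"
        if "Environmental" in self.groups_in_use:
            suffix += "E"
        return f"CVSS-{suffix}"


def parse_cvss4(vector: str) -> Cvss4Vector:
    """Validate a vector string and record which metric groups it uses."""
    parts = vector.strip().split("/")
    if parts[0] != VERSION_PREFIX:
        raise CvssVectorError(f"expected vector to start with {VERSION_PREFIX}/")

    metrics: dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise CvssVectorError(f"malformed metric {part!r}")
        if name in metrics:
            raise CvssVectorError(f"duplicate metric {name}")
        allowed = next((g[name] for g in GROUPS.values() if name in g), None)
        if allowed is None:
            raise CvssVectorError(f"unknown metric {name}")
        if value not in allowed:
            raise CvssVectorError(f"metric {name} cannot take value {value!r}")
        metrics[name] = value

    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise CvssVectorError(f"missing mandatory Base metrics: {', '.join(missing)}")

    # Example's convention: a group is "in use" when at least one of its metrics
    # is supplied with a value other than the X default.
    in_use = {"Base"}
    for group_name, group in GROUPS.items():
        if group_name != "Base" and any(metrics.get(m, "X") != "X" for m in group):
            in_use.add(group_name)
    return Cvss4Vector(metrics=metrics, groups_in_use=in_use)


def summarise(vector: str) -> str:
    """One-line report of the kind a triage note would carry."""
    v = parse_cvss4(vector)
    m = v.metrics
    return (f"{v.nomenclature}: AT={m['AT']} UI={m['UI']} E={m.get('E', 'X')} "
            f"groups={','.join(sorted(v.groups_in_use))}")


if __name__ == "__main__":
    # Constructed sample vectors, not real CVE records.
    for s in [
        "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:A",
        "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/MSI:S/CR:H",
    ]:
        print(summarise(s))
    try:  # UI:R is a CVSS 3.x value and is rejected under 4.0
        parse_cvss4("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:R/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")
    except CvssVectorError as err:
        print("rejected:", err)
```

The point to take from the output is the label: the same Base metrics yield CVSS-B on their own, CVSS-BT once an Exploit Maturity value is supplied, and CVSS-BTE once your own Environmental metrics (here CR:H and MSI:S, the safety value) are added, which is exactly the distinction the second bullet asks you to keep in mind when someone quotes "the CVSS score".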

What do you look forward to with CVSS 4.0?

Question of the week

I asked the question about the “correct” pronunciation of “CISO” on LinkedIn. What do you think? How do you pronounce it?
