# Counterintuitive strategy and vulnerability management

During World War II, the Royal Air Force lost many planes to anti-aircraft fire. The decision was made to reinforce vulnerable areas of the remaining aircraft. One answer was to look at planes that returned, count up the bullet holes, and reinforce those areas that had the most damage. That was the obvious answer, but not the strategic way to look at vulnerability management.

Hungarian mathematician Abraham Wald looked at all of the aircraft that had returned and made the suggestion that if a plane had made it back safely with bullet holes in the wings, it means those holes were not very dangerous. Counterintuitive strategy is reinforcing those areas that do not have any bullet holes. Why? The planes with bullet holes in those areas did not make it back.

## Applying counterintuitive strategy to cybersecurity

Oftentimes in cybersecurity, senior management aspires to reduce their vulnerability management score to zero for their entire enterprise. They want to patch all the things, place compensating controls in every location, and upgrade all of the software. This is not a sustainable model of protection in an environment where the only thing constant is change itself. Evolving ecosystems force cybersecurity professionals to prioritize vulnerabilities that affect mission-critical assets while balancing time and resources.

One of the best ways to accomplish this counterintuitive strategy is to administratively identify assets that are most important to the business, complete a tactical vulnerability assessment, and strategically examine the vulnerabilities on those assets. If you compare the whole number assigned to a vulnerability from a CVSS ranking, it would make sense to fix a score of 9 before you fix a 7.5. That would be the obvious solution.

To understand the rating of a 9 versus a 7.5, you have to understand the fundamentals of risk scoring. How does that specific vulnerability affect your mission critical asset? CVSSv3 is composed of 8 different metrics which is then combined in a mathematical equation that rates vulnerabilities on a scale of 0 to 10 with 10 being the most dangerous. One of the metrics feeding the CVSS score is attack vector.

For counterintuitive strategic remediation, pay close attention to the attack vector of a vulnerability. An attack vector is how an attacker gains unauthorized access to a computer or network and delivers a payload to achieve a malicious outcome. Is the attack vector a network-facing vulnerability which could be exploited by anyone on the Internet? Is physical access to a system required for exploitation? Remember the bullet holes....

Some attack vectors allow attackers to penetrate deeper into your network, install different kinds of malware, and gain access to sensitive data that results in a data breach. The result will bring your organization down. By pairing the attack vector of a vulnerability with the threat vector your organization faces, you move from an obvious solution to a strategic one, enabling you to reinforce those areas needing more protection.

The number of cyber threats is on the rise and cyber criminals are evolving to become increasingly sophisticated. To minimize cybersecurity risk, we have to evolve our vulnerability management from the obvious to the strategic.

Nadean Tanner is senior manager, technical education program at Puppet.