How much do you spend on testing vulnerabilities?

Testing vulnerabilities in your ISMS is a vital practice to ensure your system is adequate to protect your information. Every week we hear about security breaches worldwide and the increased exposure of the IT vulnerabilities we all face. We now pose the following questions.

• How much of your annual security budget is allocated for vulnerability testing?
• Do you have enough of the budget for properly testing vulnerabilities?

For Google, that amount was $1 million over just a few days in 2012 (for more details on this story click here).

There are many effective ways to test and evaluate your various systems’ vulnerabilities. Many organizations are now hiring outside assistance to do the testing. You can search ‘vulnerability testing’ and the results are thousands of individuals and businesses who do this, from freelancers on oDesk, to website penetration testing companies, to security consulting firms. Large organizations may take a different approach. Pwn2Own is an annual event at the CanSecWest security conference held each March. This year HP and co-sponsors Google are offering up over half a million dollars in rewards to challenge the public to crack their systems through unknown vulnerabilities. 

Over the past 3 years Google has paid out 501 bounties at an approximate total cost of $580,000. According to a study from computer science students at UC Berkeley, the vulnerability reward program (VRP) has patched 28% of Chrome’s vulnerabilities during that time (An Empirical Study of VRPs). 

In 2012 A French company of white hat hackers was able to gain access to a windows PC via Chrome in five minutes (albeit they worked on this for six weeks prior to the competition). As a result Google offered a separate “Pwnium” contest for specific Chrome exploits. A Russian university student was the first contestant to be able to exploit Chrome vulnerabilities and earned $60,000 bounty. The average salary for a security administrator in the US at the time was around $69,000. Not bad for a day’s work.

A vital part of information security is testing your security measures and continuously improving them. Having controls in place and complying with standards, is the first right step to having an effective ISMS and continuous testing and improvements is vital to a successful ISMS.

According to ISO/IEC 27002:2013 – Management of technical vulnerabilities (12.6.1) is an essential control. The Standards states the objectives as:

“Objective: To reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. These considerations should include operating systems, and any other applications in use.”

To do this, organizations must embed a culture of risk management into its business. This is done through effective risk assessment and treatment coupled with sound business continuity management. Both of which require constant testing and tweaking. Google is certainly saying loud and clear that it believes in this. As stated early, the Pwn2Own competition and VRP cost them a fair amount of money (not in Google terms maybe), but in the long run this method could potentially save millions.

We understand that a million dollars spent on testing vulnerabilities is a lofty amount, but for Google it is a drop in the bucket. We wrote on testing physical security, which received a lot of positive response from our LinkedIn readers. The same holds true for testing vulnerabilities in your ISMS data security. How much money spent on vulnerability testing is appropriate for your business? 

The notion of continuous improvement and the willingness to expand resources on testing the effectiveness of controls is a must. The question we pose to you dear reader, how much is information security worth to your organization?

Comments are always welcome and appreciated (www.riskmanagementstudio.com / info@riskmanagementstudio.com).

{jcomments off}