The dawn of music on television led to the rise of big bands with big personalities in the 1980s. One of the biggest acts of that era was a rock band called Van Halen. One legend about the band was that on tour they would demand promoters remove all brown M&Ms from backstage otherwise the promoters would give up all pay. Sounds just like a wild and crazy demand from a bigger than life band!
Their bombastic lead singer, David Lee Roth, explained that they required this to ensure that all the details of the contract were being followed to ensure their safety on stage.
In other words, missing the smallest thing (a brown M&M) was a signal to the band they needed to double check the diligence of the road crew.
When it comes to cyber security, often it’s the details that can lead to cyber incidents that cause financial damage to organizations.
A recent filing saw a company have its cyber insurance coverage rescinded due to a failure to implement multifactor authentication (MFA) according to its policy attestation. Not having MFA where you say you do is probably a bigger oversight than a brown M&M.
But what about the brown M&Ms? How can small oversights lead to risk?
We’ve been hearing of cyber insurance underwriters denying coverage to organizations who have devices with low-severity vulnerabilities exposed on their networks, like insecure TLS ciphers.
Cryptography 101: If you're not familiar, TLS is a protocol that encrypts traffic between computers. TLS is an upgrade from an older protocol named SSL. Ciphers are algorithms that computers use to encrypt traffic over TLS.
When it comes to patching and vulnerability management, many IT folks can’t get around to fixing all vulnerabilities. Low-severity vulnerabilities are often overlooked and not patched, especially those vulnerabilities that do not get exploited for malicious purposes. Often, IT folks cannot get the change approval to make the fixes or the fixes for the vulnerabilities go the bottom of a risk register or engineering backlog.
According to a BlackHat presentation from the Zero Day Initiative, a group that tracks risky vulnerabilities, another problem with patch management is that the vulnerability disclosure from the manufacturer is worded poorly and/or does not adequately convey risk. So if the manufacturer does not explicitly say "this vulnerability is bad, patch it now" many organizations will not patch quickly even if the bug is really severe.
In all these cases, the technical risk to the organization is seen as low, so the priority to fix is low.
For example, one low-severity vulnerability finding often seen on vulnerability scan results is an insecure TLS cipher vulnerability called SWEET32.
Most scanners will call this SWEET32 finding a low-severity vulnerability because, according to the researchers who discovered the vulnerability, someone would need to capture hundreds of gigabytes of data in order to decrypt the data. The likelihood of someone capturing that much data is low, so that means the likelihood a threat actor could exploit such a vulnerability is very low.
Meanwhile, if you look at the ciphers vulnerable to these sorts of exploits, many of them are old and have been replaced by newer and better ciphers. The impact to making a change to mitigate the vulnerability should also be low. However, going through and configuring servers to remove the vulnerability could be a time-consuming process that organizations will see as a low return on investment compared to fixing other security issues.
While it is possible that vulnerabilities can be classified as difficult to fix and possibly have little to no exploitability in your environment, an insurance underwriter may see these sorts of vulnerabilities as “brown M&Ms” and deny coverage. The idea behind that being “if we see these small vulnerabilities, then what else could be vulnerable in this network?”
And the insurance decision can then change the risk calculation for the organization's vulnerability management program.
In other words, while the technical risk to an organization from a low-severity vulnerability could be extremely low since the vulnerability will probably never get exploited, the business risk to the organization from a low-severity vulnerability can be extremely high because they may no longer be covered by cyber insurance for a major cybersecurity incident like ransomware or business email compromise.
Hopefully during your cyber insurance application and underwriting process your broker can advocate that these “brown M&Ms” are not a significant risk for your organization so you can secure coverage. However, ultimately your organization should try to remediate as many of the vulnerabilities as possible so you have fewer questions to answer.
How can organizations mitigate these “brown M&Ms” before they become an issue to cyber insurance?
Perform vulnerability scans on internal and external assets regularly and remediate issues as soon as practical. Organizations should prioritize fixing the exploitable vulnerabilities, but eventually all vulnerabilities should be addressed. The US Cybersecurity and Infrastructure Security Agency (CISA) publishes a list of known vulnerabilities that have been exploited in the past.
If patching or configuration cannot solve an issue, ensure to isolate those vulnerable systems from the rest of the network.
Organizations should ensure that their software and hardware vendors configure systems with secure settings. The vendors should ensure they are regularly updating underlying software. Organizations should not use end of life software or hardware which no longer receive updates from vendors.
Helm Information Security can help your organization find the brown M&Ms as well. Let us help you mature your organization’s cybersecurity practices so you can feel confident your risks are low. We can help with vulnerability scanning, Active Directory and AzureAD posture assessments, and other methods to help navigate cybersecurity challenges.
End note: I came up with this blog post based on a conversation I had about vulnerability management and cyber insurance, but it’s definitely not the first comparison to Van Halen’s "brown M&Ms" in cybersecurity. There are some other fantastic posts written by Shawn Tuma and Jonathan Care. Check those out as well!