Over the last few months, we at F5 have been putting out the message about the CVE-2012-1493 “SSH Key” vulnerability. Most customers have patched it, but some haven’t. If the technical argument in this previous blog post didn’t get through, maybe it will help to be reminded that there are real reasons (business reasons) to secure your management networks, where this vulnerability is exposed: Money, Assets and Risk.
Money. By this I mean revenue, and for the modern organization, revenue is tied closely to service availability (uptime). Where availability intersects with security it is usually a DoS attack, but every now and then a straightforward penetration does the job too. The Sony PlayStation Network breach and the weeks of downtime that followed (which made half the teenagers I know miserable during the summer of 2011) is an example of lost availability turning directly into lost revenue. One estimate puts the cost of that particular breach at nearly $200 million; other estimates are higher. Leaving systems unpatched after you’ve received proper warning costs money. Big money.
Assets. Assets are not just hosts, usernames and passwords. Assets are intellectual property, customer records and personally identifiable information. Whereas the revenue impact of lost availability is easy to understand and scales linearly with the outage, the financial impact of lost assets can be nebulous and also explosive. The long-term damage done to the RSA brand after last year’s theft of their two-factor authentication seeds may exceed several years’ worth of income from that business. Ultimately, security is about protecting assets, and that includes locking down systems and applying patches.
Risk. After you’ve implemented access control to ensure availability (read: revenue) and tightened authentication to protect assets, it’s time to consider whatever risk is left over. For CVE-2012-1493, some organizations may have left their systems unpatched because they assume upstream firewalls or network segmentation are protecting them. They may be correct at this moment, but networks change and holes get opened in firewalls, and a compensating control only covers the paths you anticipated: an attacker who has already gained a foothold inside the management segment faces no firewall at all. Closing the vulnerability itself is good security practice and removes the risk rather than merely hiding it.
Think about money, assets and risk instead of protocols, algorithms and key distribution, or whatever else it takes to get serious about securing your management infrastructure and making sure that CVE-2012-1493 is properly patched. When you zoom out from the technology, the real business factors (money, assets and risk) should be the motivation behind the security decisions you make today.