Year: 2017

India is hosting the 92nd Annual Conference of World Association of Detectives (WAD) and a Roundtable Dialogue on Anticorruption Partnership during 10-14 October 2017 in Shangri-La, New Delhi. It is an impressive assembly of global leaders in Cyber Security and Corporate Intelligence who will discuss and develop tools to deal with internal and external corrupt practices, and launch a well-coordinated corporate campaign against corruption to support agenda of good governance of the Prime Minister of India. World Association of Detectives (WAD) is a global alliance of investigators and security professionals from around the world. WAD aims to promote and maintain the highest ethical practices in the profession of private investigation and security service, and to establish and further a mutual feeling of trust, goodwill and friendship among agencies throughout the world. WAD has members from more than 80 countries across the world, where India has one of the largest representations of 71 members. Coincidently, Kunwar Vikram Singh who is the current Global President of WAD, is also from India. He joined WAD more than 30 years back, and was elected President at its 91st Annual Conference held at Bucharest, Romania last year. Kunwar Vikram Singh is the founding Chairman of Lancers Network Ltd. which is South Asia’s leading Risk Consulting firm, operating in the high-on-risk countries of the region and the other parts of the world including Europe and CIS countries. Equipped with a highly experienced operational team drawn from the financial sector, armed forces, police, security services and industry professionals; the company has developed a reputation for providing quality driven, customer focused and highly successful actionable intelligence solutions. He is also the founding President and Chairman of Central Association of Private Security Industry (CAPSI), a leading organization for security professionals in India which has emerged as an ‘elite association’ nationally and internationally. It is an association of renowned security professionals managing the world’s largest workforce of 7 million guardsmen and women engaged in providing private security cover to the nation. The unique bouquet of experience and entrepreneurship has taken CAPSI to new heights, especially after the enactment of the Private Security Agencies (Regulation) Act 2005. Mr. Singh is also the founding President and Chairman of the Association of Private Detectives & Investigators (APDI), a preeminent national association of professional investigators in India. In addition to free-lancers, other investigation personnel as well as students are offering their involvement with APDI to better understand the constant changes in investigation issues and solutions. The members of the APDI work in compliance with the code of ethics of the Association. A majority of members of APDI are also members of WAD and the Association is actively involved in the hosting and organization of the upcoming WAD Annual Conference in India. SecurityLink India spoke to Kunwar Vikram Singh about the World Association of Detectives and the WAD 92nd Annual conference to be held in New Delhi. Some excerpts: SecurityLink India: Kindly give a brief about the global entity WAD. Kunwar Vikram Singh: World Association of Detectives (WAD) is the foremost international association of private investigators, security professional and security service organizations which was founded in 1925. It is the world’s largest and oldest association of its kind. It was formed as a joint venture by the combined membership of the World Association of Detectives, and the International Secret Service Association which was founded date back in 1921. The purpose of the establishment of WAD were primarily to promote and maintain the highest ethical practices in the profession of private investigation and security service; to grant membership to only those individuals whose personal and professional backgrounds and business affiliations are based on the precepts of truth, accuracy and prudence; to eliminate unreliable, incompetent and irresponsible members of the profession; to foster and perpetuate a spirit of cooperation among its members and with all those engaged in law enforcement; and to further and establish a mutual feeling of trust, goodwill and friendship amongst agencies throughout the world. WAD is registered in Colorado, USA. SecurityLink India: How was WAD conceptualized? Kunwar Vikram Singh: All nations, around the globe, have their own internal intelligence organizations such as RAW, CBI, FBI, KGB, or CIA and so on. However, their investigations and related activities are focused and dedicated to the government, government organizations and the safety of the country. Especially during those days, the private corporates and economic leaders across the globe who generally generate finance and employment, and who have the major contribution in making the nation’s economy, did not avail adequate facility and infrastructure to protect them. They lacked proper assistance and support in procuring intelligence either about the rivals or about the internal and external frauds caused especially in banking and financial sectors, or about any other private crimes for that matter. That caused huge economic losses to them and consequently to the respective nations. That conspicuous vacuum germinated the seeds of organizations like WAD. Retired police officers and intelligence professionals all over the world conceptualized and set up a pan-world organization called WAD to work together and exchange relevant information to settle the issues and help establish an environment of ease of doing business. Over the period, the flavor of the crime has drastically changed. For example, corporate, cyber, IPR crimes, financial frauds etc., were not there earlier. Several banks, companies and corporations have failed owing to internal frauds. For last three conferences, I impressed upon them to start a certificate course for young people who may even not essentially be an investigator. Several other professionals such as chartered accountants, lawyers may also opt for this field and become an investigator, as they are the experts of finance and laws respectively. Today we need huge number of young investigators, but that needs training and training facilities which are available only for the government personnel. – Kunwar Vikram Singh Global President, WAD  Today the world has shrunk and become one village. People have multiple operations in various countries including import, export, banking and all kinds of…

India is well on the way to digitisation helped along by consumer adoption of mobile devices and technologies, availability of high speed internet, and a strong push from the Government. Unfortunately, this comes at the cost of cybersecurity. With the country becoming a favourite target of cyber criminals, it is imperative that Indian enterprises and institutions secure themselves against cyber attackers who are becoming smarter and bolder with days. Although most business organisations have made some provision for security, it usually exists as a complex maze of vendors and solutions that rarely integrate or even communicate with each other. Managing overall security in such an environment is challenging, expensive and not fully effective. What Indian organisations need to aim for is an integrated security solution that is open, automated and simple. Perceptions Despite escalating threats, confidence in security technology is riding high in Indian organizations. In 2016, 69 percent of CISOs and security operations professionals in India said that their security infrastructure is very up to date and is constantly upgraded with the best technologies available; in the previous year, this figure stood at 61 percent. Note that the number is also significantly higher than the 58 percent of respondents in the global Cisco 2017 Security Capabilities Benchmark Study who said the same thing. Only 26 percent of respondents from India, compared to 37 percent globally, said that they replaced or upgraded their security technologies on a regular cadence but were not equipped with the latest and greatest tools. Constraints Despite being equipped with the right solutions to detect threats and minimize their impact, security professionals in India find it a challenge to fulfil their agenda. Contrary to the global situation where budget is the primary constraint, in India, budget is no longer a key issue, having slipped to the joint 8th position in 2016, from 2nd place in the previous year. In 2016, the biggest barrier to adoption was organizational culture and attitude to security, closely followed by compatibility issues with legacy systems, and certification requirements and competing priorities in equal measure. Lack of knowledge about advanced security processes and technology was in fifth place. In 2016, 30 percent of security professionals in India said that organisational culture and attitude to security was the biggest barrier to adopting the latest security technology and processes. This is sharply up from the 2015 figure of 21 percent, when organizational culture issues ranked a low 9th among 10 obstacles. Incompatible legacy systems came 2nd, named by 28 percent of respondents. Last year, this was the top barrier, named by 36 percent of security professionals in India. Globally too, incompatible legacy systems were voted the 2nd biggest barrier in 2016 after budget constraints. Although they realize the importance of securing the business, Indian organisations seem to view security as an  impediment to business growth, which creates some amount of resistance to adoption. The presence of a large number of disconnected legacy security solutions makes it hard to implement a cohesive security policy. Having to meet the certification requirements of so many solutions is another challenge. Last but not least,organisations find it hard to stay abreast of the rapid advancement in security processes and technology. Ironically, too many point solutions can increase an organization’s vulnerability to attack if they don’t communicate and integrate with each other. Unfortunately, most security professionals in India, like their counterparts in other countries, have a tendency to juggle products from many vendors. This opens up gaps in time and space that cyber criminals can exploit, and prevents organisations from presenting a seamless defense to attack. A sizeable majority of companies – 56 percent of the total – use more than 5 vendors, and 69 percent use 6 or more products; these proportions are very similar to the global figures, which stand at 55 percent and 65 percent respectively. However, when it comes to using a very large number of vendors and products, Indian organisations are ahead of their global counterparts – about 19 percent use 21 or more vendors and almost 30 percent of companies have at least 26 security products, compared to 10 percent and 17 percent respectively, globally. A cause for concern is that the strong security infrastructure of Indian organisations is not translating into strong governance. The reasons include incompatibility of solutions, unavailability of trained staff, and a lack of knowledge about the latest advances in security processes. Only 63 percent of alerts are investigated, of which 39 percent are deemed legitimate. Finally, only 47 percent of legitimate alerts are remedied. This is only marginally better than the global performance – globally, 56 percent of security alerts are investigated, of which 28 percent are legitimate. Only 46 percent of legitimate alerts are remedied. The following hypothetical example illustrates the seriousness of the issue. If an organisation in India records 5,000 alerts every day: It investigates 3,150 alerts (63 percent) and ignores 1,850 (37 percent). Of the 3,150 alerts that are investigated, about 1,229 (39 percent) are found to be legitimate, while 1,921 (61 percent) are not. Of the 1,229 legitimate alerts, the organization remedies only 578 (47 percent) and does not remedy the remaining 651 (53 percent) alerts. It is worrying that approximately 1 in 3 security alerts go uninvestigated. Organizations must introspect to understand what types of alerts are ignored and why. Do these alerts signal relatively trivial threats that might only spread spam, for instance, or do they pertain to much more serious issues such as a possible ransomware attack or critical damage to a network? Clearly, there is a need to raise the level of investigation. However, given the large number of alerts a typical organization receives every day, it would not be possible for an already burdened security team to investigate them all manually. The solution is to use automation and properly integrated security solutions to probe and analyse a greater area of the threat landscape. The fact that Indian organisations ignore so many threats each day creates doubts about their…

The brutal murder of seven year old Pradyuman Thakur at Ryan International School, Gurgram has left the Nation shocked and horrified. While the entire country is sharing grief with Pradyuman’s family, parents are raising concerns about the security and safety of their children in schools and other academic organisations. Frequent similar cases of security and safety lapses substantiate that institutions are not able to carry out due diligence in their premises on their own, and they need the assistance of expert agencies/ individuals to guide them in this endeavour. Security Sector Skill Development Council (SSSDC) has sought to engage with the Central Board of Secondary Education (CBSE) to educate school management and administrators to provide them with the objective and expert based school safety and security principles, and help them become ‘a designate safe and sound school’ as enumerated in CBSE safety guidelines. SSSDC works under the aegis of National Skill Development Council (NSDC) and Ministry of Skill Development & Entrepreneurship (MSDE) in the security domain. Maj. Gen. K. Sakhuja (Retd.), CEO, SSSDC said, “The Council is responsible for standardization of security training across the country. It has the expertise in training ‘security risk management auditors’ for both physical and electronic security systems. The auditors so trained are professionally competent to identify the gaps in security and advise the stakeholders on optimum solutions. They are fully aware of the statutory guidelines enumerated in Government directives, thereby contributing in the national focus of crime prevention.” The Council offers to help schools in identifying security gaps, upgrading their safety and security mechanisms and systems, and creating, updating and exercising emergency preparedness and crisis management plans. This is done through security audits, deployment of security guards through PSARA licensed private security agency, training and assessment of presently employed security guards under Recognition of Prior Learning (RPL) program, and psychometric testing of the deployed workforce, if necessary. “SSSDC has devised a two day special audit module for security auditors whereby experienced security personnel will be taught about specialized ways of dealing with safety and security of school children,” said Kunwar Vikram Singh, Chairman, SSSDC. The Ministry of Human Resource Development, Govt. of India has issued a comprehensive set of guidelines vide D. O. letter No. 10-11/2014-EE.4 dated 09.10.2014 (Annexure-1) regarding preventive mechanisms and procedures for institutionalizing a system to ensure safety and security of children in schools. From time to time the CBSE Board has also issued instructions to the affiliated ones to implement and sensitize the schools towards ensuring the safety and security of students during school time and while in transit to school and back home. It is a fundamental right of a child to engage and study in an environment where he/ she feels safe, and is free from any form of physical or emotional abuse or harassment. As the children spend most of their time in school, the concern of parents about their safety in schools is obvious. Growing incidents of child abuse are increasing their anxiety day by day and they are more concerned about the physical safety, and mental & emotional health of their children. The onus for safety and security of children in school campus solely lies upon the school authorities. Schools should strive to promote a better understanding amongst their teachers and staff on the laws protecting the safety, security and interests of the students, and devise means to take immediate remedial and punitive action against such violations. The staff members should be educated to recognize their protective obligation towards students and to ensure safety and well-being of children in schools. The Board has recently reiterated to all schools affiliated with CBSE to strictly adhere to all the guidelines issued by MHRD and Board from time to time. Any violation/ lapses with regard to safety and wellbeing of children in school campus would invite appropriate action including the disaffiliation of the school as per the provisions under Affiliation Bye-Laws of the Board. Guidelines Get the security/ safety audit done of their premises and personnel from their respective local police station, and follow the security related advice for the safety of school children. This may be compiled and reported online on CBSE website www.cbse.nic.in within 2 months of receipt of the circular. Install CCTV cameras at all vulnerable areas/ points in the school premises and ensure they are functional at all times. They must get the police verification and psychometric evaluation done for all the employed staff. Ensure that supporting staff is employed only from authorized agencies, and proper records are maintained. Constitute a parent-teacher-students committee to address the safety needs of the students and to take regular feedback from parents in this regard. The access to school building by outsiders should be controlled and visitors monitored. Provide training and development for staff to address their responsibilities to protect children from any form of abuse. The school shall constitute separate committees for redressal of public/ staff/ parents/ students grievances; internal complaints committee on sexual harassment, and committees under POCSO (Protection of Children from Sexual Offence) Act, 2012; and details of the these committees along with contact details shall be displayed prominently on school notice board and conspicuously on the school website for information of all stakeholders. After the unfortunate incident of the death of Pradyuman, many schools have approached us to help them carry out security audits of their institutions. Since SSSDC supervises and guides the government approved institutes where security guards are taking trainings today, we decided to collaborate with the CBSE to help schools strengthen their safety and security apparatus Kunwar Vikram Singh Chairman, SSSDC  

Safeguarding outdoor assets in a reliable and cost-effective manner often comes down to a single requirement – accurate intruder alerts and timely information about the unfolding event. While there are many technologies available for outdoor security, smart cameras with video analytics have emerged as the solution of choice for detecting intruders in real time outdoors. Yet the best technology will be handicapped if the alerts generated cannot be trusted. Repeated false alarms can eventually condition security operators to ignore real intrusions, undermining trust in the perimeter security system. In most cases the shortsighted response is to single out the security force as scapegoats, which ignores the real problem – alert fatigue. After responding to hundreds of perimeter breach alarms that turn out to be nothing more than small animals or windblown branches, even the most conscientious security guards lose confidence in the system and start to ignore its warnings. There is no longer any reason for this situation to exist. This design guide relates how smart video security technology, when properly deployed according to best practices, can cost-effectively protect outdoor assets with high accuracy and low nuisance alerts to help security forces stop intruders before they act. Start with the best detection: Use smart thermal cameras Viable outdoor security must start with a sensing system that is accurate, 24-hours per day. For this reason, conventional wisdom asserts that smart thermal cameras are the best system for detecting intruders outdoors. This is because thermal cameras see heat rather than light, so they are a perfect ‘human detector,’ and will ignore headlights, reflections off water, and other light-based activity, expanding their usefulness from their traditional role as night vision cameras to 24-hour intrusion detection solutions. Smart thermal cameras with built-in video analytic software offers several advantages: They detect in the dark with no need for costly artificial lighting. They work 24 hours/ day. They ignore reflections, shadows, moving headlights, direct sunlight, and other light-based phenomena that can trigger alarms in a visible camera detection system. Because humans give off heat, thermal sensors are far more effective in spotting a person than visible cameras. They detect body heat as far away as 600 meters – a third of a mile. A single thermal camera can protect an area the size of a football field. Proper physical design makes them immune to the effects of weather and other environmental factors. In the past, the higher price for thermal technology limited their use in commercial applications, but as costs continue to fall, many organizations are now able to choose thermal cameras as the foundation for their outdoor detection applications. Geo-registration and detection accuracy Smart thermal cameras are designed to detect movement, but outdoors, everything moves. A smart camera must be able to tell the difference between small objects such as leaves or debris and a person entering a secured area. One of the best ways for a camera to make this determination is through ‘geo-registration’ which provides the actual location and true size of all pixels in the camera’s field of view. Consider how human vision works: Our eyes give us depth perception – we can tell which object is close and which is far. But a ‘one-eyed’ camera can’t, unless it’s geo-registered. For example, a small animal near the camera will look much larger than a man at 300 meters away. (Figure 1) A smart camera needs to ignore the animal at right while alerting on the distant person, even though the animal will cover more of the camera’s field of view. The same approach applies to blowing trash, clouds, and other moving things which are always present outdoors. With a camera that is geo-registered, such non-security related movement will be ignored and will not send alarms. Essentially, geo-registration enables a three-dimensional capability for a smart thermal camera. From this information, geospatial analytic rules can be used to eliminate movement based on size while still detecting human-sized intruders under all conditions. Geo-registered analytics in action: From-to Zones Motion zones are often used by video analytic systems to detect the movement of objects and to send an alert to notify security that an intruder has been detected. By default, any object moving within a motion zone triggers an alarm. However, when used for outdoor applications, motion zones can lead to an abundance of nuisance alerts because they lack the discriminating intelligence to recognize the difference between ‘unimportant’ movement caused by the natural environment and ‘relevant’ movement that represents a security threat. Cameras that are geo-registered can create more intelligent rules called From-To Zones, an important tool for reducing nuisance alerts while maintaining a high probability of detection. Targets detected in a From-To Zone will only trigger an alarm when a specifically sized object – such as a person – moves from one zone into another defined area of the camera’s field of view. Correspondingly, objects that are not detected coming from one zone into the other are ignored. From-To Zones are a very powerful method for reducing unwarranted alarms. Importantly, they can be configured to detect zones that are geo-registered to the ground. This means From-To Zones will only alarm when a person’s feet have been in the ‘From’ and then enter the ‘To’ area, while ignoring detections that only show a part of a person such as their head. This is particularly useful when the security area includes a fence, and you only want to detect pedestrians who have crossed over the perimeter into the security zone. To see how From-To Zones work in the real world, consider an application where you need to detect pedestrians approaching the perimeter, but are not concerned about people leaving the building. With From-To Zones, the camera will only trigger an alert when intruders move towards the facility – ignoring everyone else, and greatly reducing unnecessary alarms. For another example, consider a windy perimeter around an active construction site where trash blows around the scene. Inevitably, the trash will collect along the fence and grow in size…

The security landscape continues to evolve in new and complex ways. This evolution brings change on many levels, which offers an opportunity for improvement rather than an interruption or a distraction. This concept has never been more important as you face today’s combination of new technologies, escalating security threats and the need to derive greater value from the access control infrastructure while solving increasingly complex system integration challenges. Upgrading from older, legacy technology to a new access control standard is a significant initiative. However, recent advancements have made this transition easier. Organizations can now move from solutions to more dynamic access control technologies that provide greater value. Adopting a new technology standard allows organizations to take advantage of enhanced functionality and a higher level of security. Access control is moving to more integrated systems with multi-layered security that can include multiple facilities. Today’s more dynamic solutions allow organizations to embrace new levels of convenience and utility. Organizations need not only support the requirements of today, but must also look ahead to the needs of tomorrow. The initial motivation to adopt a new standard of access control may be to improve security or to consolidate multiple locations under a single standard. Now is the time to use advances in access control to build a foundation for addressing unanticipated change and evolving security threats. Strong organizations will take full advantage of the opportunities that upgrading to a more modern solution affords. Reasons to upgrade Data privacy As a result of new legislation or regulatory requirements, an organization may be required to increase its security. Similarly, if a company acquires a new client needing a high level of safety, there may be requirements to improve access control. New building tenants may also trigger the need for greater building or campus security, either to protect the parent organization or to comply with the tenant’s requirements. Implementing new, more dynamic access control technologies provides many benefits over maintaining older, more static ones. Organizations are facing an environment of evolving threats, and the challenges of maintaining the security and privacy of identity data are ever greater. Growing demand for a higher level of security and the convenience of using mobile devices for access control is driving change and spurring innovation. The unfortunate reality is that sometimes it takes an unexpected event or security breach to prompt an organization to upgrade their access control system. By making the right steps in moving toward a more reliable, upgraded access control standard, organizations can meet the need for security and privacy with confidence, leveraging investment well into the future. User convenience The freedom to move access control to phones, tablets, wristbands, watches and other wearables offers choice and convenience to end users, along with new and more convenient ways to open doors and gates. Today, smart devices are always on hand. Users do not have to maintain and carry multiple cards or keys. In parking garages or at driveway gates, for example, the longer reach of the Bluetooth smart communications standard makes it possible to drive up to the gate without having to roll down the car window and reach out to activate a reader. Some smart device sensors, most notably the gyroscope and accelerometer, enable gesture detection. This offers an additional benefit for access control – the ability to open doors from a distance by performing intuitive gestures. This provides an extra layer of authentication for added security. It is predicted that there will be nearly 155 million smart wearable devices in use by 2019. These truly ‘always-on’ devices are even more natural candidates for access control applications because of the ready-to-use convenience of a wearable device. Flexibility Organizations need a platform that is flexible enough to support multiple applications for managing not only physical access (e.g., buildings) but for managing logical access (e.g., computer/ software login, time and attendance, etc.) as well. Organizations that want to add new applications such as time and attendance, secure print management, biometrics, cashless vending and more, will need to issue an associated card to users. This requirement can be used as an opportunity to migrate to a contactless wearable or smartphone that combines access control with these or other functions, enabling employees to carry a single device for many purposes. Administration of these functions should be centralized into one efficient and cost-effective system to enable organizations to create a fully interoperable, multi-layered security solution across company networks, systems and facilities. In the future, they can migrate to the convenience, editability, and security of carrying digital keys and credentials on smartphones and other mobile devices. Data privacy, user convenience and flexibility go hand in hand Organizations have been tasked with keeping up with a variety of technology changes that impact the physical access control (PACS) infrastructure. These changes include accommodating two-year PC refresh cycles, 18 month average mobile device lifespans and policy changes surrounding the move to ‘Bring Your Own Device’ (BYOD). Additionally, there is increased network access via mobile devices due to the rapid growth of tablets, laptops and smartphones. Legacy security solutions often use proprietary technology that is static, providing little or no possibility for functional enhancement, or the ability to offer higher levels of data privacy. This inability to adapt makes them easy targets for attack. Often, legacy technologies are anchored to obsolete software, devices, protocols and products, making it difficult for the access control infrastructure to facilitate change. Built on breakthrough technologies, the latest high frequency access control systems ensure security is independent of hardware and media. This makes it much easier for organizations to support new functionality and higher levels of data privacy. They also enable the provisioning of secure identity credentials to smart devices, offering organizations the choice to use smart cards, mobile devices or both. Additionally, they offer functionality for access control beyond the door, which may include secure print release, network access, time and attendance or cashless vending. Upgrading your access control technology: A solid investment If you continue to invest in outdated…

A recent article by Taylor Armerding of CSO Online explores the current state of the Common Vulnerabilities and Exposures (CVE) program managed by MITRE. He expands on the creeping belief that the CVE, the old-guard vulnerability ‘dictionary,’ is falling behind and leaving security teams and technologies that rely on it open to risk. And although MITRE is taking measures to close the gap – including dedicating more resources to vetting and assigning CVE identifiers to vulnerabilities – the response among some experts is that these will not be enough to rectify the outdated model. MITRE has certainly made strides to bolster the system, logging 6,592 new vulnerabilities with CVE IDs in the first half of 2017 alone – compare that to 6,431 CVE IDs logged in all of 2016. From January to June of this year, MITRE has published on average 1,133 new CVE IDs each month. That’s a 210 percent increase over the 536 new CVE IDs per month average of 2016. While increasing the number of vulnerabilities catalogued by the CVE system is generally good (many technologies use CVE IDs and some baseline vulnerability management programs rely on them almost entirely), it still doesn’t solve the issue of prioritization. Enterprises already have hundreds of thousands – even millions – of vulnerabilities in their organization. Assigning more CVE-IDs doesn’t directly lead to better security or even signify that more vulnerabilities exist today than in the past – it means more efforts are being dedicated to discovering, analyzing and cataloging vulnerabilities. Combined with a technology environment in a state of constant proliferation, this inevitably means more CVEs and vulnerabilities in general. Currently, organizations are overwhelmed with too many vulnerability alerts to manage proficiently, so many of them are looking to advanced vulnerability management programs to help them better prioritize. In a recent report on vulnerability prioritization, Gartner analyst Craig Lawson points out that the lofty goal of ‘patch everything, all the time, everywhere’ is not only rarely fulfilled, it’s causing friction between IT security and IT operations. Focusing on the right vulnerabilities Vulnerability teams, however, don’t need to patch everything all the time. The same report states, “Only a small number of vulnerabilities go on to be exploited in real-world attacks.” This means vulnerability management programs should be structured to help teams zero in on the vulnerabilities most likely to be used in an attack – a smaller portion than all CVEs. Exploited vulnerabilities only make up a single digit of CVE-ID vulnerabilities published each month. (The spike in March 2017 in the chart below represents the vulnerabilities leveraged in the Eternal Blue exploit, famously used in WannaCry and NotPetya.) Vulnerabilities with a published proof-of-concept exploit (but inactive) represent a slightly larger portion, but still total less than 100 vulnerabilities published per month. With this information, security teams can: Focus resources on the vulnerabilities that are actually exploited in the wild first, as those are the ones that pose imminent threat to the organization. Employ mitigating controls (e.g., intrusion prevention systems, network segmentation, application controls, privileges management) to prevent lower priority vulnerabilities from being exploited when those vulnerabilities can’t be patched in a reasonable period of time, or when there is no patch available. To help classify vulnerability risks even further, the Common Vulnerability Scoring System (CVSS) was developed over ten years ago to help organizations prioritize vulnerability remediation. It is a reasonable approach to vulnerability remediation in theory; however, implementation was never fully realized because of the lack of vendor resources. So, only base CVSS scores have been used and have proved insufficient for prioritizing vulnerability remediation. Unfortunately, this is the method many vulnerability management programs rely on. For all of its shortcomings, CVSS scores don’t consider the organization’s unique environment, the current threat landscape and other situational factors. For example, a vulnerability with a ‘high’ CVSS score may not be exploitable in a particular network if the surrounding architecture and security policies provide sufficient defense. Similarly, a CVSS high-severity vulnerability on a low value asset is less of a priority to fix than a CVSS medium severity vulnerability on a business critical asset. Cyberattackers frequently leverage vulnerabilities carrying a medium severity CVSS score, perhaps because they know many vulnerability management programs are only capable of fixing CVSS critical vulnerabilities, never making it to the lower ranking items on their to do list. The 2016 Verizon Data Breach Investigations Report also points out that successful exploits from the previous year targeted a large number of vulnerabilities with CVEs assigned more than five years ago – presumably, that organizations never got around to fixing. How Skybox is improving vulnerability prioritization At the Skybox Research Lab, our team of analysts daily scour more than 30 security data sources and investigates more than 700,000 sites, including in the dark web. With this research, the Lab provides insight to active and available exploits, vulnerabilities being packaged in ransomware, exploit kits and other tools in use by various attackers. The Research Lab has its own vulnerability catalog, which includes CVE vulnerabilities. But roughly 10 percent of this catalog also covers vulnerabilities with no CVE ID, including many on technologies in the IoT domain. This gives Skybox users a more complete scope of the vulnerabilities that could threaten their security. With the added intelligence of how vulnerabilities are being targeted in the wild, the Research Lab provides much needed context to improve prioritization in terms that put vulnerabilities posing an imminent threat at the top of your to do list. By focusing on vulnerabilities with active or known exploits as well as vulnerabilities that are exposed in your network (no mitigating controls in place), organizations can more effectively use existing resources to minimize the risk of a breach. However, this should be augmented with gradual risk reduction over time of the other vulnerabilities in the network i.e., through mitigation or patching, which could turn into threats over time. While both CVE and CVSS provide relevant information to vulnerability management programs and technology, they fall…