Technologysrole technical so lutio ns o f ten invo

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: r the latest threats and are able to advise o n precautio ns necessary to be sure systems aren’t co mpro mised during installatio n, develo pment, testing, and deplo yment. What Needs to Be Protected and How Much Is Enough? A wo rldwide study by P ricewaterho useCo o pers and Chief Security Officer magazine revealed that mo st f irms do n’t even kno w what they need to pro tect. Only 33 percent o f executives respo nded that their o rganizatio ns kept accurate invento ry o f the lo catio ns and jurisdictio ns where data was sto red, and o nly 24 percent kept invento ry o f all third parties using their custo mer data.A. Matwyshyn, Harbo ring Data: Info rmatio n Security, Law , and The Co rpo ratio n (P alo Alto , CA: Stanf o rd University P ress, 2009). What this means is that mo st f irms do n’t even have an accurate read o n where their valuables are kept, let alo ne ho w to pro tect them. So inf o rmatio n security sho uld start with an invento ry-style auditing and risk assessment. Techno lo gies map back to specif ic business risks. What do we need to pro tect? What are we af raid might happen? And ho w do we pro tect it? Security is an eco no mic pro blem, invo lving attack likeliho o d, co sts, and preventio n benef its. These are co mplex trade-o f f s that must co nsider lo sses f ro m thef t o r reso urces, systems damage, data lo ss, disclo sure o f pro prietary inf o rmatio n, reco very, do wntime, sto ck price declines, legal f ees, go vernment and co mpliance penalties, and intangibles such as damaged f irm reputatio n, lo ss o f custo mer and partner co nf idence, industry damage, pro mo tio n o f adversary, and enco uragement o f f uture attacks. While many f irms skimp o n security, f irms also do n’t want to misspend, targeting explo its that aren’t likely, while underinvesting in easily prevented metho ds to thwart co mmo n inf iltratio n techniques. Hacker co nventio ns like Def Co n can sho w so me really wild explo its. But it’s up to the f irm to assess ho w vulnerable it is to these vario us risks. The lo cal do nut sho p has f ar dif f erent needs than a military installatio n, law enf o rcement agency, f inancial institutio n, o r f irm ho using o ther high-value electro nic assets. A skilled risk assessment team will co nsider these vulnerabilities and what so rt o f co untermeasure investments sho uld take place. Eco no mic decisio ns usually drive hacker behavio r, to o . While in so me cases attacks are based o n vendetta o r perso nal reaso ns, in mo st cases explo it eco no mics largely bo ils do wn to Adversary ROI = Asset value to adversary – Adversary cost. An adversary’s co sts include no t o nly the reso urces, kno wledge, and techno lo gy required f o r the explo it, but also the risk o f getting caught. Make things to ugh to get at, and lo bbying f o r legislatio n that impo ses severe penalties o n cro o ks can help raise adversary co sts and lo wer yo ur likeliho o d o f beco ming a victim. Technology’s Role Technical so lutio ns o f ten invo lve industrial strength variants o f the previo usly discussed issues individuals can emplo y, so yo ur awareness is already high. Additio nally, an o rganizatio n’s appro ach will o f ten leverage multiple layers o f pro tectio n and inco rpo rate a wide variety o f pro tective measures. P atch. Firms must be especially vigilant to pay attentio n to security bulletins and install so f tware updates that plug existing ho les, (o f ten ref erred to as patches). Firms that do n’t plug kno wn pro blems will be vulnerable to trivial and auto mated attacks. Unf o rtunately, many f irms aren’t updating all co mpo nents o f their systems with co nsistent attentio n. With o perating systems auto mating security update installatio ns, hackers have mo ved o n to applicatio n targets. But a majo r study recently f o und that o rganizatio ns to o k at least twice as lo ng to patch applicatio n vulnerabilities as they take to patch o perating system ho les.S. Wildstro m, “Massive Study o f Net Vulnerabilities: They’re No t Where Yo u Think They Are,” BusinessWeek, September 14, 2009. And remember, so f tware isn’t limited to co nventio nal P Cs and servers. Embedded systems abo und, and co nnected, yet unpatched devices are vulnerable. Malware has inf ected everything f ro m unpro tected ATM machinesP . Lilly, “Hackers Targeting Windo ws XP -Based ATM Machines,” Maximum P C, June 4, 2009. to restaurant po int-o f -sale systemsR. McMillan, “Restaurants Sue Vendo rs af ter P o int-o f -Sale Hack,” CIO, December 1, 2009. to f ighter plane navigatio n systems.C. Matyszczyk, “French P lanes Gro unded by Windo ws Wo rm,” CNET, February 8, 2009. As an example o f unpatched vulnerabilities, co nsider the DNS cache po iso ning explo it described earlier in this chapter. The disco very o f this weakness was o ne o f the biggest security sto ries the year it was disco vered, and security experts saw this as a majo r threat. Teams o f pro grammers wo rldwide raced to pro vide f ixes f o r the mo st widely used versio ns o f DNS so f tware. Yet s...
View Full Document

This document was uploaded on 01/31/2014.

Ask a homework question - tutors are online