r the latest threats and are able to advise on precautions necessary to be sure systems aren't compromised during installation, development, testing, and deployment.

What Needs to Be Protected and How Much Is Enough?

A worldwide study by PricewaterhouseCoopers and Chief Security Officer magazine revealed that most firms don't even know what they need to protect. Only 33 percent of executives responded that their organizations kept accurate inventory of the locations and jurisdictions where data was stored, and only 24 percent kept inventory of all third parties using their customer data. [A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009).] What this means is that most firms don't even have an accurate read on where their valuables are kept, let alone how to protect them.

So information security should start with an inventory-style audit and risk assessment. Technologies map back to specific business risks. What do we need to protect? What are we afraid might happen? And how do we protect it? Security is an economic problem, involving attack likelihood, costs, and prevention benefits. These are complex trade-offs that must consider losses from theft of resources, systems damage, data loss, disclosure of proprietary information, recovery, downtime, stock price declines, legal fees, government and compliance penalties, and intangibles such as damaged firm reputation, loss of customer and partner confidence, industry damage, promotion of the adversary, and encouragement of future attacks.

While many firms skimp on security, firms also don't want to misspend, targeting exploits that aren't likely while underinvesting in easily prevented methods to thwart common infiltration techniques. Hacker conventions like DefCon can show some really wild exploits. But it's up to the firm to assess how vulnerable it is to these various risks. The local donut shop has far different needs than a military installation, law enforcement agency, financial institution, or firm housing other high-value electronic assets. A skilled risk assessment team will consider these vulnerabilities and what sort of countermeasure investments should take place.

Economic decisions usually drive hacker behavior, too. While in some cases attacks are based on vendetta or personal reasons, in most cases exploit economics largely boils down to

Adversary ROI = Asset value to adversary – Adversary cost.

An adversary's costs include not only the resources, knowledge, and technology required for the exploit, but also the risk of getting caught. Making things tough to get at, and lobbying for legislation that imposes severe penalties on crooks, can help raise adversary costs and lower your likelihood of becoming a victim.

Technology's Role
Technical solutions often involve industrial-strength variants of the previously discussed issues individuals can employ, so your awareness is already high. Additionally, an organization's approach will often leverage multiple layers of protection and incorporate a wide variety of protective measures.

Patch. Firms must be especially vigilant to pay attention to security bulletins and install software updates that plug existing holes (often referred to as patches). Firms that don't plug known problems will be vulnerable to trivial and automated attacks. Unfortunately, many firms aren't updating all components of their systems with consistent attention. With operating systems automating security update installations, hackers have moved on to application targets. But a major study recently found that organizations took at least twice as long to patch application vulnerabilities as they take to patch operating system holes. [S. Wildstrom, "Massive Study of Net Vulnerabilities: They're Not Where You Think They Are," BusinessWeek, September 14, 2009.] And remember, software isn't limited to conventional PCs and servers. Embedded systems abound, and connected, yet unpatched, devices are vulnerable. Malware has infected everything from unprotected ATM machines [P. Lilly, "Hackers Targeting Windows XP-Based ATM Machines," Maximum PC, June 4, 2009.] to restaurant point-of-sale systems [R. McMillan, "Restaurants Sue Vendors after Point-of-Sale Hack," CIO, December 1, 2009.] to fighter plane navigation systems. [C. Matyszczyk, "French Planes Grounded by Windows Worm," CNET, February 8, 2009.]

As an example of unpatched vulnerabilities, consider the DNS cache poisoning exploit described earlier in this chapter. The discovery of this weakness was one of the biggest security stories the year it was discovered, and security experts saw this as a major threat. Teams of programmers worldwide raced to provide fixes for the most widely used versions of DNS software. Yet s...
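The patching discussion above argues that firms should track every component, not just operating systems, and that application and embedded devices tend to lag. The following script is an added example, not part of the original text: it runs over a constructed component inventory (hosts, component kinds and dates are all made up for illustration), reports the median days-to-patch per kind, and flags anything still open past a patch SLA.

```python
from datetime import date
from statistics import median

# Constructed sample inventory for this example (not data from the text).
# Each row is one vulnerable component: the date the vendor bulletin was
# published and the date the fix was applied (None means the hole is open).
INVENTORY = [
    {"host": "dc01",   "kind": "os",          "component": "server OS",        "bulletin": date(2009, 6, 1),  "patched": date(2009, 6, 8)},
    {"host": "web01",  "kind": "os",          "component": "server OS",        "bulletin": date(2009, 6, 1),  "patched": date(2009, 6, 10)},
    {"host": "web01",  "kind": "application", "component": "web framework",    "bulletin": date(2009, 6, 3),  "patched": date(2009, 6, 25)},
    {"host": "ws-117", "kind": "application", "component": "PDF reader",       "bulletin": date(2009, 5, 20), "patched": date(2009, 6, 20)},
    {"host": "atm-04", "kind": "embedded",    "component": "ATM (Windows XP)", "bulletin": date(2009, 4, 14), "patched": None},
    {"host": "pos-12", "kind": "embedded",    "component": "POS terminal",     "bulletin": date(2009, 5, 5),  "patched": None},
]

# Constructed "as of" date for the report.
REPORT_DATE = date(2009, 7, 1)


def days_to_patch(row, today):
    """Days from bulletin to fix; for open items, days the hole has been exposed so far."""
    end = row["patched"] or today
    return (end - row["bulletin"]).days


def patch_report(rows, today, sla_days=30):
    """Return (medians, overdue): median days-to-patch per component kind over
    closed items, and (host, component, days exposed) for open items past the SLA."""
    closed = {}
    overdue = []
    for row in rows:
        exposed = days_to_patch(row, today)
        if row["patched"] is None:
            if exposed > sla_days:
                overdue.append((row["host"], row["component"], exposed))
        else:
            closed.setdefault(row["kind"], []).append(exposed)
    medians = {kind: median(days) for kind, days in closed.items()}
    return medians, overdue


if __name__ == "__main__":
    medians, overdue = patch_report(INVENTORY, REPORT_DATE)
    for kind, days in sorted(medians.items()):
        print(f"{kind:12s} median days to patch: {days:g}")
    for host, component, days in overdue:
        print(f"OVERDUE {host} ({component}): unpatched for {days} days")
```

On the constructed data the application median is several times the OS median, and both embedded devices show up as overdue, which is the pattern the text describes.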