Perimeter
10/8/2012
01:04 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Risk Management: Asking The Right Questions

In order to make sure an organization's security is properly aligned with risk, it is critical that organizations focus on asking the questions that really matter

One of the main questions we often get asked by organizations is a simple one: WHY? Why do some organizations get compromised and others don't. If we asked this question 15 years ago, the answer would be much simpler. Organizations that were compromised in the 1990's often had obvious vulnerabilities that were not being fixed. One client incident we worked on had unpatched systems, all systems had public IP addresses with default installs, and no security devices in place. The answer to "why" was pretty obvious. Today, answering the question is more difficult.

Organizations are spending significant amount of money on security and still getting compromised. The reason is they are not focused on fixing the highest priority risks to their organization. Before an organization spends an hour of their time or a dollar of their budget for security, they should be able to answer three questions:

1) What is the risk?

2) Is it the highest priority risk?

3) Is it the most cost-effective way of reducing the risk?

We studied several organizations that have been compromised and compared them to organizations that are successfully defending their organization. The difference between the two groups became clear when we looked at their security roadmaps.

In the organizations that have been compromised, when we looked at their security roadmaps and asked the three questions for each item on their roadmap, they could not answer it. For organizations that had proper security, they were able to answer these three questions for each item on their twelve month roadmap.

If you want to see how well your organization is aligned with security, ask these three questions for each item in which you are investing resources to improve your security. If you can answer the questions, you are doing the right thing and if you cannot answer the questions, you are behaving like organizations that have been breached.

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers identify the right areas of security by building out dynamic defense solutions that protect organizations from advanced threats. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University, with a concentration in information security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is founder of Secure Anchor Consulting in which he provides state of the art security services and expert witness work. He also served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS faculty Fellow and course author. Dr. Cole is an executive leader in the industry where he provides cutting-edge cyber security consulting services and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.