Perimeter
10/8/2012
01:04 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%
Repost This

Risk Management: Asking The Right Questions

In order to make sure an organization's security is properly aligned with risk, it is critical that organizations focus on asking the questions that really matter

One of the main questions we often get asked by organizations is a simple one: WHY? Why do some organizations get compromised and others don't. If we asked this question 15 years ago, the answer would be much simpler. Organizations that were compromised in the 1990's often had obvious vulnerabilities that were not being fixed. One client incident we worked on had unpatched systems, all systems had public IP addresses with default installs, and no security devices in place. The answer to "why" was pretty obvious. Today, answering the question is more difficult.

Organizations are spending significant amount of money on security and still getting compromised. The reason is they are not focused on fixing the highest priority risks to their organization. Before an organization spends an hour of their time or a dollar of their budget for security, they should be able to answer three questions:

1) What is the risk?

2) Is it the highest priority risk?

3) Is it the most cost-effective way of reducing the risk?

We studied several organizations that have been compromised and compared them to organizations that are successfully defending their organization. The difference between the two groups became clear when we looked at their security roadmaps.

In the organizations that have been compromised, when we looked at their security roadmaps and asked the three questions for each item on their roadmap, they could not answer it. For organizations that had proper security, they were able to answer these three questions for each item on their twelve month roadmap.

If you want to see how well your organization is aligned with security, ask these three questions for each item in which you are investing resources to improve your security. If you can answer the questions, you are doing the right thing and if you cannot answer the questions, you are behaving like organizations that have been breached.

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers identify the right areas of security by building out dynamic defense solutions that protect organizations from advanced threats. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University, with a concentration in information security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is founder of Secure Anchor Consulting in which he provides state of the art security services and expert witness work. He also served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS faculty Fellow and course author. Dr. Cole is an executive leader in the industry where he provides cutting-edge cyber security consulting services and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web