Perimeter
10/8/2012
01:04 PM
Eric Cole
Eric Cole
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Risk Management: Asking The Right Questions

In order to make sure an organization's security is properly aligned with risk, it is critical that organizations focus on asking the questions that really matter

One of the main questions we often get asked by organizations is a simple one: WHY? Why do some organizations get compromised and others don't. If we asked this question 15 years ago, the answer would be much simpler. Organizations that were compromised in the 1990's often had obvious vulnerabilities that were not being fixed. One client incident we worked on had unpatched systems, all systems had public IP addresses with default installs, and no security devices in place. The answer to "why" was pretty obvious. Today, answering the question is more difficult.

Organizations are spending significant amount of money on security and still getting compromised. The reason is they are not focused on fixing the highest priority risks to their organization. Before an organization spends an hour of their time or a dollar of their budget for security, they should be able to answer three questions:

1) What is the risk?

2) Is it the highest priority risk?

3) Is it the most cost-effective way of reducing the risk?

We studied several organizations that have been compromised and compared them to organizations that are successfully defending their organization. The difference between the two groups became clear when we looked at their security roadmaps.

In the organizations that have been compromised, when we looked at their security roadmaps and asked the three questions for each item on their roadmap, they could not answer it. For organizations that had proper security, they were able to answer these three questions for each item on their twelve month roadmap.

If you want to see how well your organization is aligned with security, ask these three questions for each item in which you are investing resources to improve your security. If you can answer the questions, you are doing the right thing and if you cannot answer the questions, you are behaving like organizations that have been breached.

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers identify the right areas of security by building out dynamic defense solutions that protect organizations from advanced threats. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University, with a concentration in information security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Site, Network Security Bible, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is founder of Secure Anchor Consulting in which he provides state of the art security services and expert witness work. He also served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is actively involved with the SANS Technology Institute (STI) and SANS working with students, teaching, and maintaining and developing courseware. He is a SANS faculty Fellow and course author. Dr. Cole is an executive leader in the industry where he provides cutting-edge cyber security consulting services and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole has 20 years of hands-on experience in information technology with a focus on building out dynamic defense solutions that protect organizations from advanced threats. He has a Master's degree in computer science from NYIT and a Doctorate from Pace University, with a ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.