Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Create A Risk 'Pain Chart'
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/29/2014 | 2:38:49 PM
Providing relatable value
This is great! For years now, Information Security has been progressing to the point where we can display extreme value to the business side of the operation. Not that we were irrelevant in the past, but I feel that we are getting the the point where non-security people can easily relate as to why security measures are so important.

In years to come I feel that this exercise will be quite prevalent and most likely already be ingrained in the minds of business owners. Educative repetition and relation analysis is the key.
JeremiahT680
50%
50%
JeremiahT680,
User Rank: Apprentice
9/1/2014 | 12:28:28 PM
Sandboxing data inside an encrypted application layer
If you sandbox each record or entity within and create an interface in your own coding language the perhaps you could create so many layers or barriers to cross that the intrusion would be detected and prevented.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
9/2/2014 | 9:09:50 AM
Re: Providing relatable value
I agree, I especially love the idea of assigning a risk or impact value to each specifically since as pointed out, some assets have more value than others.  Treating all risks as the same threat level is no longer a way to ensure that you are prioritizing the right areas of your security plan.  It's also a great way, as illustrated in the article, to ask for the funding you really need for each project based on the real risks and costs associated to protect those assets.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/2/2014 | 9:50:14 AM
Re: Providing relatable value
Concept sounds great to me, but who woud the decisionmakers be in determining risk/pain priorities? Thoughts anyone?  
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/2/2014 | 2:06:47 PM
Re: Providing relatable value
I would think that everyone on a security team would have the ability to determine what has a higher risk value than others. Its a group effort. However, you need an authoritative head to sign off on these decisions. I would say the person who signs off on corporate security policy would be the authoratative head here. Most likely the CSO/CISO. 

I think a good way to look at this principle is you wouldn't construct a $1000 fence to guard a $10 asset. Realistic safeguards need to be a priority.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/3/2014 | 11:40:31 AM
Re: Providing relatable value
This is classic Risk Management, and is nothing new. I believe that the ultimate sign off should lie in the hands of someone responsible for the entire organization, such as the CEO, COO, CRO, etc. As long as the proper personnel are involved in the risk assessment team, the security officer makes recommendations based on a well informed decision process conducted by the team. Mind you, the assumption is that the risk assessment is conducted properly. If the security office is empowered to make the decision, then certainly the officer has the final say, with the implied consent of the CEO through delegation of authority.
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
9/3/2014 | 11:50:07 AM
Re: How To Create A Risk 'Pain Chart'
@MarilynCohodas, everything security always comes back to the business it supports which would be no different with determining risk/pain priorities.  A "committee" of decisison makers should be made up of people who can translate the techie-talk into meanful business language and consists of stakeholders throughout the organization (ex. InfoSec, Privacy, Legal, etc), shareholders, and executives.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3454
PUBLISHED: 2021-10-19
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-...
CVE-2021-3455
PUBLISHED: 2021-10-19
Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp
CVE-2021-41150
PUBLISHED: 2021-10-19
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is c...
CVE-2021-31378
PUBLISHED: 2021-10-19
In broadband environments, including but not limited to Enhanced Subscriber Management, (CHAP, PPP, DHCP, etc.), on Juniper Networks Junos OS devices where RADIUS servers are configured for managing subscriber access and a subscriber is logged in and then requests to logout, the subscriber may be fo...
CVE-2021-31379
PUBLISHED: 2021-10-19
An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these pac...