Drag Your Adolescent Incident-Response Program Into ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

50%

CarricDooley,
User Rank: Apprentice
11/12/2014 | 4:25:47 PM

Re: Deliverables and Checklists vs Actual Living Functions

Mr. Bryant

I'd first like to establish what we are talking about in terms of maturity, audit vs assessment, etc.

The intent of how we understand a client's maturity is NOT what we would call an audit. That implies there is a checklist, and then you could pass or fail. An audit also implies the behavior you site of "managing to the audit" versus "becoming more secure" (like the grade inflation we have experienced in US schools). We are suggesting an assessment(s) of current state against a backdrop of maturity and capability (take another look at the table).

Maturity is loosely tied to CMMI in a sense that it has been an industry-accepted term/framework for some time. It is intuitive to think about current state of security maturity and capability in terms of "reactive, compliant, proactive, optimizing", but you could really use any version of this to achieve what we are suggesting. I have seen other maturity models that reference levels of capability versus state (i.e. No capability, Some capability, etc.). We are NOT suggesting a CMMI "roll out".

I've expanded on some of these concepts in my recent Dark Reading for Intel Security Perspectives blog - please read "What We Mean by Maturity Models for Security" for additional clarity.

Reply | Post Message | Messages List | Start a Board

100%

RetiredUser,
User Rank: Ninja
11/3/2014 | 11:01:28 PM

Deliverables and Checklists vs Actual Living Functions

I appreciate mature models, well-designed processes and formal standards; I swear, I really do. But after being a part of attempt after attempt at CMMI rollout, eyes on the Level X prize, I kept seeing the same thing happen: Passing the audit became the deliverable and thus artifacts emerged to satisfy the audits up to a point, then the Level X goal slowly disappeared. I appreciate Common Criteria and its EALs (Evaluation Assurance Levels) but I've seen via hearsay similar things happen to CC, too - you can only produce artifacts up to a point before you have to have a well-oiled process with demonstrable benefits.

Now, downer attitude aside, there is Agile and Lean. By no means am I a process-oriented thinker (not that I didn't try). I believe in taking your skill-set and diving head-first into chaos, greeting it with a combat mentality, and keeping things fresh by changing the game completely the next go-round. But if there must be maturity and formality to security risk assessment, analysis and continuous lifecycle improvement, maybe there's a middle ground that the businessmen, architects and hackers can meet on. What you've described here is great and a noble goal, but what would it look like trimmed a tad, and modeled for both hacker and process-geek alike?

Reply | Post Message | Messages List | Start a Board

Editors' Choice

Enterprises Remain Riddled With Overprivileged Users -- and Attackers Know It

Robert Lemos, Contributing Writer, 4/1/2021

Inside the Ransomware Campaigns Targeting Exchange Servers

Kelly Sheridan, Staff Editor, Dark Reading, 4/2/2021

Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain

Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia, 3/30/2021

Live Events

Webinars

Cybersecurity Risk Management FREE Event 4/22

Using MS Teams as Your Phone System - FREE Event 4/14

Earn (ISC)2 CPEs at Interop Digital, April 29

More Informa Tech Live Events

White Papers

What Elite Threat Hunters See That Others Miss: Case Study

Are We Cyber-Resilient? The Key Question Every Organization Must Answer

SANS 2021 Cyber Threat Intelligence Survey

The Essential Guide to Securing Remote Access

Identify Threats 82% Faster: The Value of Threat Intelligence with DomainTools

More White Papers

Cartoon

Post a Comment

Cartoon Archive

Current Issue

2021 Top Enterprise IT Trends

We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Battle for the Endpoint

How to build a new cyber strategy for 2021 and beyond.

Download Now!

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

The Malware Threat Landscape

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-21394
PUBLISHED: 2021-04-12

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...

CVE-2021-22497
PUBLISHED: 2021-04-12

Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.

CVE-2021-3163
PUBLISHED: 2021-04-12

A vulnerability in the HTML editor of Slab Quill 4.8.0 allows an attacker to execute arbitrary JavaScript by storing an XSS payload (a crafted onloadstart attribute of an IMG element) in a text field.

CVE-2019-15059
PUBLISHED: 2021-04-12

In Liberty lisPBX 2.0-4, configuration backup files can be retrieved remotely from /backup/lispbx-CONF-YYYY-MM-DD.tar or /backup/lispbx-CDR-YYYY-MM-DD.tar without authentication or authorization. These configuration files have all PBX information including extension numbers, contacts, and passwords.

CVE-2021-21524
PUBLISHED: 2021-04-12

Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged code execution on the vulnerable application. The severity is Cr...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]