Risk Management
- 2010 has been a banner year for highly publicized, yet real-world, proofs of concept for a number of threats, some of which we have known about for years.
  - We started the year in January with the Google "Aurora" APT hack. See: Operation Aurora
  - Then in June we had Stuxnet, which, as one author put it, was "malware beamed back from 5 years in the future", raising the bar on any previously known APT. See: Symantec Stuxnet Dossier
  - Also in June, but progressively coming to light for the rest of the year, we had Wikileaks, a classic case of the insider threat and data loss. See: Wired.com Wikileaks Story (Original)
Some questions, without the answers for now...
- Are we, as industries, doing enough, in a timely manner, to keep up with the pace of the myriad of threats? The threat landscape seems to be evolving faster now than at any time in recent history. Isn't it our job to make sure that company executives are aware of the risks associated with these threats in a timely manner, so that we as cyber/information/risk analysts can have the tools to make the right decisions to best defend our sensitive information and networks in an equally timely manner? I realize the time component is an important concept here. When is it timely enough? Is being proactive in identifying the threat before we see a proof of concept in the real world an unrealistic business goal?
- Are we (as industries) really proactive with regard to our overall information/cyber security strategies? Or are we reactive? I realize these are loaded questions and can be looked at from a number of perspectives: for example, compared to industry peers, to cyber security budgets from years past, to other industries, etc. Most organizations are in business to provide shareholder value and good returns, as well as to provide quality products/services to customers, and thus the business case for (increased) cyber security is sometimes a tough one to make. But of all years, 2010 certainly made this an easier case to make, I think you would agree.
- In 2011, will industry be implementing controls to help us defend against threats that came to light in 2010 but were no doubt occurring in 2009 and before? Yes.
- In 2011, I suspect industry will have a "heightened interest" in analyzing controls to prevent insider threats and data loss (e.g. Wikileaks) and super-APTs (e.g. Stuxnet), with 2012 business cases, while the bad guys are moving on to new techniques.
I realize that to a certain extent this is a perpetual game of catch-up. Is this a fact of life or something we can control? I think a little of both. I know we don't live in an ideal world, or an ideal business environment for that matter, so my point is not that we need to do everything "now" or be able to predict the future, but I do think industry should strive to continually perform threat and risk analysis/management in as close to a real-time (preferably proactive) way as possible within known constraints. I pose another question: do we really think we are doing "enough" now, fast enough? How much larger would your 2011 cyber security budget be if your organization had had an APT, Stuxnet, or Wikileaks type incident this past year?
I can't state it any better than Gartner analyst John Pescatore in the recently released Gartner document titled "The Gartner 2011 Information Security Scenario":
Key Issue: How should information security programs evolve to deal with changes in business processes, information technology and threats?
We are at a cusp very similar to what we faced 20 years ago as mainframe and departmental computing were attacked by personal computing. Consumerization and cloud are breaking IT processes, and by extension IT security processes, in a very similar manner. At the same time, cybercrime (financially motivated, targeted threats) is moving even more quickly to exploit this breakage. Similarly, legislators are moving more rapidly to "help" by introducing new laws requiring new forms of reporting. The movement toward consumerization and cloud computing has a lot of promise to both increase user productivity and decrease the cost of IT delivery. However, if some of those savings aren't used to keep security ahead of the threat, many businesses will face financially significant security incidents that more than consume the benefits.