Accepting the reality that mistakes will be made, intrusions will occur and that inoculation and list updates will lag behind any new attack, will guide corporations in the establishment of realistic countermeasures which will allow them to survive systemic attacks, averting the risk of corporate-wide compromise.

Safe & Secure - For The Moment:

After months of reverse engineering, endless nights and bad Chinese food, the as-of-yet unknown hacker group, the Internet Free Radicals, has found their new attack point. Using steganography, they have devised a method of injecting malicious code into any image file which will regenerate and re-inject itself into any network. Using this algorithm, a time-delayed virus is attached to several "humorous" videos that have been posted for download on the immensely popular social website - By 5am that same morning more than 1,000,000 systems are now infected and the virus is just getting started. The virus, not due to show itself for several days, quietly spreads undetected.

Later that same morning...

International Global Finance Corporation (IGFC) completes updating virus inoculation files on all of their servers and has completely scanned over 20 terabytes of financial data on their ATM servers. The scan has taken four IO intensive hours but finally all systems are clean and secure. One minute later a third shift operator at IGFC views a video posted at

The Computer Age:

Twenty years after the release of the personal computer, the world is a different place. No one needs to point out the prevalence of computers in daily life or the inherent risk that comes with using them. The problem is simply this: these very computing systems that we rely upon were not designed with security in mind. With the growth of computing use across every segment of business operations, only now are corporate information security teams scrambling to find effective systemic security solutions.

Unfortunately there are five words that are never spoken but words whose truth is known by everyone involved in information assurance circles:

There is no 100% solution.

Every Chief Security Officer knows this to be true and every CEO should hear and completely understand this reality. Ninety-five (95%) percent is the new one hundred percent in the world of information security. This includes all security efforts: trusted computing, data integrity, identity theft, and anti-malware software. To view corporate security in any other way is to deny reality - the proverbial e-ostrich stance.

Three irrefutable facts dictate this reality:

• Hackers are consumers and purchase every version of software used in business today.
• There is no way to remove human chaos from the information security equation.
• Software development companies cannot eliminate the flaws in their code nor create quality assurance environments that emulate all of the complexities of the global business environment.

So what can be done? Go on the offensive? Not likely. Today's attackers are well trained, agile and virtually invisible, making capture almost impossible.

These facts, coupled with the obvious one that corporations are in the business of conducting business, not tracking down would-be malcontents, serve to heighten the problem. Should UPS concentrate on getting packages to their destination on time or turn all of their resources towards tracking down hackers? Don't bother to ask UPS, they know their mission statement. It includes boxes not bits.

That leaves a defensive posture.

Ask any General how he or she feels about defensive stances in the theatre of war (and yes, information security is a war). The answer will not be positive or reassuring. Somehow, someway the attacker will find a means of "getting inside the walls". Unfortunately for the global business community this is currently the only stance possible.

Or is it?

Much has been written about the motivation behind hackers but to be honest does it really matter? Universally they are persona non grata no matter what intent they have or attack vector they use. What all companies want is for the problem to go away.

Certainly as long as computers are in use, hackers will exist - another undeniable truth. Companies want to keep them out of their revenues, or more specifically from impacting their revenues. Security breaches are production impacting events (PIEs) that can crush revenue generation in numerous ways:

• Literal loss of revenue based on production downtime.
• Loss of customer confidence due to bad press.
• Erosion of competitive advantage due to compliance failures.

The real solution lies in the 95%.

Security executives live in fear of the infamous "Sunday afternoon phone call", where the weekend IT staff informs the CSO that over half of the corporation's resources are down due to some previously unknown hack.

A far better scenario that every CSO can live with is arriving to work on Monday morning only to find a few systems that "need attention". This is 95%.

The best position companies can hope to achieve in future security events is one that minimizes the impact of an attack by making it impossible for the mistakes of a few to cripple the revenue generating capacity of the many. Companies need to embrace the new tack of information survivability by minimizing PIE, production impacting events.

The global business community has to change expectations to match the changes brought about by the proliferation and accessibility of computing resources. Public and private sector organizations can create an environment in which pressure is put back on those who would seek to do damage by implementing true business continuity efforts. Nothing is more daunting to an attacker than to see their "prey" bounce right back after a blow.

Attackers will soon turn to other ventures once they realize their efforts leave their targets unfazed and nonplussed. From the view of the attackers, this is the ultimate deterrent. From the view of the corporation this drives customer satisfaction and creates a strengthened work environment.

The next security event is not an If but a When. What CEOs and CSOs need to implement are aggressive policy, practice and procedural measures coupled with solutions that turn a 5000 system event into a five (5) system non-event.

The real question that needs to be asked is how a company can become event agnostic, not how it can be 100% secure. We must acknowledge that the enemy will find a weakness to exploit but also realize that you can make certain that any intrusion is contained, controlled, and ultimately crushed. At every level of a company there must be a new understanding that there will be pot-holes but not sink holes. There is much to be said for the company that weathers a storm.

The good news is that there are many new techniques being made available that will help a corporation reach the reality of 95%.

Great strides are being made in malware spread mitigation, trusted computing, data portability, and network attached security solutions as well as the consolidation of effective solution sets. These efforts coupled with proper metrics and procedures will allow businesses to obtain an enterprise wide view of their security efforts, thereby allowing them to easily deploy new security techniques and measure their effectiveness.

In the end, corporations seeking to create the Kevlar Company need to focus on eliminating production impacting events through survivability. Resilience is the ultimate preemptive stance when it comes to information assurance. Only from this 95% posture can the goal of 100% assurance ever be achieved.