Accepting the reality that mistakes will be made, that intrusions will occur, and that inoculation and list updates will lag behind any new attack will guide corporations in the establishment of realistic countermeasures which will allow them to survive systemic attacks, averting the risk of corporate-wide compromise.

Safe & Secure - For The Moment:

After months of reverse engineering, endless nights and bad Chinese food, the as-of-yet unknown hacker group, the Internet Free Radicals, has found their new attack point. Using steganography, they have devised a method of injecting malicious code into any image file which will regenerate and re-inject itself into any network. Using this algorithm, a time-delayed virus is attached to several "humorous" videos that have been posted for download on the immensely popular social website - By 5am that same morning more than 1,000,000 systems are now infected and the virus is just getting started. The virus, not due to show itself for several days, quietly spreads undetected.

Later that same morning...

International Global Finance Corporation (IGFC) completes updating virus inoculation files on all of its servers and has completely scanned over 20 terabytes of financial data on its ATM servers. The scan has taken four IO-intensive hours but finally all systems are clean and secure. One minute later a third shift operator at IGFC views a video posted at

The Computer Age:

Twenty years after the release of the personal computer, the world is a different place. No one needs to point out the prevalence of computers in daily life or the inherent risk that comes with using them. The problem is simply this: these very computing systems that we rely upon were not designed with security in mind. With the growth of computing use across every segment of business operations, only now are corporate information security teams scrambling to find effective systemic security solutions.

Unfortunately there are five words that are never spoken but whose truth is known by everyone involved in information assurance circles:

There is no 100% solution.

Every Chief Security Officer knows this to be true and every CEO should hear and completely understand this reality. Ninety-five percent (95%) is the new one hundred percent in the world of information security. This includes all security efforts: trusted computing, data integrity, identity theft, and anti-malware software. To view corporate security in any other way is to deny reality - the proverbial e-ostrich stance.

Three irrefutable facts dictate this reality:

• Hackers are consumers and purchase every version of software used in business today.
• There is no way to remove human chaos from the information security equation.
• Software development companies cannot eliminate the flaws in their code nor create quality assurance environments that emulate all of the complexities of the global business environment.

So what can be done? Go on the offensive? Not likely. Today's attackers are well trained, agile and virtually invisible, making capture almost impossible. These facts, coupled with the obvious one that corporations are in the business of conducting business, not tracking down would-be malcontents, serve to heighten the problem. Should UPS concentrate on getting packages to their destination on time or turn all of their resources towards tracking down hackers? Don't bother to ask UPS, they know their mission statement. It includes boxes, not bits.

That leaves a defensive posture.

Ask any General how he or she feels about defensive stances in the theatre of war (and yes, information security is a war). The answer will not be positive or reassuring. Somehow, someway the attacker will find a means of "getting inside the walls". Unfortunately for the global business community this is currently the only stance possible.

Or is it?

Much has been written about the motivation behind hackers but to be honest does it really matter? Universally they are persona non grata no matter what intent they have or attack vector they use. What all companies want is for the problem to go away. Certainly as long as computers are in use, hackers will exist - another undeniable truth. Companies want to keep them out of their revenues, or more specifically from impacting their revenues. Security breaches are production impacting events (PIEs) that can crush revenue generation in numerous ways:

• Literal loss of revenue based on production downtime.
• Loss of customer confidence due to bad press.
• Erosion of competitive advantage due to compliance failures.

The real solution lies in the 95%. Security executives live in fear of the infamous "Sunday afternoon phone call", where the weekend IT staff informs the CSO that over half of the corporation's resources are down due to some previously unknown hack.

A far better scenario that every CSO can live with is arriving to work on Monday morning only to find a few systems that "need attention". This is 95%.

The best position companies can hope to achieve in future security events is one that minimizes the impact of an attack by making it impossible for the mistakes of a few to cripple the revenue generating capacity of the many.

Companies need to embrace the new tack of information survivability by minimizing PIEs, production impacting events.

The global business community has to change expectations to match the changes brought about by the proliferation and accessibility of computing resources.

Public and private sector organizations can create an environment in which pressure is put back on those who would seek to do damage by implementing true business continuity efforts. Nothing is more daunting to an attacker than to see their "prey" bounce right back after a blow.

Attackers will soon turn to other ventures once they realize their efforts leave their targets unfazed and nonplussed. From the view of the attackers, this is the ultimate deterrent. From the view of the corporation this drives customer satisfaction and creates a strengthened work environment.

The next security event is not an If but a When. What CEOs and CSOs need to implement are aggressive policy, practice and procedural measures coupled with solutions that turn a 5000 system event into a five (5) system non-event.

The real question that needs to be asked is how a company can become event agnostic, not how it can be 100% secure.

We must acknowledge that the enemy will find a weakness to exploit but also realize that you can make certain that any intrusion is contained, controlled, and ultimately crushed. At every level of a company there must be a new understanding that there will be pot-holes but not sink holes. There is much to be said for the company that weathers a storm.

The good news is that there are many new techniques being made available that will help a corporation reach the reality of 95%.

Great strides are being made in malware spread mitigation, trusted computing, data portability, and network attached security solutions as well as the consolidation of effective solution sets. These efforts coupled with proper metrics and procedures will allow businesses to obtain an enterprise-wide view of their security efforts, thereby allowing them to easily deploy new security techniques and measure their effectiveness.

In the end, corporations seeking to create the Kevlar Company need to focus on eliminating production impacting events through survivability. Resilience is the ultimate preemptive stance when it comes to information assurance. Only from this 95% posture can the goal of 100% assurance ever be achieved.