Commentary - As computer software has become the backbone of modern civilization, organized cyber criminals, state sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to generate revenue and carry out criminal activities. The growing number of cyber attacks has become one of the most serious economic and national security threats our nation faces.
Most recent cyber attacks and associated data breaches of Google, Epsilon (a leading marketing services firm), and RSA (the security division of data management giant EMC) are just the tip of the iceberg. Government networks, critical infrastructure operators and the private sector are facing an increasing frequency and sophistication of cyber attacks and breaches of information security -- often with discovery after the fact.
The dilemma that organizations are facing is that their current vulnerability measures are unable to keep up with the evolving exploits, including perimeter intrusion detection, signature-based malware and anti-virus solutions. Often, these security tools operate in a silo-based approach and are not integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming lies in the fact that a majority of vulnerability programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are based on the risk to the business.
Besides close collaboration with the Department of Homeland Security, organizations should consider overhauling their approach to security risk management to counter cyber attacks and prevent data loss, unauthorized disclosure, data destruction, copyright infringement and damage to their brand.
Establishing an advanced security risk management program strategy involves the following fundamental steps:
1. Manage and perform risk assessments to understand which systems have sensitive data and, therefore, have the highest business criticality.
2. Track sensitive data that has been outsourced to vendors and is stored off-site leveraging a vendor risk assessment process. Especially in times in which companies are more and more relying on cloud-based services, it is important to gauge the security measures and expertise of your outsourcing partner. The Epsilon data breach is a good example for this.
3. Based on the results of the risk assessments, rationalize the locations where sensitive data is stored to only the most secure systems that are protected against direct Internet traffic.
4. Track risks on these critical systems from a top-down perspective to understand the key threats that a company faces and ensure controls are in place to counter these threats.
5. Manage risk from a bottom-up perspective by consolidating and correlating data from scanners, vulnerability feeds, patch management systems, and configuration management systems to get a holistic view of vulnerabilities affecting the most business-critical assets, including those with personally identifiable information.
6. Create and track tickets to put in place controls and remediation to address these threats and vulnerabilities in a timely fashion.
7. Manage workflows associated with all of the above processes.
8. Report on risks, vulnerabilities, and effectiveness of remediation efforts.
9. Manage emergency response processes and procedures in the event that a data breach does occur in order to minimize the damages from the incident.
Implementing a security risk management program that integrates and interconnects components such as security event management, asset management, threat management, vulnerability management, security configuration management, security patch management and security incident response management will yield the following benefits:
• Reduce risk through the ability to make threats and vulnerabilities visible and actionable, meaning enable organizations to prioritize and address high risk security vulnerabilities prior to them being exploited
• Reduce cost by streamlining processes leveraging automation and reducing redundant, manual efforts
• Provide reports and metrics to measure effectiveness and efficiency
Security Risk Management can help prevent data breaches like that which happened with Epsilon, and help minimize the consequences of a data breach, if one were to occur.
Torsten George is vice president worldwide marketing for Agiliance Inc. Torsten brings more than 16 years of global experience in promoting software (e.g., enterprise applications, security software, and SaaS solutions) and network equipment products to Agiliance.