Fighting the top IT security risks

Amol Sarwate
Microsoft's recent Patch Tuesday included an FTP vulnerability in Microsoft Internet Information Services (IIS) that was the target of a limited number of zero-day attacks.

Just last month, the SANS Institute released a report warning how such zero-day vulnerabilities are growing more common. The report also noted that organizations are taking longer to patch client-side software and web application vulnerabilities. The report was based on a broad dataset: More than six million vulnerability assessments and intrusion data from six thousand organizations.

That's quite a disheartening finding. Organizations must focus on the battles of today. They can't continue to fight those of the past ten years — but that's what enterprises are doing by focusing too heavily on network and operating system vulnerabilities. They're only part of the picture. To address today's pressing risks, more emphasis has to be placed on endpoint and web applications.

That also is the finding of “The Twenty Critical Controls for Effective Cyber Defense,” a paper published by the Center for Strategic and International Studies just weeks before the SANS Institute released its report. This paper is worthwhile reading for any security or IT manager. The handful of "guiding principles" below effectively pinpoints how organizations should be managing the risks of their IT systems today:
  • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
  • Environments must ensure consistent controls across an enterprise to effectively negate attacks.
  • Defenses should be automated where possible, and measured periodically or continuously, using automated measurement techniques where feasible.
  • To address current attacks occurring frequently against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
Following these principles, as well as the 20 controls detailed in the paper, would go a long way toward helping any organization attain compliance with most regulations, mitigate crucial risks and stay secure. For example, three controls in the CSIS paper (Control 2, Inventory of Software; Control 3, Secure Configurations; and Control 10, Vulnerability Management and Remediation) ensure that systems (network, servers, client and web applications) are identified, prioritized, and remedied. In addition, Control 7, Application Software Security, calls for long-term risk mitigation: application developers should check their code for common errors, such as failure to sanitize inputs, generally develop applications with security in mind, and regularly assess those web applications for vulnerabilities during production.

Managing the risk of IT systems is getting more — not less — complicated, and organizations must continuously make certain not only that they have the process and technology in place to keep systems secure, but also that they're focusing on the right threats and vulnerabilities.
