Just last month, the SANS Institute released a report warning how such zero-day vulnerabilities are growing more common. The report also noted that organizations are taking longer to patch client-side software and web application vulnerabilities. The report was based on a broad dataset: More than six million vulnerability assessments and intrusion data from six thousand organizations.
That's quite a disheartening finding. Organizations must focus on the battles of today. They can't continue to fight those of the past ten years — but that's what enterprises are doing by focusing too heavily on network and operating system vulnerabilities. They're only part of the picture. To address today's pressing risks, more emphasis has to be placed on endpoint and web applications.
That is also the finding of a paper published just weeks before the SANS Institute released its report, by the Center for Strategic and International Studies, entitled "The Twenty Critical Controls for Effective Cyber Defense." This paper is worthwhile reading for any security or IT manager, and the handful of "guiding principles" below effectively pinpoint how organizations should be managing the risks of their IT systems today:
- Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
- Environments must ensure consistent controls across an enterprise to effectively negate attacks.
- Defenses should be automated where possible, and measured periodically or continuously, using automated measurement techniques where feasible.
- To address current attacks occurring frequently against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
Managing the risk of IT systems is getting more — not less — complicated, and organizations must continuously make certain that they not only have the process and technology in place to keep systems secure, but that they also make certain they're focusing on the right threats and vulnerabilities.