Fighting the top IT security risks

Microsoft's recent Patch Tuesday included an FTP vulnerability in Microsoft Internet Information Services (IIS) that was the target of a limited number of zero-day attacks.

Just last month, the SANS Institute released a report warning how such zero-day vulnerabilities are growing more common. The report also noted that organizations are taking longer to patch client-side software and web application vulnerabilities. The report was based on a broad dataset: More than six million vulnerability assessments and intrusion data from six thousand organizations.

That's quite a disheartening finding. Organizations must focus on the battles of today. They can't continue to fight those of the past ten years — but that's what enterprises are doing by focusing too heavily on network and operating system vulnerabilities. They're only part of the picture. To address today's pressing risks, more emphasis has to be placed on endpoint and web applications.

That also is the finding of a paper published just weeks before the SANS Institute released its report, by the Center for Strategic and International Studies, entitled "The Twenty Critical Controls for Effective Cyber Defense." This paper is worthwhile reading for any security or IT manager. And the handful of "guiding principles" below effectively pinpoints how organizations should be managing the risks of their IT systems today:
  • Defenses should focus on addressing the most common and damaging attack activities occurring today, and those anticipated in the near future.
  • Environments must ensure consistent controls across an enterprise to effectively negate attacks.
  • Defenses should be automated where possible, and measured periodically or continuously, using automated measurement techniques where feasible.
  • To address current attacks occurring frequently against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.
Following these principles, as well as the 20 controls detailed in the paper, would go a long way toward helping any organization attain compliance with most regulations, mitigate crucial risks and stay secure. For example, three controls in the CSIS paper (Control 2, Inventory of Software; Control 3, Secure Configurations; and Control 10, Vulnerability Management and Remediation) ensure that vulnerabilities in networks, servers, clients and web applications are identified, prioritized, and remedied. In addition, Control 7, Application Software Security, calls for long-term risk mitigation by having application developers make certain that they check their code for common errors, such as failure to sanitize inputs, and generally develop applications with security in mind, as well as regularly assess those web applications for vulnerabilities while in production.
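To make the Control 7 point concrete, here is an added example (not code from the article or from the CSIS paper) showing the kind of "failure to sanitize inputs" error the control asks developers to check for, beside its hardened form, plus a lightweight source-scan heuristic of the sort a code review or CI check might run. The database rows, the `SAMPLE_SOURCE` snippet and the function names are all constructed for this illustration.

```python
import re
import sqlite3

# Constructed in-memory sample data (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

def lookup_unsanitized(conn, username):
    # Common error: untrusted input is concatenated straight into the query text,
    # so quote characters in the input change the meaning of the SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # Hardened form: the driver binds the value; the input is treated as data,
    # never as SQL syntax, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# A constructed input containing a quote, of the kind an input-validation test
# or fuzzing pass would feed to both lookups to compare their behaviour.
CRAFTED = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "unsanitized_normal": lookup_unsanitized(conn, "alice"),
        "unsanitized_crafted": lookup_unsanitized(conn, CRAFTED),   # every row leaks
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_crafted": lookup_parameterized(conn, CRAFTED),  # no match
    }

# --- Review-time check: flag SQL built from dynamic strings -----------------
# Heuristic only (hypothetical helper): a line is suspicious when it carries a
# SQL keyword and also builds the string with +, %, .format() or an f-string.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
DYNAMIC_BUILD = re.compile(r"""(\+\s*\w|%\s*\(|\.format\(|\bf["'])""")

def flag_dynamic_sql(source):
    """Return 1-based line numbers that look like dynamically built SQL."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        if SQL_KEYWORD.search(line) and DYNAMIC_BUILD.search(line):
            hits.append(number)
    return hits

# Constructed source snippet used to exercise the check.
SAMPLE_SOURCE = '''
def find_user(conn, name):
    sql = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(sql)

def find_user_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
    print("suspicious lines:", flag_dynamic_sql(SAMPLE_SOURCE))
```

The scan is deliberately a cheap regex, not a parser: it will miss SQL assembled across several statements and may flag harmless string work, so it belongs alongside, not instead of, the production-time application assessment the control also calls for.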

Managing the risk of IT systems is getting more — not less — complicated, and organizations must continuously make certain that they not only have the process and technology in place to keep systems secure, but that they also make certain they're focusing on the right threats and vulnerabilities.
