Sunday, July 14, 2013

Imaginary Threat Analysis... Who knew it could be helpful.

So how do you analyze a threat from an imaginary company?  That doesn't seem like something that people concern themselves with on a consistent basis.  However, it was something I found myself doing this week.

The part of this I found interesting was that, after reading all the data from the company, I had to come up with a likely scenario.  See, the imaginary company had been breached.  They let client credit card numbers into the open.  In my likely scenario, they were breached due to an e-mail scam.  That scam then attached them to a botnet.  Once that happened, the people running the botnet were able to determine that CC data was present within the system.  You see where this is going, right?  It got me thinking: how can an organization do anything about this?

In my opinion, most security problems in companies boil down to one of three things.
1. A policy problem
2. A people problem
3. A technology problem

Policy Problems
So, my recommendations in the magic scenario mirrored this.  Policies, you see, can be fixed if the will is present to do so.  The real issue here is that they must originate from the top.  They must explain the will of a corporation to the stakeholders and employees.  A good example of this would be an acceptable use policy.

People Problems
These types of problems are solved by hiring qualified candidates.  This may mean background checks and extensive interviews.  It will also mean continuous peer-based review.  In addition, it will mean that people may need to be let go.  This also takes into account people who mean to do an organization harm.  Controls must be put in place to limit that harm.  The policies should also reflect the reality of employees and harm seekers.

Technology Problems
These problems are typically solved by people following policies.  Sometimes a new piece of technology may be needed, but sometimes an old piece of technology must simply be utilized.  In my imaginary company, the issue here was a lack of updates.

As IT and security professionals, it is very easy to attempt to fix all problems with technology.  While I am still deciding what I think about all of this, I am attempting to appreciate how difficult fixing security problems can be.
