One Article Review

Home - The article:
Source Blog taosecurity
Identifier 1450341
Publication date 2019-11-06 16:12:52 (viewed: 2019-11-06 23:07:10)
Title Seven Security Strategies, Summarized
Text This is the sort of story that starts as a comment on Twitter, then becomes a blog post when I realize I can't fit all the ideas into one or two Tweets. (You know how much I hate Tweet threads, and how I encourage everyone to capture deep thoughts in blog posts!)

In the interest of capturing the thought, and not in the interest of thinking too deeply or comprehensively (at least right now), I offer seven security strategies, summarized.

When I mention the risk equation, I'm talking about the idea that one can conceptually imagine the risk of some negative event using this "formula": Risk (of something) is the product of some measurements of Vulnerability x Threat x Asset Value, or R = V x T x A.

Denial and/or ignorance. This strategy assumes the risk due to loss is low, because those managing the risk assume that one or more of the elements of the risk equation are zero or almost zero, or they are apathetic to the cost.

Loss acceptance. This strategy may assume the risk due to loss is low, or more likely those managing the risk assume that the cost of risk realization is low. In other words, incidents will occur, but the cost of the incident is acceptable to the organization.

Loss transferal. This strategy may also assume the risk due to loss is low, but in contrast with loss acceptance, the organization believes it can buy an insurance policy which will cover the cost of an incident, and the cost of the policy is cheaper than alternative strategies.

Vulnerability elimination. This strategy focuses on driving the vulnerability element of the risk equation to zero or almost zero, through secure coding, proper configuration, patching, and similar methods.

Threat elimination. This strategy focuses on driving the threat element of the risk equation to zero or almost zero, through deterrence, dissuasion, co-option, bribery, conversion, incarceration, incapacitation, or other methods that change the intent and/or capabilities of threat actors.

Asset value elimination. This strategy focuses on driving the asset value element of the risk equation to zero or almost zero, through minimizing data or resources that might be valued by adversaries.

Interdiction. This is a hybrid strategy which welcomes contributions from vulnerability elimination, primarily, but is open to assistance from loss transferal, threat elimination, and asset value elimination. Interdiction assumes that prevention eventually fails, but that security teams can detect and respond to incidents post-compromise and pre-breach. In other words, some classes of intruders will indeed compromise an organization, but it is possible to detect and respond to the attack before the adversary completes his mission.

As you might expect, I am most closely associated with the interdiction strategy. I believe the denial and/or ignorance and loss acceptance strategies are irresponsible.

I believe the loss transferal strategy continues to gain momentum with the growth of cybersecurity breach insurance policies.

I believe the vulnerability elimination strategy is important but ultimately, on its own, ineffective and historically shown to be impossible. When used in concert with other strategies, it is absolutely helpful.

I believe the threat elimination strategy is generally beyond the scope of private organizations. As the state retains the monopoly on the use of force, usually only law enforcement, military, and sometimes intelligence agencies can truly eliminate or mitigate threats. (Threats are not vulnerabilities.)

I believe asset value elimination is powerful but has not gained the ground I would like to see. This is my "
Sent Yes
Tags Vulnerability Threat