One Article Review

Source: AlienVault Blog
Identifier: 1522765
Publication date: 2020-02-03 14:00:00 (seen: 2020-02-03 20:01:20)
Title: NO FATE
Text: “The future is not set, there is no fate but what we make for ourselves.” John Connor, Terminator 2

There is a prevailing viewpoint among security professionals that security breaches are inevitable. They have adopted the mantra, “It is not a matter of if but a matter of when.” As recently as the day I wrote this post, I attended a meeting where this attitude was used to justify accepting easy-to-mitigate security risks. This attitude is nothing new, and it has a name: “fatalism.” Merriam-Webster defines fatalism as “a doctrine that events are fixed in advance so that human beings are powerless to change them.” Ask yourself as you read this: is that the truth? Are you powerless to change events, or do you make your own choices?

When you make the choice to choose compliance over security, that’s not fatalism but a mixture of choice and will. It’s a decision to be good enough to escape liability without being good enough to escape fate. It’s a trap! Many of the big credit card breaches of the past decade occurred while an organization was PCI compliant. Target was certified PCI compliant weeks before it was hacked in 2013. Verizon’s breach data shows that although companies become compliant, they often do so in a way that is unsustainable. Do not take away the wrong lesson. The lesson here is not “if Target couldn’t fight the hackers, then I can’t either.” The lesson is that the culmination of their decisions resulted in an environment that made the breach possible. You make choices every day that impact your personal and professional destiny. I promise you security is not an expensive goal attainable only by the super-rich. It is far more about the knowledge, dedication, ingenuity, and heart you put into it. As a blog post, I have to keep this short, so please forgive me for not addressing every area of focus you need to cover to commit to security.

There are four phases to the model I recommend for IT security: identify your environment, categorize your risks, know your enemy, and test your solutions. This model is a cycle designed to repeat itself again and again without end. Each cycle builds on the information gathered in the last and grows more mature with each revision.

Identify your environment

Phase one sounds simple. It’s the same advice given by sages, oracles, and war philosophers for thousands of years: know thyself. It is the foundation upon which all else is built. What systems are on the network? What systems are in your inventory? Where is your sensitive data? What is your sensitive data? What is the normal traffic of your network? What is the normal operating usage of your systems? This is a collection of facts, without judgment, about the environment. A single missing piece here may cause your entire security structure to crumble. For example, I did a penetration test for a bank several years ago. They had a secure system for their account data. However, one of their account representatives wanted to do something nice for their clients by recognizing their birthdays. They took the information from the secure database, including the account numbers and safety deposit box information, and put it in a spreadsheet. I found that spreadsheet with an unprivileged account, sitting on their internal SharePoint platform. They did not know where their data was, and had I not found it, they would not have known to address it.

Categorize your risks

Phase two is about putting those pieces together to figure out what it all means. What do you get when you compare the systems on your network with the systems in your inventory? Rogue device detection and loss prevention. What does it mean that I found account data in SharePoint which itsel
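The phase-one-versus-phase-two comparison the post describes (what is actually on the network versus what the inventory says should be there) as an added example, not code from the AlienVault post; the inventory CSV and the DHCP lease lines are constructed, and the lease format is assumed to be ISC dhcpd style.

```python
# Added example (not from the post): reconcile a constructed asset inventory
# against hosts observed in constructed DHCP lease records.
import csv
import io
import re

# Constructed inventory: what we *think* is on the network.
INVENTORY_CSV = """hostname,mac,owner
fileserver01,00:1a:2b:3c:4d:5e,infra
hr-laptop-07,AA-BB-CC-DD-EE-01,hr
printer-2f,00:1a:2b:3c:4d:99,facilities
"""

# Constructed ISC-dhcpd-style lease lines: what is *actually* on the network.
LEASE_LOG = """\
lease 10.0.5.21 { hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "fileserver01"; }
lease 10.0.5.44 { hardware ethernet aa:bb:cc:dd:ee:01; client-hostname "hr-laptop-07"; }
lease 10.0.5.87 { hardware ethernet de:ad:be:ef:00:01; client-hostname "android-9f3"; }
"""

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>[\d.]+)\s*\{.*?hardware ethernet\s+(?P<mac>[0-9a-fA-F:-]{17});'
    r'(?:.*?client-hostname\s+"(?P<name>[^"]*)")?'
)

def norm_mac(mac: str) -> str:
    """Normalise separator and case so the two sources compare equal."""
    return mac.replace("-", ":").lower()

def load_inventory(text: str) -> dict:
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def parse_leases(text: str) -> dict:
    seen = {}
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            seen[norm_mac(m["mac"])] = {"ip": m["ip"], "name": m["name"] or ""}
    return seen

def reconcile(inventory: dict, observed: dict) -> dict:
    """Rogue: on the wire but not inventoried. Missing: inventoried but silent."""
    inv, obs = set(inventory), set(observed)
    return {
        "rogue": sorted(obs - inv),
        "missing": sorted(inv - obs),
        "accounted": sorted(inv & obs),
    }
```

A rogue entry is a candidate for investigation; a missing entry may be a decommissioned or stolen asset that the inventory never caught up with.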
Tags: Threat


The article does not appear to have been republished after its publication.

The article does not appear to be a repost of an earlier one.