[BreachExchange] Security Think Tank: No one-size-fits-all security solution

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 31 19:52:31 EDT 2017


http://www.computerweekly.com/opinion/Security-Think-Tank-No-one-size-fits-all-security-solution

There is no shortage of companies out there making claims that there is a
universal solution to security (it makes for a good marketing message), but
unfortunately, in practice there is no “one-size-fits-all” solution to
security.

Determining which practices, controls and countermeasures will work best in
a given organisation is based on that organisation’s own needs: what works
for it culturally, the level of risk that its business is subject to, and
so on.

For example, the security techniques and methods that work best for a large
hospital might be very different from what would work best for a “mom and
pop” retailer – and more different still from a government agency or large
financial institution. So, answering the question “what should
organisations do?” is a bit more nuanced than it might seem on the surface.

In my opinion, there are two things every organisation should be doing:
risk management and intelligence gathering. Risk management is the process
of figuring out which risks the organisation needs to address, and putting
measures in place to find them, track them, mitigate them, and make sure
they stay mitigated going forward. Likewise, intelligence gathering,
particularly of the threat environment – what the bad guys might be
interested in and how they might attack – informs the risk management
process directly.

Both of these areas are systematic processes rather than solutions that can
be bought off the shelf, so the good news is that no special equipment is
required to accomplish this. However, doing these things well and
comprehensively takes discipline, planning and preparation.

For ransomware specifically, one very helpful measure is to conduct a
pre-planning “tabletop” exercise to ensure that individuals in the
organisation are prepared for a ransomware event. For example, think
through your response and discuss specific decision points ahead of time
rather than when the heat is on during an actual incident.

The normative position of law enforcement (and most security practitioners)
is not to pay the ransom – it can cause a criminal to “retarget” the
organisation down the road, and only sometimes will the attacker actually
make good if the ransom is paid. However, this can be a more difficult
stance to take in the heat of an incident: the dollar amount can seem small
compared with the impact of the ransomware. Decisions like this are best
thought through in advance.

In terms of limiting the impact of cyber attacks in general and recovering
quickly, tabletop and planning exercises are again a good idea, as is a
systematic risk management process.

Beyond these, helpful practices can include building capabilities to
understand and react to the threat environment – in particular, keeping
tabs on “big ticket” events such as ongoing malware or ransomware attacks –
as well as testing the organisation’s defensive posture through
vulnerability assessment, penetration testing and other techniques that
allow an organisation to systematically measure its defences.