Open source offense could be our best defense against cyberattacks

5 tips to establish a strong cyber-offense based on publicly available information

By Sean Martin, a CISSP and the founder of imsmartin consulting, special to Network World
July 16, 2012 02:43 PM ET

Network World - A core dilemma for IT today is how to properly protect the organization's information systems and assets, given that security tools often seem like a black hole sucking down both time and money. But a strong defense doesn't have to be expensive, and a good place to start is assessing what information is publicly available and figuring out how to safeguard it from attack.

It's easy to get caught up in the hype around who might be attacking organizations and why, which leads to misconceptions about the requirements and costs associated with effective security. Companies need to approach security more fundamentally and strategically. They should also be looking at it from the attacker's viewpoint, trying to identify what there is to steal and how to go about it. Those answers should be the guide for an organization's defense system planning.

During a panel discussion at the ISSA Los Angeles (ISSALA) Security Summit in May, BeyondTrust CTO Marc Maiffret gave a good example of how media and vendor messaging both fuel and respond to trends and public interest in security, and in turn, can influence how organizations view risk and evaluate their security needs.

As Maiffret noted, distributed denial-of-service (DDoS) attacks get the media's immediate and focused attention because the events are visible to the public. The world takes notice when a prominent hosting provider, financial institution, or social network service goes offline due to a DDoS attack. The event is easy to spot, the result of the downtime is often newsworthy, and the human nature aspects of the event appeal to the masses.

As public and media attention get soaked up by the who and the why of the equation, vendors capitalize on the hype by tapping into the consumer fear factor and by shaping their product messaging around what's hot in the news. Such marketing tactics draw in even more media and public attention, and so the hype cycle continues, building and building like a snowball. All this noise scares organizations into investing to fight off the bad guys.

But what good to an organization is any security program -- expensive or not -- if the organization doesn't even know what it needs to protect or how vulnerable to attack it is to begin with?

Every organization's security needs are unique -- as are the capabilities of every security product -- and so the same product that works well for one organization may be completely useless to another. And, while each organization does have its own unique circumstances, all organizations still share in common the simple fact that any publicly accessible information they have is also readily available to attackers. No security product in the world can change that reality, no matter what a vendor's messaging may suggest its product can do.

Certainly, organizations have to ask a lot of tough questions if they are to properly protect their systems, business data and intellectual property. But while the answers to the questions of who would attack their systems and why are extremely important for building out successful security programs, these two questions should only be addressed after determining what attackers would target and how.
