Friday 28 September 2012

IET Cybersecurity Conference 2012

I will be attending "The 7th International IET System Safety Conference, incorporating the Cyber Security Conference 2012" http://bit.ly/NUZuQ3 which is running from October 15th-18th, 2012 at the Radisson Blu Hotel, Edinburgh, UK, to present a paper on the "Cost effective assessment of the infrastructure security posture".

Abstract of paper


Today organisations face a threat from cyber-attack. Whether they are an international conglomerate or a one-man outfit, none is immune to the possibility of attack if they have a connection to or presence on the Internet. The attacks can take many forms, from Distributed Denial of Service through to targeted phishing emails. Many attacks result in low tangible costs but can have high intangible costs to the targeted organisation, such as loss of brand reputation and loss of business. Many small businesses have taken weeks to find that their websites have been blacklisted by search engines because their site has been compromised and is now hosting malware.

Although attack sophistication has grown from the password guessing attacks of the early 1980s to the sophisticated Advanced Persistent Threat (APT) that is being seen today, the skill level required to launch attacks has dropped, as the development of hacking toolkits and malware toolkits has given the script kiddie hacker sophisticated tools with simple GUI interfaces. The hacking group Anonymous's use of tools such as the Low Orbit Ion Cannon (LOIC), available on sourceforge and github, enabled thousands of individuals who have no programming knowledge to take part in their orchestrated campaigns. The high profile of cyber-activity is encouraging an increasing number of people to dabble with easily findable tools and scripts, and many progress deeper into illegal activity.

The motivation of attackers targeting an organisation is extremely wide ranging: from organised criminal gangs looking for monetary return, to rival organisations or countries looking for intellectual property, to hacktivists looking to exact revenge for a perceived infringement of their freedom, through to random attacks carried out because the attackers can, or because they are just developing and testing their skills on a random target. All this requires an organisation to protect itself from attack, whether it is hosting a website on a third party's infrastructure or has a large number of connected gateways on the Internet and offers multiple services hosted on its own infrastructure to the general public and other organisations.

An organisation's security posture is an indication of the countermeasures that have been implemented to protect the organisation's resources. The countermeasures are security best practices that are appropriate to the organisation's risk appetite and the business requirements. The security posture is defined by an organisation's security policy, its mission statement and its business objectives.

Countermeasures come with a cost, which should not exceed the value of the resources they are protecting. They should be effective, provide value for money, and give a return on investment for the organisation.

Measuring how the organisation's actual security posture relates to its agreed acceptable level of risk is a problem that organisations face when looking at whether their countermeasures are effective and are providing value for money and a return on investment. There are two methodologies that can be used:
  1. Auditing – the mechanism of confirming that the processes or procedures agree to a master checklist for compliance
  2. Assessing – a more active, or intrusive, testing methodology to adequately assess processes or procedures that cannot be adequately verified using a checklist or security policy

This paper investigates the attack surface of an organisation's infrastructure and applications, examining the cases where the use of cloud and mobile computing has extended the infrastructure beyond the traditional perimeter of the organisation's physical locations, and the challenges this causes in assessing the security posture.

A review of the use of assessment methodologies such as vulnerability assessment and penetration testing to assess the infrastructure and application security posture of an organisation shows how they can provide identification of vulnerabilities, which can aid the risk assessment process in developing a security policy. The paper will demonstrate how these methodologies can help in assessing the effectiveness of the implemented countermeasures and aid in evaluating whether they provide value for money and a return on investment.

It is proposed that a long-term strategy of using both methodologies for assessing the security posture, based on the business requirements, will provide the following benefits:
  • Cost effective monitoring of the infrastructure and security posture
  • Ensuring that the countermeasures retain effectiveness over time
  • Responding to the continually changing threat environment
  • Ensuring that value for money and return on investment are maintained
