When I am doing random tasks at home, I enjoy having background noise to keep me busy and moving. Whether it is music, a fan or the sound of my children laughing, I enjoy it as a backdrop.
As breaches become the common theme of my daily RSS feeds, I begin to wonder, when do they become just noise, too? As I look at some of the more commonly known breaches and vulnerability announcements, I ponder how we preserve their context and keep those lessons in our forefront.
- CNET gets hacked through a Symfony exploit; one million user names, passwords and emails are stolen;
- LastPass announces vulnerabilities in its Bookmarklets;
- Code Spaces is shut down by attackers after a DDoS attack and the destruction of its hosted data;
- eBay makes a very late announcement urging users to change passwords due to possible exposure of 150 million accounts; it is later deemed there is a privacy concern, as well;
- Heartbleed, one of the most far-reaching vulnerabilities, turns the heads of every internet user, as almost half a million of the Internet’s secure web servers’ certificates are found vulnerable to the theft of private keys, users’ session cookies and passwords;
- Target is breached through its point of sale hardware, coming through a third party supplier’s access.
How do we stay diligent and understand which is the highest priority? Security is a “net addition” to the workload of many small and medium businesses, and they need to prioritize what is most important.
In Cindy Valladares’ post The Information Security Hierarchy of Needs, she mentions the 20 Critical Security Controls and the importance of focusing on the solution versus the problems.
My first inclination was that we need to sift through the news and define the “bar” of what is newsworthy and what is not. While learning from the breaches about which risks your business is most susceptible to, I am inclined to agree with Cindy and her analysis that we should focus on the highest-risk vectors that will give us the greatest amount of protection amid the commotion:
- Inventory your hardware and software and know their criticality (CSC 1 & 2);
- Update your asset configurations to be CIS compliant (CSC 3); and
- Scan for vulnerabilities and patch/remediate accordingly (CSC 4).
If we can prioritize our work to do these high-value actions in our environments, then I believe we will do two things:
- Create a higher level of expectation (e.g., baseline security) from the business over time, so we can continue to progress to more sophisticated protections; and
- Begin to see fewer breach stories in the news as attackers are thwarted, thereby allowing only the most egregious incidents to rise to the top and reducing the volume we have to review.
I enjoy background noise when I keep busy, but diligence is paramount. I look forward to seeing a reduction in the news feeds pertaining to breaches, so I can hear the music.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].