Archive for November, 2008
Network Surveillance
There is nothing like collecting real data and validating the effectiveness of your security countermeasures.
Most companies have good perimeter security – i.e. a firewall and an IDS or IPS. While many security people view an IPS as the next generation of IDS, it’s important to understand the different roles of detection and prevention. Detection helps you understand what kind of attacks are being mounted (or potentially COULD be mounted) on the network, and prevention (an IPS) is part of your access control systems – a way of keeping the bad guys off your network.
However, in our experience the same companies with well-managed perimeter security do not know what’s happening inside their network.
Do you know what is happening inside your network?
Read the full article here network surveillance.
What hackers really want
What do hackers really want?
No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and cost of potential attacks on their organization.
We all depend on transaction processing systems in order to run the business and make decisions, no matter how many employees we have. Whether you have a small business making wedding cakes or a global enterprise with 14,000 employees in 40 locations, you use information systems daily to buy, sell, pay and collect from customers.
The prevailing security model predicates defense in depth of transaction systems. The most common strategies are to mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking entry of malicious code to the network.
Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.
A reactive network defense tool such as a firewall cannot protect against exploitation of software defects, and an application firewall is no replacement for in-depth understanding of company-specific source code or system configuration vulnerabilities.
Business Threat Modeling is a threat assessment process that employs a systematic risk analysis of business systems along with quantitative evaluation of how well removing defects reduces risk.
Business Threat Modeling is based on four basic tenets:
- Risk analysis for production software
- Quantitative evaluation and financial justification
- Explicit communications between developers and security
- Sustain continuous risk reduction
You can download the Business Threat Modeling methodology for free here