Ask the Experts: Management and Rational Decisions About Security

Saturday, September 22, 2012

Brent Huston

Article by Mary Rose Maguire

We’re starting a new series: “Ask the Security Experts.” We’ll pose an information security question and our panel of experts will do their best to answer.

Our panel:

  • Adam Hostetler, Network Engineer, Security Analyst
  • Phil Grimes, Security Analyst
  • John Davis, Risk Management Engineer

Our Question

How can organizations (whose management may be concerned about hyped-up zero day exploits) make rational decisions about what and how to protect their assets? 

John Davis:

I think you should start to give management perspective by reiterating to them that there is no such thing as 100% security. You cannot be entirely sure of your network or information protection mechanisms. Tell them yes, zero day exploits are probably going to get past traditional AV, IDS and IPS.

But emphasize that there are security measures that are effective in zero day situations. These include such controls as anomaly based detection mechanisms, system user security training, and incident response programs. If you can detect these attacks early and respond to them quickly and correctly, you can effectively limit the damage from zero day attacks.

Phil Grimes:

Read the available data in the 2012 Verizon Data Breach Investigations Report. This will help to show that zero day fears are mostly unwarranted.

While the threat exists, statistics show that most events occur because of “low hanging fruit”, or issues attackers leverage that don’t need super elite skills and can often be mitigated easily on the victim’s side.

The best things to do in this regard are to focus on being fundamentally secure (do the basics), and realize that detection and response are going to be the best tools to help recover from a zero day attack scenario.

Adam Hostetler:

The data we have (Verizon report, etc.) shows that zero day threats are not as dangerous as one might think. Explain to them that the threat exists, but is somewhat exaggerated due to some high profile cases.

And if they have controls that could help combat any zero day threats, it would likely ease management’s fears.

Cross-posted from State of Security
