Sunday, May 15, 2011

Standards Compliance.. Just the beginning.

This week, I would like to speak generally about information security as a whole. In my weekly reading I came across an article that featured an interview with an IS representative from CSC (my current employer). I continued my reading and lost the article, so I am not able to reference it here or tell you the interviewee's name. However, my fellow associate made a very interesting claim. It was his belief that many companies who bear the responsibility for information security, or provide information security services, are not truly concerned with protecting digital assets. Many of these companies do not set their goals around protecting their resources and doing whatever it takes to provide that protection. Rather, they only do what can be accomplished with minimal inconvenience. Many companies and security groups base their efforts on what others, or the majority, are doing. By taking those same steps to safeguard their systems, they can claim that the industry standards have been met. So when an incident does occur, the person responsible can point out that the deployed measures were up to code and that all standards and rules were followed. Claiming compliance as proof that every reasonable measure was taken will surely convince management that the results of the attack could not have been avoided. Right?

Now, let's take a quick look at the industry as it pertains to information security. If your company is compliant with industry standards, then it should be safe from attackers and threats, or so the reasoning goes. That is clearly not the case, given the shape the IS industry is in. A standard describes a minimum baseline; it says nothing about the unpatched service or the misconfiguration that the checklist never mentions, and that is exactly where attackers look. I look at information security as a war. There are people out there who mean to bring your interests harm, and it is the responsibility of everybody associated with those interests to take steps to avoid these attacks. In my opinion, the attackers are very successful. We, the protectors of information, are inundated with incidents and giving up more sensitive information every day. Even the major players in the information security field are taking losses. I think it is obvious that simply doing the bare minimum is not enough.

I of course do not have all the answers, nor do I consider myself any kind of authority in the field of IS. However, from my research thus far, it appears that poor patch management is at the root of many of these successful attacks. I understand that my inexperience may result in some naivety in my understanding of the many processes involved in running a proper IS program. Still, patch management appears to be kicking our butts, but why? With the assistance of SCCM and other mass software deployment suites, why are so many systems going unprotected? In some cases, systems will need to be manually updated or patched. Gaining access to these systems, or taking them offline for an upgrade, may not be as easy as it sounds. Keeping up to date on vendor releases can be a tedious task as well, and the evaluation and testing of each patch before deployment is a time-consuming requirement in its own right. Every one of those steps is a place where a patch can stall, and a stalled patch is an open window for an attacker.

Either way, it's a big concern. If you want to find the silver lining in all this dreary mess, I guess we can all be thankful that our IS job security is looking great!


-MJ
