The threat landscape in information security is in a constant
state of flux, with new threats emerging and existing threats
becoming ever more sophisticated, write Steve Wright and
Nick Frost.
At first sight, it might be fair to say there is nothing
ground-breaking in this observation, as all security professionals
have lived with this situation for decades. But many of the
macro-environmental factors that often go unnoticed - such as
political, legal, economic, socio-cultural and technical - have
greater significance for the types of threat that challenge
information security professionals today.
These factors range from the well-publicised, such as the rise
in incidents related to organised crime and increasing signs of
internal misuse of information by employees concerned with job
security, to the less obvious, such as organisations outsourcing
critical business services to companies that can help reduce costs
but which may not always be able to provide the level of protection
expected.
The question of what actions organisations should take requires
an approach that can flex with this dynamic threat landscape while
maintaining value to the business. There is no silver bullet (and
never will be) to selecting controls to mitigate all information
security-related threat types, but there are key areas of focus
that organisations need to consider.
Get the basics right: adopt a risk-based approach to
identifying critical information and select controls to help
protect it; establish greater collaboration with the business; and
create a more vigilant workforce. A tried and tested technique for
greater collaboration with the business is to align the risks to
the objectives of a business function. This makes it more
meaningful to business owners and allows them to design a more
effective risk treatment plan.
Enhance existing security controls: analyse event logs on
critical systems; establish a responsive capability; do not place
all your trust in preventative technologies; and embed security
early on in the development lifecycle.
Adopt controls that may be seen as unconventional: test
attack kits in quarantined environments; use specialist third
parties to monitor hacking communities; and conduct background
checks on key members of staff who "hold the keys to the kingdom".
As Sun-tzu said, "Keep your friends close, but your enemies
closer."
Steve Wright is senior manager at PricewaterhouseCoopers
Security
Nick Frost is senior research consultant at the Information
Security Forum