As I started this journey 13 topics ago, I mentioned that ‘security’ is really about managing risks and threats.  Most security experts would agree that the only way to be 100% secure is to unplug your units & it’s somewhat foolish to think that you are completely safe across the board.  In #2 of 26 Short, I mentioned a stat that 60 percent of companies had experienced a data breach in last year. However, only a minority of six percent could say with certainty that they had not experienced any such breaches in the past two years.  If you are not in that 6%, you almost need to expect that some sort of malicious activity is always targeting your systems.  In some ways, this helps you prepare and understand your risks.  With that information, you’re then much better able to Mitigate those risks.  Mitigation essentially has to do with having a plan of action pertaining to specific risks.  Often it also gives those involved specific duties (or actions to take) depending on the severity of the event.  According to the Project Management Institute, there are four basic approaches to risk mitigation:

  • 1. Avoidance: eliminate the conditions that allow the risk to berisk present
  • 2. Acceptance: acknowledge the risk’s existence but don’t do anything except for a contingency plan if the event happens
  • 3. Mitigation: minimize the probability or impact of the risk
  • 4. Deflection: transfer the risk somewhere else

Let’s start with end users.  Many think that security is also about keeping the bad guys out.  While that’s true, it’s more about securely letting the good guys in, to the specific stuff they need, depending on the contextual conditions.  A user tries to VPN to your corporate systems but during a host check, your controller notices that the device’s AV software hasn’t been updated in two months.  Are you going to deny access to this authorized user or help them (mitigate) the situation by instructing them to update their files, or better yet, re-direct them to a landing page so they can get updated automatically.  The helpdesk can avoid a support call, plus you educate the user on the AV policy for corporate access.  Also, in regards to end users, if there are signals that a potential disaster is coming – say a storm is bearing down on locations where your remote workers live – maybe try reaching them via Systems Management before they call with no access.  You might be able to route around the situation.

As far as your infrastructure, Mitigations of risks is a daily task.  Firewalls for networks, strong passwords for logons, WAFs for public facing sites (especially ecommerce), access cards for facilities, backups, storage, disaster recovery and the list goes on.  There has been a lot of focus on mitigating DoS attacks recently, due to many popular sites, including Government web applications, having issues….and some having none.  Just last week, The SANS Institute published their Top Cyber Security Risks and as Gideon J. Lenkey points out in this article, at the top they state, ‘Two risks dwarf all others, but organizations fail to mitigate them.’  They were talking about unpatched client software and vulnerable pubic facing web sites.  It’s interesting that while OS patching has gotten better (maybe due to worms & auto update settings), client updates of software applications (like Flash, Java, etc) fall behind.  And it’s those applications that get you in the most trouble!

As a side note, some of the runner-ups for #13 were Mobile, Malware, Monitoring and Man-in-the-Middle attacks.  Since articles appear daily about those topics, I thought Mitigation might be a good since it can help in all those areas.

ps