Posts Tagged 'security'
An architectural risk assessment is not a penetration test or merely a vulnerability scan. It is an engineering process with the aim of understanding, defining, and defending all the functional output from customers, line workers, corporate staff, and client-server interactions. Architectural risk assessments include ethical hacking, source code review, and the formation of a new network design. As Fred Donovan wrote in the Cutter Consortium Executive Update, Architectural Risk Assessment: Matching Security Goals to Business Goals, “Performed correctly, [an architectural risk assessment] will empower the technology staff and enable the business to focus less on security and more on customers.” According to Donovan, the first step of an architectural risk assessment is to conduct interviews Read more
Data-centric protection and security focuses on the organization’s sensitive data (as opposed to its overall computer networks and applications). This is accomplished by locating, identifying, and cataloging sensitive data as well as by applying encryption, data masking, and policy-based data access controls (and end-user monitoring) to protect data residing across multiple enterprise environments. To what extent are organizations adopting, or planning to adopt, data-centric protection and security practices? In a recent Cutter Consortium survey, Senior Consultant Curt Hall asked 50 organizations about their data protection practices to shed some light on this important question. As shown in the figure below, more than a third (37%) of surveyed organizations currently have data-centric protection and security practices in place. Read more
Last week’s DDoS attack against Dyn Inc. had an impact on many organizations beyond the reported hits to PayPal, Twitter, Amazon, Spotify, and others. Even Cutter’s website search function was out of commission for a short while! Experts have warned that at some point, smart versions of devices such as refrigerators, televisions, and thermostats could be manipulated to alter their basic functions, but did anyone foresee that these devices would be used to launch a third-party attack? This isn’t the first time it’s happened, and it’s not likely to be the last. In the July 2016 Cutter article Securing the IoT: It Takes the Global Village, author David Tayouri discusses the threats Internet of Things Read more
This upcoming issue of Cutter IT Journal seeks articles on new approaches, strategies, and solutions to help IT professionals address and prevent the possibility of cyber attacks stemming from IoT-related devices. Cyber threats have been on the rise, and more so with the advent of the Internet of Everything (IoE). Common appliances now feature intelligent processing and real-time connections to the Internet. Health measurements are now collected in real time by smart wearables, including general-purpose smart watches. The latest models from automobile manufacturers feature cloud connectivity for enabling remote software updates, tracking fuel consumption, and streaming dashcam activity. On a larger scale, the smart grid ensures seamless and dynamic allocation of energy where Read more
At the recent RSA Security Conference in San Francisco, data-centric security and protection received a lot of attention. Several trends account for this. The main one, of course, is the large number of high-profile data breaches and other cyber attacks continually making the news, a trend that shows no sign of subsiding. In addition to this constantly lurking threat, we can add growing compliance and regulatory requirements as well as the advent of new (difficult-to-protect) technologies, applications, and architectures. Throw in all the revelations about hacking by various government intelligence services, and it’s easy to see why organizations and security solutions providers have made data-centric security and protection a top priority. The Read more
“Never make forecasts, especially about the future.” — Sam Goldwyn This is particularly good advice for those with the courage (temerity? foolhardiness?) to forecast trends in technology. We can safely predict that technologies will get better/faster/cheaper/smaller, but which ones? Who will use them? How? For what? Back in the days when fairly standard IT was just bought by organizations with cost-conscious and risk-averse CFOs, the only question was how much technology would be bought, which depended largely on the overall economy. Starting in the 1980s, when ordinary people began buying IT, much of it from brand-new companies, predicting consumers’ tastes and quantifying their demand presented a whole new challenge. Add in the Internet, and what Read more
A lot has changed in a few years. When I talked about cloud three years back, I got frownie-faces from my peers. Skeptical looks that belied a deeper-seated fear or trepidation, probably having more to do with their internal image of what a CIO should be than the promise or peril in the new technology. Now, enthusiasm runs ebulliently through the vendor community, animating the animal spirits and spurring on entrepreneurs in search of profits and glory. Cloud has been elevated to high strategy on the billionaire chess board. Mergers and acquisitions are abuzz. Amazon, armed with an overly energetic workforce, gets hypercompetitive in all ways good and ill, supplanting Oracle as one of our Read more