Too many questions, too few answers?

Graphic: The Spread of "Red October"

The threat landscape is changing. If you have seen the latest James Bond movie (SKYFALL), you will recall the clip where M launches into her speech (1:39). Scenarios of that kind are exactly what information security professionals worldwide are dealing with. Some of them know and understand the actual threat vectors; others are left with limited or no budgets.

Is your security team busy with routine tasks, compliance and mundane stuff, but not the top 5 risk items? Did the risk items change when the clock switched to February? And was your security staff working on risk items from the previous year’s calendar?

Several vulnerabilities could exist, and earlier this year it was found that Java has vulnerabilities that would take some time to fix. We were also told this year about Red October, in which several GB of data were siphoned off systems.

Whichever industry you are in, have you locked down at the end of the day, akin to locking up at home at night to keep out burglars? There are new state-sponsored organised cybercrime rings that now use their industry vertical experience to carry out targeted attacks: this month it could be Banking, next month Telephony, and so on. Cyber-intelligence gathering can work both ways, with the bad guys collecting data on your organisation and then finding a way in.

What about your security dashboard? As a CEO you look at the top line financials, sales and how well your stock is doing. Have you considered an Infosec dashboard? No!! That’s because you have left it to the CISO, who isn’t monitoring that either. If you haven’t had a public security breach, it is because the bad guys are already in, or they have listed you somewhere down the list, or maybe it is happening and you don’t know it. Will this security breach damage the reputation of your organisation? And send your stock on a downslide?

Is your security infrastructure actually working? Is your helpdesk your worst enemy, opening ports to access the internet at night? Do your employees access restricted applications in collaboration with the IT team? Have you actually sifted through audit trails (Big Data challenges) to understand if compliances are being bypassed? Is your security contractor giving you really good advice? Or ticking a few boxes? Has your IT team actually seen the threats first hand?

Are your advisors really providing sound security advice to the client, or are they just fulfilling the role and box-selling? Do they ignore or bypass the security protocols at client sites? Are you relying on age-old mechanisms of security searches? Which version of Angry Birds do you play? Has this been vetted by the security team?

We are actually staring an information security meltdown in the face. Probing has already started from all cyber agencies, and your network is not safe. What are you going to do about it? Or will it be a case of TOO LITTLE!! TOO LATE??

Next week: Quick wins!!

Further Reading
The hunt for Red October
Java Zero Day vulnerabilities
Java Exploits