
Information security challenges

The threats faced by today's organizations are highly complex and represent a real danger. Mounting an attack has become much easier, for reasons that include the following:

  • End users: The people who use our information systems are prone to clicking on website URLs and opening attachments in emails
  • Malware kits: Do-it-yourself kits sold by criminals that let a buyer build their own malware with little expertise
  • Cloud computing: Cheap and easy access to computing resources gives attackers the same on-demand processing power that businesses enjoy
  • Exploit subscription services: Underground services that an attacker can subscribe to in order to receive the latest exploits

An attacker can take these tools, string them together with tutorials found online (as well as their own knowledge and resources), and build a sophisticated attack that could affect millions of computers worldwide.

Modern computer systems were never really designed to be secure. From the very beginning, computers have had an inherent trust factor built into them: designers did not take into account the fact that adversaries might exploit their systems to harvest the valuable assets they contained. Security therefore came in the form of bolt-ons or bandages applied to an inherent problem, and this continues to this day. If you look at a modern computer science program, cybersecurity is often not included. The result is the modern internet, overflowing with vulnerable software and operating systems that require constant patches because security has always been an afterthought. Instead of security being built into an information system from the beginning, we are faced with an epidemic of vulnerable systems around the world.

The computing power available to the average individual has greatly increased over the past few decades. This has resulted in an increase in sanctioned, and unsanctioned, personally-owned devices processing organizational data and connecting to corporate networks. These unmanaged devices are typically set up for the speed and convenience of a personal user and do not take into account the requirements of corporate information security.

Many organizations see information security as a hindrance to productivity. It is common to see business leaders, as well as IT personnel, avoid the discussion surrounding security for fear that security will prevent the corporation from achieving its mission. Integrating security into a project's Systems Development Life Cycle (SDLC) may be resisted, as team members may believe security will prevent a project from being completed on time or view it as an impediment to the business' financial gain. Controls such as multi-factor authentication (MFA) or Virtual Private Networks (VPN) may be resisted because the business does not want to invest the capital for such solutions, often due to not understanding the technology and how it would reduce the organization's cyber risk.

Overcoming these challenges requires that the information security leader has a strong understanding of the organization they work for and that communication is maintained effectively. The information security professional must integrate with all functional/business owners within the organization. This allows the security professional to help determine the risk posture of each business area and to help each business owner make sound risk-based decisions. Information security must offer solutions to the business leader's challenges rather than adding new challenges for the business leader to solve. Additionally, the information security professional must work and collaborate effectively with their counterparts in information technology. Many information security professionals focus on dictating policy without discussing what is actually needed. The goal is to foster a relationship in which the information security group is sought out for answers rather than avoided.
