Thursday 9 June 2016

Swallow the security engineering pill: Why resilience is the best Rx

Our pursuit of security is a lot like our efforts to remain healthy.

While it’s not something I desire, I know that I’m going to get sick again. I take steps to avoid illness, including washing my hands, exercising regularly, avoiding unhealthy activities such as smoking, and even participating in my company’s wellness program. But I can’t mitigate all the threats to my health. For example, I travel all too frequently on airplanes, exposing myself to germs others are infected with. Fortunately, over the years my body has built up resistance and I’m usually unaffected. When I do get sick, and I will, I’ll see a doctor and persevere until I’m back to full health.

Keep the security doctor away

Similarly, we need to recognize that in today’s evolving threat landscape we face a constant risk of attacks and need to build up our resilience against them. Hewlett Packard Enterprise’s security research report, The Business of Hacking, reports that in 2015, losses due to cybercrime were estimated to be more than $300 billion. So while we may have layers of defenses to thwart attacks, some of these attack vectors are succeeding in bypassing our security controls. When we do succumb to an attack, our business functions will need to continue to operate.


Good systems security engineering practices are required to build more trustworthy and resilient systems. The latest guidance for this domain is captured in the second draft of National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The SP details the engineering-driven processes necessary to develop more defensible, resilient, and survivable systems. The recommended security design principles are captured in the figure below.

As stated by NIST senior fellow Ron Ross in the foreword:

“The ultimate objective is to obtain trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders.”



from cyber security caucus http://ift.tt/1WGHFqQ
via IFTTT
