By Aunty Malware
(Editor’s note: Aunty Malware is a real former Fortune 500 CISO who is trying to enlighten the masses without getting sued.)
As firms struggle to gain control of their assets and internal resources, they begin to fall behind in their strategic and tactical plans.
From a corporate standpoint, firms are seriously reviewing what they have in their facilities, organizing their physical and logical assets and recording them in central databases or repositories so that someone is accountable for each one. Why? Accountability, due diligence, regulatory mandates and federal guidelines.
Y2K forced many firms to account for their assets and resources, physical and logical, and encouraged them to add resources and assets to head off a potential disaster. 9/11 was another awakening, where again assessments and implementations were carried out.
However, in the past 5+ years many have become lax, and processes, procedures, change management and the software development lifecycle (SDLC) have suffered, once again plummeting firms back into the overstuffed basement scenario.
2007 could be seen as the year for review and inventory refreshes: cleaning out those wiring closets, pulling out legacy systems, scrubbing stacks of outdated PCs, servers, laptops, cell phones and PDAs. But as most of us know, getting rid of an old pair of jeans is not that easy. Fine, keep the jeans, even if they don't fit, but log them into a repository so that you know you still have them, just in case you can fit into them again.
Migrating from point solutions to more integrated topologies and applications is the strategic motivator in the latter half of 2007 and into 2009. One size does not fit all, and it would be rare to find a data center or computing facility that is not a hybrid. With the larger security companies gobbling up the little chickens, we are seeing a kinder and gentler vendor who plugs and plays nicely with others. Investments in services rather than hardware and software will rise.
Metrics and reporting are going to become a mainstay for almost every aspect of security and risk management. How do you know if you are at risk if you can't measure the risk? Meaningful metrics and reporting will be required by regulators and legislation. Further, proof that the metrics and reports are factual and accurate will also be required. No last-minute manual slapping together of numbers and stats from 5 or 6 sources, all from various points in time. Implementing automated reports and producing consistent stats is a priority in 2007.
What about threats? No worries, there will be no lack of those floating around. The bot herders are making a fortune off this malicious magic. Cybercrime is a real business (not legit, but real nonetheless) in the billions. As long as there is money to be made, the products will be produced for sale. The major concern is the manner in which the well-funded cybercrime employees conduct their business. They have learned from our mistakes. Rather than bang on a core router or firewall, they launch scripts weekly or every other day looking for configuration changes and new services, not merely open ports to stampede through. Their targets are not for fun but high value and for profit. Keeping a tighter rein on our modifications, configurations and, most of all, our critical information is going to be a challenge, mainly because many of us are struggling with the unknown, i.e. lack of inventory, identification of critical information and control of the information and assets.
It's fair to say what happens in 2007 will roll into 2008, especially as it relates to file, data and information integrity and protection. And of course there will be more regulations, federal and state mandates and cybercrime. There is a bright side: risk management and security professionals will likely have enough work to keep them busy until retirement age.
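The adversary's scripts described above look for configuration changes and new services, not just open ports. Below, as an added example that is not part of the original column, is the defender's version of the same check: diff two inventory snapshots taken at different points in time and flag new hosts, hosts that vanished, services added or dropped, config drift, and hosts that nobody in the inventory owns. The snapshot layout, the `HostSnapshot` and `diff_snapshots` names and the sample hosts are assumptions constructed for illustration; in practice the snapshots would come from a scanner export or a CMDB query.

```python
"""Inventory drift check: diff two asset/service snapshots the way a
periodic attacker script would, so the defender sees the change first.

Added example, not code from the original column. The snapshot layout
(hostname, exposed services, config fingerprint, owner) and the sample
hosts are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HostSnapshot:
    host: str
    services: FrozenSet[str]      # exposed services, e.g. "22/ssh"
    config_hash: str              # fingerprint of the device's config export
    owner: Optional[str] = None   # None: nobody in the inventory owns it


def config_fingerprint(config_text: str) -> str:
    """Store a SHA-256 of the config export rather than the export itself,
    so the snapshot repository does not become a second copy of every config."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def diff_snapshots(baseline: List[HostSnapshot],
                   current: List[HostSnapshot]) -> Dict[str, object]:
    """Report what changed between two snapshots: hosts that appeared or
    vanished, services added or removed per host, hosts whose config
    fingerprint moved, and hosts present now with no inventory owner."""
    base = {h.host: h for h in baseline}
    cur = {h.host: h for h in current}
    new_services: Dict[str, List[str]] = {}
    removed_services: Dict[str, List[str]] = {}
    config_changed: List[str] = []
    for host in sorted(set(cur) & set(base)):
        old, new = base[host], cur[host]
        added = sorted(new.services - old.services)
        dropped = sorted(old.services - new.services)
        if added:
            new_services[host] = added
        if dropped:
            removed_services[host] = dropped
        if new.config_hash != old.config_hash:
            config_changed.append(host)
    return {
        "new_hosts": sorted(set(cur) - set(base)),
        "missing_hosts": sorted(set(base) - set(cur)),
        "new_services": new_services,
        "removed_services": removed_services,
        "config_changed": config_changed,
        "unowned": sorted(h for h, s in cur.items() if s.owner is None),
    }


# Constructed sample data: a baseline taken last week and a scan from today.
BASELINE = [
    HostSnapshot("fw-edge-1", frozenset({"22/ssh"}),
                 config_fingerprint("hostname fw-edge-1\nip route 0.0.0.0/0 10.0.0.1\n"),
                 "netops"),
    HostSnapshot("web-1", frozenset({"80/http", "443/https"}),
                 config_fingerprint("Listen 80\nListen 443\n"), "webteam"),
    HostSnapshot("legacy-db", frozenset({"1521/oracle"}),
                 config_fingerprint("SID=LEGACY\n"), None),
]
CURRENT = [
    # The firewall grew a management listener and its config changed.
    HostSnapshot("fw-edge-1", frozenset({"22/ssh", "8443/https"}),
                 config_fingerprint("hostname fw-edge-1\nip route 0.0.0.0/0 10.0.0.1\n"
                                    "ip http secure-server\n"),
                 "netops"),
    HostSnapshot("web-1", frozenset({"80/http", "443/https"}),
                 config_fingerprint("Listen 80\nListen 443\n"), "webteam"),
    # legacy-db is gone from the scan; a box nobody owns has appeared.
    HostSnapshot("unknown-box", frozenset({"3389/rdp"}),
                 config_fingerprint(""), None),
]


def run_check() -> Dict[str, object]:
    """Run the drift check over the constructed snapshots and return findings."""
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

The check is deliberately dumb: it needs no knowledge of what the devices are, only that two snapshots exist and that each asset has an owner of record. That is exactly the inventory the column says most firms lack, and it is the same information the attacker's weekly script is reconstructing from the outside.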