RELIABILITY
What constitutes reliability?
Per the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability:
Security
Integrity
Availability
Maintainability
And what if your organization uses worst practices? Find out with the standard network security testing techniques (the set catalogued in NIST SP 800-42):
Network Mapping
Vulnerability Scanning
Penetration Testing
Security Testing and Evaluation
Password Cracking
Log Reviews
File Integrity Checkers
Virus Detectors
War Dialing
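File integrity checking from the list above, as an added example that is not part of the original slides: a baseline of SHA-256 digests (plus size and permission bits) is taken over a directory tree, the tree is then tampered with in the ways an assessment typically turns up (a replaced binary, an extra uid-0 account in the password file, a dropped script, a deleted file), and the verify pass reports each class of change. The directory layout, file names and contents are constructed inside `demo()` in a temporary directory; they mimic Unix system files but are not real ones.

```python
"""Added example: a minimal file integrity checker (baseline + verify).
Not from the original slides; the tree under test is constructed in demo()."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file (relative POSIX path) to digest, size and mode bits.
    Symlinks are skipped: hashing a link's target would let an attacker keep a
    'clean' name pointing at a clean file while the real file is replaced."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline: added, removed, modified."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a small tree, baseline it, tamper with it, return the report.
    The baseline is written to a separate directory, outside the tree it guards."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as s:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")

        store = Path(s) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated tampering (constructed for the example):
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned binary")      # replaced binary
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")  # extra uid-0 account
        (root / "etc" / "hosts").unlink()                                   # deleted file
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_text("#!/bin/sh\n")                     # dropped script

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The checker only tells you something if the baseline, and the checker binary itself, live where a compromised host cannot rewrite them: read-only or offline media, or a separate host, ideally with the baseline signed. A baseline kept on the same disk as the files it guards reports nothing once an attacker updates both.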
Network mapping
Strengths:
  Fast
  Efficiently scans a large number of hosts
  Many excellent freeware tools available
  Highly automated
  Low cost
Weaknesses:
  Does not directly identify known vulnerabilities
  Generally used as a prelude to penetration testing, not as a final test
  Requires significant expertise to interpret results
WRONG!!!!!!!!
Typical findings
Inappropriate policies at the macro and micro levels
Vendor-provided patches not applied
Exploitable files and services not removed or disabled
Ineffective security configuration strategy
Outdated vulnerability scanning and intrusion detection tools used
Unclear understanding of responsibilities with service providers and vendors
Ineffective monitoring of activity and new vulnerabilities
False comfort relating to the level of security and understanding of risks to the business
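Log review, listed among the techniques earlier and the counter to the "ineffective monitoring of activity" finding, as an added example that is not part of the original slides: constructed syslog-style sshd lines are parsed, each source address is checked for a burst of failed logins inside a time window, and any accepted login from a bursting source shortly after its burst is flagged. The hostname `bastion`, the RFC 5737 documentation addresses, the year 2024 (syslog timestamps carry none) and the thresholds are all assumptions for the example; the second run with a three-hour window shows why a fixed short window alone misses a low-and-slow guesser.

```python
"""Added example: a log review that flags password guessing against sshd.
Not from the original slides; SAMPLE_LOG is constructed, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 12 10:00:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 12 10:00:03 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 51123 ssh2
Mar 12 10:00:04 bastion sshd[1003]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar 12 10:00:06 bastion sshd[1004]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar 12 10:00:07 bastion sshd[1005]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar 12 10:00:09 bastion sshd[1006]: Accepted password for root from 203.0.113.5 port 51127 ssh2
Mar 12 10:15:00 bastion sshd[1010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 12 10:20:00 bastion sshd[1011]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar 12 11:00:00 bastion sshd[1020]: Failed password for bob from 192.0.2.9 port 3000 ssh2
Mar 12 11:30:00 bastion sshd[1021]: Failed password for bob from 192.0.2.9 port 3001 ssh2
Mar 12 12:00:00 bastion sshd[1022]: Failed password for bob from 192.0.2.9 port 3002 ssh2
Mar 12 12:30:00 bastion sshd[1023]: Failed password for bob from 192.0.2.9 port 3003 ssh2
Mar 12 13:00:00 bastion sshd[1024]: Failed password for bob from 192.0.2.9 port 3004 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_event(line: str, year: int = 2024):
    """Return (kind, timestamp, user, ip) for failed/accepted sshd logins, else None.
    The year is assumed because syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    f = FAILED_RE.match(msg)
    if f:
        return ("failed", ts, f["user"], f["ip"])
    a = ACCEPTED_RE.match(msg)
    if a:
        return ("accepted", ts, a["user"], a["ip"])
    return None


def review(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag source IPs with >= threshold failures inside window_s seconds (a burst)
    and any accepted login from such a source within window_s of its last failure."""
    failed = defaultdict(list)
    accepted = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, ts, user, ip = ev
        if kind == "failed":
            failed[ip].append(ts)
        else:
            accepted.append((ts, user, ip))

    bursts = {}
    for ip, times in failed.items():
        times.sort()
        # Sliding window: threshold consecutive failures spanning <= window_s.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                bursts[ip] = {"failures": len(times), "first": times[i], "last": times[-1]}
                break

    suspicious_logins = [
        (ts, user, ip) for ts, user, ip in accepted
        if ip in bursts and 0 <= (ts - bursts[ip]["last"]).total_seconds() <= window_s
    ]
    return {"bursts": bursts, "suspicious_logins": suspicious_logins}


if __name__ == "__main__":
    for name, r in (("fast", review(SAMPLE_LOG)),
                    ("low-and-slow", review(SAMPLE_LOG, window_s=3 * 3600))):
        print(name, sorted(r["bursts"]), r["suspicious_logins"])
```

With the default one-minute window only 203.0.113.5 is flagged, together with the root login that followed its burst; the five guesses from 192.0.2.9 spread over two hours only show up when the window is widened. Reviewing logs means running more than one window, and treating a success that follows failures from the same source as the finding that matters most.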
How much to fix?
Not as much as you would expect.
You don't necessarily need to purchase advanced technology:
80% of the problems can be resolved very cost-effectively.
Organizational culture and behavior modification require the greater effort.
And what of these patches we keep hearing about?
Apply them. Otherwise you are playing just to hand the ball to the other side.