Reducing Cyber Risk with Trustworthy Best Practices

Cisco: 08 January 2015 (Special Report)
Ed Paradise, Vice President of Engineering at Cisco, explains industry best practice for cyber risk reduction

Every day, it seems, there is another high-profile security incident in the news. The “2014 Data Breach Stats” report shows that in the first half of 2014 alone there were already 330 data breaches, with more than 8,715,474 records exposed. For the same time frame in 2013, there were 279 breaches. According to the Ponemon Institute, the average cost of an organizational data breach was $5.4 million in 2014, up from $4.5 million in 2013.

The market is experiencing an evolving threat landscape in which attackers are more advanced and more capable. Threats are more visible now for two primary reasons. First, as the Internet of Everything evolves, so do the opportunities for attack and the tactics and techniques hackers use to penetrate the network, in more ways and with more motivation than ever before. Second, the increased sophistication of today’s infrastructure, combined with greater threat intelligence, allows organizations to see those threats more quickly and accurately.

Organizations are searching for solutions to avoid becoming the next headline. What service level agreements for services and requirements in products should be in place to help minimize the risk?

Trustworthy Solutions

Customers are telling us that their most important issues are security and assuring the integrity of the products and data in their networks. In light of the heightened potential for cyber catastrophe, the role of trust is more important than ever before throughout the entire IT industry. A trustworthy product requires that trust be integrated throughout the product lifecycle based on a transparent and open culture of the company, its policies, its processes, its supply chain, and its partners.

Distribution security and integrity are also key components of a trustworthy solution. Where an organization buys its infrastructure matters. Counterfeit or gray market products often contain inferior components and illegal software, and their quality is usually suspect. These unauthorized channels increase the risk of vulnerabilities and costly service disruptions. A trustworthy distributor should guard against malicious modification or substitution of technology and against misuse of intellectual property. Trustworthy vendors should be able to demonstrate control over their design, development, supply chain, manufacturing and distribution processes. To make that trustworthiness verifiable, vendors should also build immutable sources of trust into their products. These trust anchors, working with Secure Boot, detect hardware, firmware and software tampering and provide evidence at startup that a product is authentic.

Organizations also need to constantly monitor and manage their network environment and systems, look for the latest best practices and be diligent in applying them. Diligence is the key factor. Organizations cannot afford to be complacent just because they have met the initial requirements; continuous monitoring, auditing and forensics of the infrastructure are critical. Then, as vulnerabilities occur (and they will), incident response and assessment teams can collaborate with vendors to address the breach or virus quickly and transparently.

A Trustworthy Vendor

A trustworthy vendor should provide ways to affirm that its product is performing as expected and has not been compromised, either in hardware or in software. Vendors should be able to confidently attest that a product performs as expected under the vendor agreements in place, and that it has not in any way been modified or compromised between the time it is sold and the time it is installed.

A trustworthy systems checklist should include:

* The organization should have security policies, awareness and educational programs that promote compliance. An employee code of conduct and core security values should be agreed on by all employees.
* Transparency is key to trust. The organization should be open and forthcoming about any security vulnerability and its remediation.

* There are many steps that go into developing any piece of network infrastructure. The organization should follow (and be able to document its adherence to) best practices for product development and measurements of compliance (e.g., ISO 27034).
* Inevitably, security incidents will happen. Therefore, the organization should provide incident response and assessment that is both transparent and reliable.
* Today’s supply chain is global, touched by many elements and many players across the world. The organization should have security built into its supply chain processes across facilities, personnel and delivery.

* Start with trust from the ground up. Ensure the organization uses a trust anchor as the foundation for counterfeit detection and for secure communications across the enterprise.
* The organization should use verified cryptography to show industry-verified and tested security.
* Transparency must be enabled through visibility into trust across the network environment.
* Other foundational security technologies to look for include a hardware root of trust, a secure device identity established at manufacturing, secure certificate storage, a strong entropy source for encryption, signed vendor software images, and keeping current with software updates.

While the checklist isn’t exhaustive, it is an introduction to the elements a trustworthy partner ought to be able to provide to the organizations it works with. Ultimately, a trustworthy vendor must be a leader focused on continuous improvement to protect its customers’ networks, data and reputation. It must be reliable, responsible and transparent, anticipating challenges and changes while delivering value and executing on its promises.

Looking Ahead

There is no doubt that data breaches will continue. Along with death and taxes, they have become an inexorable part of life. Successful attacks are costly, both to corporate coffers and to reputations. However, as malicious actors have gained in sophistication, so have those in charge of network security. To win the trust of customers, everyone must implement industry best practices (before), respond to breaches quickly and transparently (during) and remain constantly vigilant (after). In today’s advanced threat landscape, complacency is the enemy.
