Information & Architecture Security Risk

Just to the Point

Panic-As-A-Service

You don't buy a bazooka to kill a mosquito!

Let's get straight into this: there is nothing new about cyber-attack headlines being used to patronise gullible individuals, organisations and institutes into buying fancy products. I'm not saying there are no security incidents, but adding complex solutions to solve easy problems is not a good idea.


We are living in an era of digitisation, and access to services matters more than ever; [well] it could be a matter of life and death. Cyber boom-and-bust news makes front-page headlines almost every day.

The cost of compliance is getting higher, and so is the cost of breach remediation.

The key lies in objective analysis rather than theoretical analysis. If you want to learn what classical risk is, you might want to read COSO's Risk Assessment in Practice. The underlying problem across all these vulnerabilities is bad coding and configuration errors. That's the soft belly where organisations suffer the most. No matter how successful your Security Ops is, the consequences of bad hygiene are paid by stakeholders and end users.

I'm not against fixing vulnerabilities, but how many of us talk about doing thorough design, threat modelling and negative testing for software? [Exactly] Few! Business is burdened to deliver fast in a hyper-competitive market, and strong security measures eat a lot of time and resources. OMG, this is music to malicious actors' ears.

So, you want me to suggest the 3P's or 5C's of success. I don't have any, but here are some quick, blunt pointers for Chief Information Officers (CIOs) and Enterprise Architects (EAs):

  • SecureScrum: If you really want to Shift-Security-Left, then start making little strides to change the dev/prod culture. Use SecureScrum to develop your CI/CD pipeline. Read more about this on arXiv here.

  • Keep It Simple: If security risk is all about vulnerabilities, threats and assets, then identify all three factors to know your environment before jumping to conclusions.

  • Business Architecture and Security Integration = RiskTecture:

  1. There is No Shortcut to Success: Assess your security posture by finding security bugs, doing negative testing and brutally assaulting your applications to find weaknesses, and acknowledge them.

  2. Minimise your Technical Debt: Track the wonderful metrics suggested by Phil Venables. Personally, I liked the percentage of newly developed applications vs the percentage of legacy systems in the environment. Essentially, if your organisation has new apps [and you focused on security aspects], you get better control of your environment.

  • You Need Supplies: Think of Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) by Google, an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.
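To make the "integrity of software artifacts" point concrete, here is an added illustration (my own code, not Google's slsa-verifier or any SLSA project tooling) of the two checks a consumer performs on a SLSA-style provenance statement before trusting a build: the artifact's digest must appear as a subject of the provenance, and the builder recorded in the provenance must be one the organisation trusts. The statement layout follows the in-toto Statement / SLSA v1 predicate shape; the artifact bytes, the builder URL and the trusted-builder list are constructed values, and signature verification of the envelope is assumed to have been done already by a signing tool.

```python
"""Minimal SLSA-style provenance check (added illustration, not slsa-verifier).

Checks that (1) the artifact's SHA-256 digest is listed as a provenance subject
and (2) the builder that produced it is trusted. Verifying the signature on the
provenance envelope is assumed to have happened before this step.
"""
import hashlib

SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed: builders this hypothetical organisation accepts.
TRUSTED_BUILDERS = {"https://builder.example.com/ci@v1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_name: str, artifact: bytes, builder_id: str) -> dict:
    """Build a provenance statement shaped like an in-toto Statement with a
    SLSA v1 predicate. In real life the build platform produces this."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {"buildType": "https://builder.example.com/ci/build@v1"},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(artifact: bytes, statement: dict, trusted_builders: set) -> tuple:
    """Return (ok, reason). Every failure path names what did not match so the
    pipeline log explains why a deployment was refused."""
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        return False, "unexpected predicateType"

    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest not listed as a provenance subject"

    builder_id = (
        statement.get("predicate", {})
        .get("runDetails", {})
        .get("builder", {})
        .get("id")
    )
    if builder_id not in trusted_builders:
        return False, f"untrusted builder: {builder_id!r}"

    return True, "ok"


# Constructed sample artifact and the provenance a trusted builder would emit for it.
GOOD_ARTIFACT = b"binary contents of app-1.2.3.tar.gz (constructed sample)"
STATEMENT = make_statement("app-1.2.3.tar.gz", GOOD_ARTIFACT, "https://builder.example.com/ci@v1")


def demo() -> list:
    """Run the check against the genuine artifact, a tampered copy, and a
    provenance from a builder the organisation does not trust."""
    results = [
        verify_provenance(GOOD_ARTIFACT, STATEMENT, TRUSTED_BUILDERS),
        verify_provenance(GOOD_ARTIFACT + b"\x00", STATEMENT, TRUSTED_BUILDERS),
        verify_provenance(GOOD_ARTIFACT, STATEMENT, {"https://other.example.net/ci@v1"}),
    ]
    for ok, reason in results:
        print("PASS" if ok else "FAIL", reason)
    return results


if __name__ == "__main__":
    demo()
```

The check is deliberately strict about the builder identity: a provenance whose digests all match but which was produced by an unknown builder says nothing about how the artifact was built, which is the whole point of the higher SLSA levels.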

  • Show-Me-How-Brutal-It-Is [SMHBII]: Business should confess to the Rabi [Security Architect]; just like a table-top exercise, talk to the leads who know the system inside and out rather than to any other project manager, and empower them to do so. Equifax came up with an impressive approach to fostering a culture of highlighting security issues by tying benefits to the issues identified by staff. And you know what? They are killing it!

  • Security Operations Center (SOC) to Security Command Center (SCC): I know it's tough, but you have to mature to a war-footing level. Perform agent and agentless monitoring, and use automation and threat intelligence to make it easy for the team to correlate and contain threats at an early stage.
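As an added example of what "automation and threat intelligence to correlate and contain threats early" looks like in practice (my own illustration, not any SOC product or the author's code), the block below matches proxy-style log lines against a small indicator list of IPs, CIDR ranges and domains, groups the hits by internal source host, and names the hosts that cross a containment threshold. The log lines, the indicators and the threshold are all constructed sample values.

```python
"""Correlate log lines with a threat-intelligence indicator list and pick
containment candidates. Added illustration; all data below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed threat-intel feed: indicator -> (kind, description).
INDICATORS = {
    "203.0.113.45": ("ip", "known C2 node (sample feed)"),
    "198.51.100.0/24": ("cidr", "scanner range (sample feed)"),
    "bad-updates.example.net": ("domain", "malware distribution host (sample feed)"),
}

# Constructed proxy-style log lines: "<ts> <src_ip> <dst_ip> <host> <status>".
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 93.184.216.34 www.example.com 200",
    "2024-05-01T10:00:07Z 10.0.0.5 203.0.113.45 - 200",
    "2024-05-01T10:00:09Z 10.0.0.9 198.51.100.77 - 403",
    "2024-05-01T10:00:12Z 10.0.0.5 93.184.216.34 bad-updates.example.net 200",
    "2024-05-01T10:00:15Z 10.0.0.5 203.0.113.45 - 200",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<status>\d+)$")


def load_indicators(indicators: dict) -> tuple:
    """Split the feed into exact IPs, parsed networks and lowercased domains so
    each log line costs one dict lookup plus a short CIDR scan."""
    ips, nets, domains = {}, [], {}
    for ind, (kind, desc) in indicators.items():
        if kind == "ip":
            ips[ind] = desc
        elif kind == "cidr":
            nets.append((ipaddress.ip_network(ind), desc))
        elif kind == "domain":
            domains[ind.lower()] = desc
    return ips, nets, domains


def match_line(line: str, compiled: tuple):
    """Return (src, indicator, description) if the line touches an indicator."""
    ips, nets, domains = compiled
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not silently matched
    f = m.groupdict()
    dst = f["dst"]
    if dst in ips:
        return f["src"], dst, ips[dst]
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        for net, desc in nets:
            if addr.version == net.version and addr in net:
                return f["src"], dst, desc
    host = f["host"].lower()
    if host in domains:
        return f["src"], host, domains[host]
    return None


def correlate(lines, indicators: dict = INDICATORS) -> dict:
    """Group indicator hits by internal source host."""
    compiled = load_indicators(indicators)
    hits = defaultdict(list)
    for line in lines:
        r = match_line(line, compiled)
        if r:
            src, ind, desc = r
            hits[src].append((ind, desc))
    return dict(hits)


def hosts_to_isolate(hits: dict, threshold: int = 2) -> list:
    """Sources with at least `threshold` hits are containment candidates; a
    single hit is raised as an alert for analyst review instead."""
    return sorted(src for src, h in hits.items() if len(h) >= threshold)


if __name__ == "__main__":
    found = correlate(SAMPLE_LOGS)
    for src, h in found.items():
        print(src, len(h), "hit(s):", h)
    print("isolate:", hosts_to_isolate(found))
```

The threshold is where policy meets automation: one hit against a scanner range is noise worth an analyst's glance, while repeated contact with a C2 indicator from the same host is what you want a playbook to act on without waiting for a human.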

  • Wait, Honeypot? I've many! Welcome, Cyber Mimic Defence (CMD): its Dynamic, Heterogeneous, Redundant (DHR) architecture creates a Moving Target Defence (MTD) that makes it costly for an attacker to get into your system and discourages them from trying. Good for governments and financial entities.

  • Go Passwordless: Soon we will have to move to passwordless authentication and enable two-factor authentication for secure access to services. This makes it more challenging for a threat agent to gain privileged access.

  • Security Awareness by Default (SAD) Program: As all security professionals say, humans are the weakest link in security. Fix it with a risk-aware culture, foster security-related talks, and make your staff watch Mr Robot!