You’d think we would have a handle on “remediation” by now, given that the term was first coined in 1818. Yet 197 years later it is a growing concern, especially when it comes to IT remediation.
Yes, the term also applies in medicine and other fields, but in IT security remediation takes on a life of its own and becomes a different kind of challenge. Especially now, in 2015.
Jet aircraft fly at greater altitudes than propeller-driven aircraft, whether they are commercial airliners, cargo jets or private passenger jets. Air traffic control usually assigns a cruising altitude of 37,000 to 39,000 feet, and long flights are typically assigned the higher altitudes.
So let’s talk about the jet engine altitude approach (the broad picture, let’s call it 37,000 feet):
- Does your board of directors treat IT security risk as a threat to the business?
- Do your C-level executives support the company’s efforts to proactively prevent security breaches?
- Do you have people in place to deal with remediation?
- Are those people properly trained and educated?
- Are they subject matter experts, or do they simply knee-jerk respond to the crisis?
- Are they on top of their game, so that they jump into action as soon as an event occurs?
- It is inevitable that not everything can be caught beforehand, so response time is what matters in a critical event. What is your response time?
Generally, the shorter the flight, the lower the altitude. Winds complicate this: in winter the jet stream blows strongly from west to east, so eastbound aircraft fly higher than westbound ones to ride it.
For short flights (500 miles or less) the mid to low 30,000s is probably right.
So let’s descend and consider some more pointed factors (the mid-range picture, let’s call it 30,000 feet):
- Has anyone on your security crew attended DEF CON or Black Hat USA?
- Have you budgeted for the upcoming 2015 conferences?
- Who is your go-to person for security expertise, the one who will give you a straight answer?
- The last time you ran a project through your SDLC, how many hours were allocated to security assessment and review?
Small aircraft flying short distances tend to stay at or below 2,000 feet; longer trips are easier on pilots above 5,000 feet. Jetliners fly as high as air traffic control will allow, because a jet is more economical the higher it flies (the thinner air offers less drag).
Using the same metaphor, let’s talk about the low altitude approach (the smaller picture, let’s call it 2,000 feet):
- What do you know about SQL injection?
- What do you know about reflected versus stored XSS?
- What do you know about OWASP (http://owasp.org)?
- What do you know about SANS (https://www.sans.org)?
- What do you know about the OWASP Top Ten?
- How many years ago did SQL injection become a problem (it was publicly described as early as 1998), and why do some people think it is passé?
- Does your team know what account traversal is?
- Does your team know what a risk assessment is?
- Does your team know what application threat modeling is?
- Does your team realize that a SQL injection attack can go far beyond one table? With the privileges of the application’s database account it can read everything that account can see, and on some database platforms it can execute operating-system commands on the database server, effectively taking the server over.
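As an added example (not part of the original article), here is a self-contained Python demonstration of the point behind those last questions: a login routine built by string concatenation beside the parameterized version, plus a profile lookup that a UNION payload turns into a credential dump. It runs against an in-memory SQLite database; the table, users and passwords are constructed for the demo and do not come from any real system. It goes slightly beyond the text by showing data extraction as well as authentication bypass; the escalation to operating-system commands mentioned above is platform-specific and is not demonstrated here.

```python
import sqlite3

# Constructed sample data for the demo: nothing here comes from a real system.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    # Even the setup code uses placeholders; never build SQL out of strings.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is pasted into the SQL text.

    Quote characters in the input become SQL syntax, so the attacker
    rewrites the WHERE clause instead of supplying a value to compare.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text.

    The database never parses the input as SQL, so quotes, comment
    markers and UNION keywords are just characters to compare against.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def lookup_vulnerable(conn, username):
    """A 'harmless' profile lookup that exposes other columns via UNION."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a placeholder; the payload matches no row."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Payloads an attacker would type into the form fields (hypothetical inputs).
# alice' -- closes the string literal and comments out the password check.
BYPASS_USER = "alice' --"
# '' OR 1=1 -- makes the WHERE clause true for every row.
TAUTOLOGY_USER = "' OR 1=1 --"
# A UNION payload turns a username lookup into a dump of the password column.
UNION_USER = "nobody' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login :", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("safe login       :", login_safe(db, BYPASS_USER, "wrong"))
    print("vulnerable lookup:", lookup_vulnerable(db, UNION_USER))
    print("safe lookup      :", lookup_safe(db, UNION_USER))
```

The fix is not input filtering but separating code from data: every real driver and ORM offers placeholders, and the safe functions above are no longer to write than the vulnerable ones. Storing passwords in plain text, as the demo table does, is of course a second problem the parameterized query does nothing about.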
To sum up this article:
- Security Altitude – management, directives, course correction, leadership. These are vital, and at this altitude you are the pilot in a position to course-correct your business.
- Security Attitude – what a business instills in its culture, its employees and its best practices: education, budgeting, security expertise and mindset, all aimed at protecting the company’s reputation, data, clients, customers, partners and general well-being. This puts everyone in the driver’s seat to ensure that every part of the company is properly protected.