Cisco's latest Security Report: urgent risk assessment of internal threats

For IT administrators in enterprises, internal threats are the most troublesome. Implementation, compliance, and Web 2.0 applications all bear closely on enterprise security. Cisco recently released its half-year threat report, which offers general suggestions on how to address these closely related problems.

Internal threats appear to be the hardest to defend against.

This has been a recent news hotspot; several energy companies and the US State Department are among the best-known victims.

"There are three reasons for increasing internal threats," said Patrick Peterson, Cisco Senior Researcher and Chief Security Officer. "The first is financial problems. Many employees are involved in illegal activities out of despair. The second reason is that the relationship between the employer and the employee has changed, and employees are increasingly distrustful of their employers. The third reason is the expansion of global and outsourcing services."

To address this threat, Peterson said companies need robust identification and auditing mechanisms, but they cannot overdo it. He pointed out, for example, that the city of Bozeman, Montana recently asked job seekers to provide all their account names and passwords for various social networking websites. "They did notice the real threats, but the policies they execute may be illegal and are certainly unnecessary," he said.

Peterson said enterprises must be able to identify risks and apply different policies to specific job functions and business scopes. "There is no one-size-fits-all policy," he said. "We have repeatedly stressed that you must fully understand risks."

"However, it is surprising that many companies do not focus on in-depth understanding of risks and do not develop strategies to minimize risks," Peterson acknowledged. Security policies are often driven by compliance rather than developed on the basis of risk management. 51cto.com introduced six assessment methods for implementing risk management in a previous article; the experts there also suggested that the significance of risk assessment lies in understanding risks and the risk handling process. After weighing the management cost, an enterprise can select a suitable control method and adopt the same baseline control for similar risk factors, which reduces the cost of assessing low-risk items while preserving the effect.

Peterson explained that this means companies only begin to solve a problem after it has occurred. No one should still be struggling with a problem that was fixed two years ago, but in the real world many people are.

"CSOs (Chief Security Officers) must play a leading role in looking at real-world risks," he said. He pointed out that some industries often wait until a problem has escalated into an incident. Enterprises in the financial services industry, for example, generally wait until a peer has made newspaper headlines over a security issue before addressing the problem themselves. Peterson said that when this happens, they should at least try to find out why they did not discover the problem before reading about it in the news.

Software development will be protected

New software development platforms help enterprises manage internal threats when developing new applications. IBM released cloud computing-based authorization software to address this problem, and the open-source TeamForge has also committed to helping enterprises with it.

Verizon Business announced last week that it is providing an application security service to help enterprises manage the entire project lifecycle and even improve their software development processes.

Peterson said enterprises do need these services. "The development work has become faster and more complex, and the current risk is much higher than before if you encounter errors, especially in network applications," he said. "Attacks from bad guys are coming so fast."

SaaS and Web 2.0

Many enterprises are very concerned about Web 2.0. They should understand what it brings them, but they cannot ignore the risks. "There are many similarities between security threats and infectious diseases," Peterson said. "Some community networks, especially community networks, are my nightmare. It's like an infectious disease doctor seeing everyone in the room sneezing at others."

To reduce risk, you must sacrifice performance. Peterson said that the safest email service he ever used was when he was an undergraduate at Stanford University in 1987. "I could send emails to anyone in the school, which is safer than what I use now, but its functionality is not even mentioned in pediatrics," he said.

Security policy for community networks must be based on real data. If everyone simply continues to do as they please, both users and the IT department will eventually be overwhelmed.

How to conduct training

Peterson believes that video is much more powerful than text, even for advanced training. "When I took out a video and asked them to see for themselves what happened to those who browsed the web page, their eyes would shine even if they were already knowledgeable. I know they have a new understanding," he said.

"You can't just say, 'Don't touch the stove, it's hot,' or 'Be careful with Windows ActiveX vulnerabilities,' and so on. You need to communicate substantially. Once they understand that 'some people want to hurt me and the enterprise,' they are half done," he said.

Enterprise security guidelines cannot be too long. One way to simplify them is to tailor the guidelines to specific job functions or business scopes. He added that many books on security policy were written more than a decade ago; the list of items to be concerned about has kept growing, yet none of them can be deleted.
