Training the Next Generation of Hacktivists

by Rob Rachwald on May 17, 2012

in SBN

It’s a well-known fact that hackers learn their trade in underground forums that feature tutorials, videos and other instructional material. Traditionally, such material was designed to help hackers profit. Recently, we came across a nice library that was assembled by a hacktivist group. This group used to have quite a large site explaining how to hack, with forums for new hackers and exploits. (The site is no longer active and the activity of its members is unknown.) First, to get an idea of what this group did, here’s a screenshot from their Twitter feed: In essence, their purpose was clear:...
Ian Watmore played a unique role in the attempt to create a UK equivalent of the Office of President: from the Andersen/Accenture support for the New Labour project through to a return to the centre of power after the transition to a coalition government. However, the idea that the delivery of public services should be outsourced under the supervision of Cabinet Office was always alien to the tribes of Whitehall. The CIO and CTO collegiate approach always fitted much better with the culture of Whitehall, if the objective was to transform the delivery of public services rather than "merely" centralise power into the hands of the triumvirate of Cabinet Office, Treasury and Number 10.

Now that the money has been spent, the future mortgaged and a second, much deeper, round of cuts is about to begin, it will be interesting to see who is brought in to help terminate the inflexible PFI contracts that stand in the way of a return to fiscal health. The alternative may well include pain on the scale of that in Greece and Ireland, with a Geddes Axe style 10% cut in public sector wages and pensions.

I personally think Francis Maude could do a lot worse than bring Richard Granger back to complete the job he started - when he held the NHS contractors to their side of the nonsense contracts he inherited - and his former employer, Accenture, was the first to sue for peace and walk away. However, in parallel with the cuts to "stop the bleeding" we do have to start rebuilding for the future.

If the bulk of the Civil Service is to be sent home for the summer, they should be enrolled, in short order, on distance learning courses on Finance and Business Administration using some of the excellent material available from the Open University or Strathclyde Business School as part of the long overdue implementation of the Fulton report.

And after that summer break, will we have seen a seismic shift in power from Whitehall to Town Hall and from "Nanny knows best" to "self help", turning the "Big Society" from rhetoric into reality? I fear, however, that I may see pigs practising synchronised swimming in flood water before then.

In this, our third and final interview segment with Dan Guido, Co-Founder and CEO of Trail of Bits, Dan talks about the security threats and attack vectors that pose the greatest threat to enterprises today. Watch the interview below.

We also added in a quick summary to cover the highlights of the interview.

How can organizations prepare to face security threats?
Dan states that organizations should look at all the attacks that are happening in the industry they are in (from peers and from data releases by security companies), so they can learn from the lessons that other companies have experienced. Dan states that there is not enough sharing of information in the industry about the attacker techniques, tactics and procedures that have been used to perform compromises. Companies need to collect and analyze attack data, understand what hackers are doing, and then use that information to develop defenses that work against the techniques being used. Security programs should be able to trace their spending back to actual reductions in data loss.

Which attack vectors pose the greatest threat to enterprises today?
Dan stresses the importance of protecting the entire enterprise from threats, not just protecting one single application. That said, he also notes that attackers interested in financial fraud or credit card theft will be focused on compromising individual applications. To defend against them, enterprises may want to use dynamic web scanning, or source code auditing per application.

To view the other interviews with Dan Guido posted as part of this series, click on the links below.

1. Interview with Dan Guido on Vulnerabilities
2. Interview with Dan Guido on Mobile Platforms and BYOD

Let us know how you liked this interview series with Dan Guido, and if you have any suggestions for other hot topics you would like to see industry experts discuss.

[New White Paper] Vulnerability Management Evolution

by mrothman@securosis.com on May 17, 2012

in SBN

Organizations have traditionally viewed vulnerability scanners as a tactical product, largely commoditized, and only providing value around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Those 100-page reports do make auditors smile, though, as they offer a nice listing of all the audit deficiencies to address in the findings of fact. The tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We’ve documented our views on this evolution to a vulnerability/threat management platform in the paper Vulnerability Management Evolution.

No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective.

Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization.

We’d like to thank all of our sponsors for supporting our research, including nCircle, Qualys, Rapid7 and Tenable. As long as compliance is in play, you’ll need to scan for vulnerabilities. At least make some use of a more functional platform to do that and more.

Download: Vulnerability Management Evolution

The paper is based on the following posts:


Gov. Gary Herbert apologized to the 780,000 victims of the health data security breach on Tuesday.

To restore the public’s trust, he announced Tuesday that he fired Department of Technology Services director Stephen Fletcher and hired an ombudsman to shepherd victims through the process of protecting their identities and credit.

“The people of Utah rightly believe that the government will protect them, their families, and their personal data. When they interface with us that is in fact our charge,” Herbert said at an afternoon news conference, adding that one of his family members was among those whose information was compromised.


Hack Naked TV Episode 35

by PaulDotCom on May 17, 2012

in SBN

In this episode we discuss the origin of legacy vulnerabilities. We also discuss the Amnesty International hack and how it takes a special jackass to hack a charity.

Links for this episode:

  • Avira AV bricks Windows systems
  • Lion passwords in the clear
  • Amnesty International site hacked
  • Offensive Countermeasures at BlackHat

    Links to cool stuff our awesome sponsors are providing:

    CloudPassage offers a free Basic version of Halo that includes extensive cloud security features, such as host-based firewalls, vulnerability management, security event alerting, server account management and intrusion detection. Halo works with any cloud provider and makes server security portable across environments. The convenient Halo portal allows you to manage all your security from one screen, whether it's in public, private or hybrid clouds – even traditional data centers.


    Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud. Don’t take our word. Try it for yourself! For a limited time, download here.

  • Survey underscores the heightened risk associated with content-layer threats
Who doesn't love a good romance story? Oh, probably those who have ended up losing out on a lot of money.

Cloud Security Benefits for SMBs in India

by trusted-cloud on May 17, 2012

in SBN

Posted by: Richard Saunders, Director, Trustworthy Computing

Earlier this week we shared news around the security benefits small to mid-size businesses (SMBs) gain from using the cloud in both the United States and Singapore. Additional data focusing on SMBs in India shows that improved security, time savings and cost savings are all benefits Indian SMBs using the cloud experience as well.

In preparation for the launch of the (ISC)2 EMEA Advisory Board, I’ve had numerous conversations with people about the...