Hacking and Attacks and Now What???
Many people are entranced by vulnerabilities but fail to see the ultimate vulnerability.
I remember reciting weakness after vulnerability after weakness to past employers and clients. And these recitations were backed by articles and scans and all kinds of exciting, fact-finding tools.
The list would grow; and soon, so would the answers. Fund this tool. Acquire this option. And the list rolled on and on.
What was truly painful was the short-changing given to process, to program, to policy, to p-e-o-p-l-e. I can guarantee that any intrusion study, any scan, will show a myriad of problems, flowering like dandelions on an April lawn. Before your organization focuses on those weeds and the proper herbicide, ask this one very fundamental question:
"Yippee! We know what is wrong. Now what?"
Did you ever stop to examine how your organization fell into the problems you face? Once you have applied the quick answers to the problems identified, how will you change the culture to produce a more effective set of policies? And, if you'll allow the question, how will that culture avoid repeating the same insecure patterns of system use that created the current vulnerabilities?
We have a name for 'unsecure at any speed' organizations: cheap yogurt. You know, no active culture... Security is not a technology, a tool, or a stop-gap rule. It's a set of behaviors your people embody, as if you had built a firewall into their very souls.
You can make money, a lot of money, rattling off all the unsafe settings in an organization's technology. But it is far harder to help build security into the processes around those systems and into the people who use them.