InfoWorld - Security Adviser: Know your threats before you deploy defenses
Collecting information about how your organization was compromised in the past may not be fun, but without that step, you'll never do security right

By Roger A. Grimes
Oct 6, 2015

Only in the computer security world would I get taken to task for saying the defenses you apply should be directly related to the threats you face. That’s exactly what happened after I posted “The No. 1 problem with computer security” last week.

Several readers wrote to tell me how stupid I was for not including their pet threat defense project. Others wrote to say I did not sufficiently appreciate the threat of pass-the-hash attacks. Still others maintained I shouldn’t be proclaiming anything when many companies don’t have firewalls or up-to-date antivirus software, and so on.

Well, I don't lack for appreciation of any particular threat. As I said, each company should measure its own risks and respond accordingly.

If not having a firewall, for example, is one of the leading causes for exploitation at your company, then you should be on it, although I doubt a missing firewall is the root cause of your problems. Traditional firewalls only help when a service you are running is either unpatched or misconfigured -- if you have those problems, a firewall won't save you.

How do I know? Because most of the world has firewalls, and those companies are as exploited as the companies that lack them, because firewalls don’t stop many threats these days.

That’s the heart of my recommendations: Most companies do not look at the exploits that are most successful against them before they choose their security defenses.
