InfoWorld - Security Adviser: The No. 1 problem with computer security
Everyone focuses on the wrong threats. You've undoubtedly been breached already, so the key is to collect data that can help you prevent attackers from succeeding again

By Roger A. Grimes
Sep 29, 2015

I've been in the computer security field for nearly three decades. During that time, I've watched it go from bad to worse to ugly.

Today, the average computer security defense is so bad, we had to invent a new paradigm a few years ago called "assume breach." This phrase admits that our security controls are so inadequate that we concede defeat in preventing hackers from gaining access to our environments. Instead, we concentrate on limiting the damage attackers do once they're inside our "hard outer shell."

This is actually the way we need to think about computer security today. If you have anything worth stealing, you've been breached. Every computer defense strategy must assume breaches have occurred and will occur, yet remain dedicated to preventing them.

The problem I have with the "prevent breach" imperative is that in most cases, the defenders aren't really trying. They say they are. They may think they are. But they aren't.

For example, in most environments, two attack vectors account for 99 percent of all successful attacks: unpatched software and social engineering. But instead of defending our environments in a risk-aligned way, we concentrate our efforts on almost everything else.
