Exposing Security risks seems counterintuitive, but if you don’t find a way to do it internally then your organization may become the next news story. Examples:
- Equifax. Unpatched version of software.
- City of Baltimore. Ransomware attack using stolen NSA tools.
- 50,000 organizations using SAP may be at risk.
A Wall Street Journal (WSJ) article from May 2018 discusses how some organizations measure Security risks. This may include monitoring what percentage of an organization’s software is using the latest version.
So, from the WSJ article, here are two ways for your organization to think about the problem (in bold text), followed by our thoughts.
**Who’s attacking and why?** It may be for espionage or money, and if for money then it may be for a ransom or to profit on stolen data.
**How exposed are we anyway?** This should stimulate questions such as:
- What software is in use?
- What versions of the software are in use?
- Where are the software versions in use? In 8folios.com an organization creates a pragmatic and sustainable map (aka blueprint) of Technologies and Technology versions to things such as Applications and Integrations (e.g. REST API). We call it the Where Used.
- What data is retained in the IT landscape?
- Where is the data retained? In 8folios.com an organization may extend the same map between Technologies, Applications, and Integrations to Data. Data is simply another interconnected portfolio of IT.
- Where is sensitive data such as PCI, PHI, or PII retained? Your organization may be surprised at how sensitive data has propagated across the IT landscape.
- Where is data not properly encrypted? This may be at-rest in Applications or other databases, or in-transit via an Integration (e.g. batch file, message queue, REST API).
A blueprint showing where an at-risk Technology version is in use is a critical (but often lacking) bottom-up approach to managing the interconnected portfolios in the IT landscape. The blueprint will drive conversations on risk, and should result in prioritized mitigation plans and budget requests.
“All the real problems of today are multidimensional… There is no way to fully understand them - thus no way to effectively begin solving them - without at some point literally drawing them out.”
- Dan Roam, The Back of the Napkin
Moreover, think about how to measure the risks. In 8folios.com we help organizations expose and measure Security-related risks in three ways:
- Lifecycle Risks. These risks occur when two items have a dependency but there is a misaligned transition between them. For example, a Manager declares the use of a Technology version needs to end on December 31, but two Applications are dependent on that Technology version and have no plan or budget to upgrade to the newer version of the Technology.
- Unencrypted Risks. These risks occur when data is not properly encrypted at-rest or in-transit.
- Unsupported Risks. These risks occur when a vendor-provided item (e.g. Technology version) is in use beyond the vendor’s support date. The Where Used may then be used to understand the magnitude of the risk.
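The three risk checks above can be run over a Where Used map. The script below is an added illustration, not 8folios.com code; the Technology versions, Applications, Integrations and dates in it are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class TechVersion:
    name: str
    vendor_support_end: date            # vendor's support end date
    planned_retirement: Optional[date]  # date a Manager declared use must end (None = no decision)

@dataclass
class Dependent:
    name: str
    kind: str                        # "Application" or "Integration"
    tech: str                        # TechVersion.name it depends on (the Where Used link)
    upgrade_planned: Optional[date]  # planned move to the newer version (None = no plan/budget)
    encrypted: bool                  # at-rest (Application) or in-transit (Integration)

# Constructed sample blueprint: names and dates are made up for illustration.
TECHS = {t.name: t for t in [
    TechVersion("AppServer 7.2", date(2019, 6, 30), date(2019, 12, 31)),
    TechVersion("DB Engine 9.1", date(2022, 1, 1), None),
    TechVersion("Queue 3.0", date(2021, 6, 30), date(2020, 12, 31)),
]}
DEPENDENTS = [
    Dependent("Billing", "Application", "AppServer 7.2", None, True),
    Dependent("CRM", "Application", "AppServer 7.2", date(2019, 11, 1), False),
    Dependent("Reporting", "Application", "DB Engine 9.1", None, True),
    Dependent("Orders API", "Integration", "Queue 3.0", date(2021, 3, 1), False),
]

def where_used(tech_name, deps=DEPENDENTS):
    """Where Used: every Application/Integration depending on a Technology version."""
    return sorted(d.name for d in deps if d.tech == tech_name)

def lifecycle_risks(techs=TECHS, deps=DEPENDENTS):
    """Retirement declared for the Technology version, but the dependent has no plan or moves too late."""
    out = []
    for d in deps:
        retire = techs[d.tech].planned_retirement
        if retire is not None and (d.upgrade_planned is None or d.upgrade_planned > retire):
            out.append(d.name)
    return out

def unsupported_risks(as_of, techs=TECHS, deps=DEPENDENTS):
    """Technology version still in use after the vendor's support end date."""
    return [d.name for d in deps if techs[d.tech].vendor_support_end < as_of]

def unencrypted_risks(deps=DEPENDENTS):
    """Data not encrypted at-rest (Application) or in-transit (Integration)."""
    return [f"{d.name} ({d.kind})" for d in deps if not d.encrypted]
```

Each function returns the dependents to prioritize, and `where_used` gives the magnitude of an Unsupported Risk for one Technology version.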
If your organization is not having honest conversations about Security risks then it may only be a matter of time... The risk of NSA-created tools being used to attack your organization’s IT landscape is now a tangible threat.
Easily build and maintain blueprints for IT.
Then achieve better outcomes by using that same information to solve common IT challenges, mitigate risk, and reduce incidents.