
Are We Addressing the Wrong Threats?

From Mary Brown | September 17th, 2009

Riva Richmond reports on the latest SANS research, which indicates that organizations are still focused on mitigating operating-system threats while attackers have shifted to vulnerabilities in commonly used client applications such as Adobe and Office products and, in particular, to exploiting flaws in web applications. In other words, the patches most organizations prioritize are not the ones closing the holes that attacks are actually going through.

How would you recommend that organizations do a better job of prioritizing their risk mitigation efforts, assuming you agree with SANS and their partners who participated in this research? 

Share your ideas.
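One way to make the post's point concrete, as an added example that is not part of the original post or of the SANS research it cites: score each pending fix by where attacks actually land (exploit seen in the wild, reachable without credentials, sitting on an internet-facing host) and compare how much of that risk an OS-only patch cycle removes against patching the top items by score. The hosts, advisory identifiers, CVSS values and weights below are all constructed for the illustration, not real bulletins.

```python
"""Ranking pending fixes by where attacks actually land, not by whether the
fix happens to be an operating-system update.

Added example for the post above; it is not code from Capella, SANS or the
article the post cites. Advisories, hosts and weights are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real CVE or bulletin
    product: str
    component: str            # "os", "client_app" or "web_app"
    cvss: float               # base score, 0-10
    exploited_in_wild: bool   # a working exploit has been seen in attacks
    remote_no_auth: bool      # reachable with no credentials and no user action


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    installed: frozenset      # product names present on the host


@dataclass
class RankedAdvisory:
    advisory: Advisory
    total_risk: float
    hosts_affected: List[str]


# Constructed inventory: two user workstations and one web server.
HOSTS = [
    Host("ws-01", False, frozenset({"Windows", "Adobe Reader", "Office"})),
    Host("ws-02", False, frozenset({"Windows", "Adobe Reader", "Office"})),
    Host("web-01", True, frozenset({"Windows", "Custom web app"})),
]

# Constructed advisories: two OS fixes with no public exploit, two client
# application fixes with exploits in circulation, and a fix for an injection
# flaw in the custom web application.
ADVISORIES = [
    Advisory("OS-2009-01", "Windows", "os", 7.2, False, False),
    Advisory("OS-2009-02", "Windows", "os", 9.3, False, True),
    Advisory("APP-2009-01", "Adobe Reader", "client_app", 9.3, True, False),
    Advisory("APP-2009-02", "Office", "client_app", 9.3, True, False),
    Advisory("WEB-2009-01", "Custom web app", "web_app", 7.5, True, True),
]


def host_risk(adv: Advisory, host: Host) -> float:
    """Risk contributed by one advisory on one host. The multipliers are
    assumptions chosen so that evidence of active exploitation outweighs a
    high base score on its own."""
    if adv.product not in host.installed:
        return 0.0
    risk = adv.cvss
    if adv.exploited_in_wild:
        risk *= 3.0
    if adv.remote_no_auth:
        risk *= 1.5
    if adv.component == "web_app" and host.internet_facing:
        risk *= 2.0
    return risk


def rank_advisories(advisories: Iterable[Advisory],
                    hosts: Iterable[Host]) -> List[RankedAdvisory]:
    """Sum per-host risk for each advisory and sort highest first; ties are
    broken by identifier so the order is deterministic."""
    hosts = list(hosts)
    ranked = []
    for adv in advisories:
        affected = [h.name for h in hosts if host_risk(adv, h) > 0]
        total = sum(host_risk(adv, h) for h in hosts)
        ranked.append(RankedAdvisory(adv, total, affected))
    ranked.sort(key=lambda r: (-r.total_risk, r.advisory.advisory_id))
    return ranked


def risk_covered(ranked: List[RankedAdvisory], chosen_ids: Iterable[str]) -> float:
    """Fraction of the modelled risk removed by patching the chosen advisories."""
    chosen = set(chosen_ids)
    total = sum(r.total_risk for r in ranked)
    covered = sum(r.total_risk for r in ranked if r.advisory.advisory_id in chosen)
    return covered / total if total else 0.0


def top_n_ids(ranked: List[RankedAdvisory], n: int) -> List[str]:
    return [r.advisory.advisory_id for r in ranked[:n]]


if __name__ == "__main__":
    ranked = rank_advisories(ADVISORIES, HOSTS)
    for r in ranked:
        print(f"{r.advisory.advisory_id:12} {r.advisory.product:16} "
              f"{r.total_risk:7.2f} hosts={r.hosts_affected}")
    os_ids = [a.advisory_id for a in ADVISORIES if a.component == "os"]
    print("OS-only patching covers %.0f%% of modelled risk"
          % (100 * risk_covered(ranked, os_ids)))
    print("Top two by score cover  %.0f%% of modelled risk"
          % (100 * risk_covered(ranked, top_n_ids(ranked, 2))))
```

Run as a script it prints the ranking. With this constructed inventory the two OS fixes remove roughly a quarter of the modelled risk, while the exploited Reader flaw and the web application flaw sit at the top and together remove about half. The multipliers are the part to argue over; the point is that the ordering follows exploitation evidence and exposure rather than the category of the patch, which is the gap the post describes.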



2 Responses to “Are We Addressing the Wrong Threats?”

  1. Charles J says:
    September 21st, 2009 at 12:41 pm

    I agree that serious problems remain with regard to lackadaisical attitudes towards patching, but I also believe that some excellent solutions currently exist, particularly with regard to virtualization.

    Application virtualization empowers the security professional to manage applications from a central repository, thus reducing the overhead involved in maintaining patch levels while making it possible to quickly and easily do a rollback when a buggy patch rears its ugly head. Virtual Desktop Infrastructure (VDI) is another technology that can simplify the life of the security administrator. Maintaining standard images of client desktops that are locked down to purge user activity between sessions makes it much easier to retain top-down control over client operating systems. What really excites me, though, is ‘virtual appliances’ built upon JeOS (pronounced ‘juice’, Just enough Operating System). Without the bloat of unnecessary software and services, building just what we need on a minimal system, we drastically reduce the attack footprint and the resources required to operate necessary services. It seems the virtualization world is starting to come around to the concepts information security professionals have been preaching for a long time now…

    I believe we would be foolish to not embrace cloud computing to mitigate traditional and emerging risks, but that golden egg will not be laid unless more standardization occurs in the industry. Until we can easily migrate a virtual appliance from one platform to another, we are still left with square pegs and round holes in the paradigm of proprietary platforms. My solution? Put pressure on the industry to develop a set of standards that will make it possible to deploy secured software and services regardless of the underlying hypervisor.

    In the interim, play with the tools we currently have at our disposal to develop said solutions. Citrix, Sun, VMware, and a number of other vendors and projects (open and closed source) provide free versions of their virtualization solutions. Develop and maintain hardened virtual appliances and retain images for future deployments. Learn how keeping it simple really does increase control and thus security. And of course, get annoyed about the expense and additional work involved in having to do this for so many different platforms so that you feel the pain enough to raise your voice and demand standardization that will empower security professionals to more efficiently protect the assets we are charged with overseeing.

  2. Mary Brown says:
    September 22nd, 2009 at 7:44 am

    I agree that virtualization introduces some interesting possibilities into the mix. I don’t know that I am ready to embrace it as a panacea given the tendency for the hacking community to be as creative and determined as those of us trying to secure assets.

    I see the ‘cloud’ as a higher level of risk than virtualizing PCs in a trusted environment. The use of robust encryption solutions is among the controls that data owners would do well to keep in mind when considering releasing their data to the cloud. Another important tool is the use of a well-designed and well-enforced contract. Information has value. I do not underestimate the Googles of the world and their voracious appetite for data mining.

