The National Institute for Standards In Technology (NIST) have contributed a wealth of good work to the area of information security standards. A recent example includes a proposal for the Common Platform Enumeration (CPE) that would create a naming standard for information assets that could be used in a variety of ways such as security automation.
The benefits of this standardized naming convention in terms of facilitating communication seems apparent. Got me thinking though about whether or not having a common language can become a point of vulnerability?
What do you think?
Comments
Mary,
I believe you bring up a valid point regarding the possible introduction of a new vulnerability exposure. A framework, be it NIST, COBIT, ITL, etc. identifies the rules, that is, the allowable boundaries and processes that govern the information systems of an organization. To an extent, the more compliant an organization is with these rules, the less reconnaissance an attacker may have to do in terms of understanding which systems do what and how they are managed.
This reminds me of the security chicken and the egg question “What should you be more concerned about, your threats or your vulnerabilities?” As security professionals, short of going on a cyber-security which hunt, I don’t think we can do much about the threats, but we can do a lot to remove our vulnerabilities, from assessing our systems, fixing the holes, and continued monitoring. Even if an attacker has a high level map of my systems, if I have implemented a holistic approach (securing each layer), the attacker may have a harder time “pwn” the system(s). (This assumes no matter the case, if an attacker wants in bad enough and has enough resources, they will get in.)
Additionally, when implemented to align with the organization’s business role, the standards may increase the operations management and efficiency of the organization, as well as the more streamlined processes may generate less “noise” to be filtered by security systems monitoring, more clearly exposing an attack.