CIOs and CSOs should take a "follow the money" approach to security: IBM X-Force

IBM X-Force report finds Web sites and Web applications were major vulnerability for enterprises in 2008

CIOs and CSOs would do well to consider the monetisation cost and overall profitability of security risks when deciding how to safeguard their organisations, according to the findings of a new report from IBM’s Internet Security Systems X-Force research and development team.

The 2008 X-Force Threat and Risk Report finds that despite there being many headline security issues in 2008, a number of these never amounted to mass exploitation.

This is partly due to the economics of IT security: criminal attackers out for profit weigh considerations that the security industry does not always take into account, such as monetisation cost and overall profitability.

According to the report, the security industry currently prioritises threats almost entirely on the basis of technical measures of the risks that they present, while largely failing to capture the economic opportunity that a vulnerability presents to an attacker.

“The result of this new reality is that there have been several vulnerabilities this year that received very high Common Vulnerability Scoring System (CVSS) scores and raised widespread alarm within the security industry,” the report says. “However, they were not widely exploited in the wild. In most cases, these vulnerabilities did not fit well into the current business models of computer criminals.”

While CIOs and CSOs shouldn’t ignore less obvious money-spinning risks, more careful consideration of the way that vulnerabilities fit into the business models of criminal organisations will help better prioritise IT protection and patching efforts, the report says.

The report suggests that enterprises should assess individual risks using a quadrant with low to high opportunity on the x axis and high to low monetisation and exploit cost on the y axis. Any risk that falls into the high opportunity, low cost square, such as SQL injection, is a prime risk.

“If the security industry can learn to recognise vulnerabilities that fit into the top right quadrant of this graph, it can do a better job of determining when emergency patching is most needed in the face of immediate threats, when widespread exploitation of a vulnerability will take a long time to emerge, and when it is unlikely to ever emerge,” the report says.
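The quadrant triage described above, as an added illustration that is not part of the report or the article: each vulnerability gets a constructed opportunity score and monetisation/exploit cost score (both assumed 0-10 scales, not defined by the report), is placed in the 2x2 grid, and patching order is decided by quadrant first and CVSS only as a tie-breaker, so a high-CVSS bug with little attacker opportunity drops down the list.

```python
from dataclasses import dataclass
from typing import List

# Added example, not from the X-Force report: a toy "follow the money" triage
# that places each vulnerability on the report's quadrant (attacker opportunity
# vs monetisation/exploit cost) and orders patching by quadrant, then CVSS.

@dataclass(frozen=True)
class Vuln:
    name: str
    cvss: float         # technical severity, 0-10
    opportunity: float  # monetisable targets reachable by an attacker, 0-10 (assumed scale)
    cost: float         # attacker's cost to exploit and monetise, 0-10 (assumed scale)

QUADRANT_RANK = {
    "prime (high opportunity, low cost)": 0,
    "high opportunity, high cost": 1,
    "low opportunity, low cost": 2,
    "low opportunity, high cost": 3,
}

def quadrant(v: Vuln, threshold: float = 5.0) -> str:
    """Map a vulnerability onto the 2x2 grid using a midpoint threshold."""
    high_opp = v.opportunity >= threshold
    low_cost = v.cost < threshold
    if high_opp and low_cost:
        return "prime (high opportunity, low cost)"
    if high_opp:
        return "high opportunity, high cost"
    if low_cost:
        return "low opportunity, low cost"
    return "low opportunity, high cost"

def prioritise(vulns: List[Vuln]) -> List[str]:
    """Quadrant decides the patching tier; CVSS only breaks ties within a tier."""
    ordered = sorted(vulns, key=lambda v: (QUADRANT_RANK[quadrant(v)], -v.cvss))
    return [v.name for v in ordered]

# Constructed sample values for illustration only; none come from the report.
SAMPLE = [
    Vuln("SQL injection in public web app", cvss=7.5, opportunity=9, cost=2),
    Vuln("Remote flaw in rarely deployed daemon", cvss=10.0, opportunity=2, cost=8),
    Vuln("Browser plug-in code execution", cvss=9.3, opportunity=8, cost=3),
    Vuln("Local privilege escalation on desktop", cvss=6.8, opportunity=3, cost=3),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE):
        print(name)
```

Ranking by CVSS alone would put the rarely deployed daemon flaw first; the quadrant ordering pushes it to the bottom because it offers attackers little opportunity at high cost.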

According to Craig Lawson, senior security consultant at IBM Internet Security Systems, CIOs should ensure they have a vulnerability management program in place consisting of protection, discovery, patching and reporting.

“For example, not many users think to update or patch their Web browser and that's a prime avenue for exploitation at the moment,” he says. “So if every CIO did one thing, upgrade the Web browser and its add-on components to the latest and greatest version of IE/Firefox etc, they would have a significant increase in their security posture.”
