Today’s threat landscape is continuously evolving. It is filled with adversaries who are more determined than ever before, and have an arsenal of increasingly complex and sophisticated threats. Adding to this, we have more stringent regulatory demands such as POPIA and GDPR, which require organisations to be fully prepared.
The attack surface today covers network infrastructure, all connected hardware and software, as well as Web applications. This means those charged with cyber security must be able to thoroughly assess risk from several perspectives in order to get an accurate picture of where the chinks in the company’s armour lie, to reduce threats and maintain compliance.
“During security assessments, a risk should be informed by the context of the asset being assessed, and the organisation’s security strategy,” says Johannes Myburgh, senior information security consultant at F-Secure Consulting SA, who will be presenting on ‘Risk priority by design’ at ITWeb GRC 2020, happening on 25 and 26 February at The Forum in Bryanston.
“These factors should be used to evaluate a risk and inform the appropriate next steps with regard to implementing security controls,” he adds.
Where are businesses going wrong when it comes to prioritising risk?
According to Myburgh, businesses generally follow an established process for testing: repeating the same tests annually and testing only important or large features, testing new applications without examining the overall business context, and relying on vulnerability scans alone instead of in-depth penetration tests.
He says this traditional approach remains valuable as it is part of due diligence, hardening the perimeter and tracking remediation progress. “However, in our experience, this key-holed approach is not effective at preventing real-world cyber attacks.”
This, he says, is where risk priority by design comes in.
“While traditional penetration testing forms part of adhering to compliance requirements, companies should also perform contextualised assessments of key assets to improve their resilience against targeted cyber attacks. These complex assessments should focus on identifying as many issues as possible, rather than aiming to provide a clean report.”
Delegates attending his talk will learn how to better plan their business’ penetration testing activities, and will also hear how security spend should consider both compliance and resilience against cyber attacks.
Finally, he will discuss how the planning and execution of penetration testing projects should be informed by the critical assets within an organisation, the context of each asset, and the systems used in conjunction with the asset.