
From “Guerilla Security - Seeing the Big Picture”:

“You will be hacked, and your network will die” — Second Law of Guerilla Security

1. You will be hacked. Your chances of being hacked over time are very close to 100%, much like your chance of being in an automobile accident is very close to 100%. Today's globally connected threat environment is changing so quickly that you cannot have perfect security and still get useful work done. Beyond that, a focus on preventive controls creates what Bill Cheswick, the father of the firewall, calls a crunchy shell around a soft, chewy center. If you accept the reality that you will be hacked, you will start to see the major holes in your security program around detecting and recovering from incidents--a big requirement of the HIPAA security rule.

2. Your network will die. Clearly it's better to avoid an attack, but avoidance is no longer an option. And as indicated in point 1, neither is reliable prevention. Threat agents will break down the door, come in through the windows, or simply bribe or extort someone to pull an “inside job.” Effective security, like effective self defense, requires continuous practice. This means not only having an effective incident response plan, but having a process-oriented emergency mode operations plan (which in the IT world is called a business continuity plan or BCP). It's not enough to write these things up--you have to run thorough tests and scenarios, both internally and with third parties. Such practice needs to be part of your organizational culture, not an afterthought for the purposes of HIPAA compliance. If you fail to stay in practice, and if you continue to put your faith in preventive controls, you are effectively saying “take me, I'm yours” to malicious threat agents.

By Andrew T. Robinson, Founder and President of NMI LLC. https://nmillc.net/secondLaw.html
Posted on: Mon, 15 Sep 2014 20:16:36 +0000
