While the sophistication of cyber-threats facing our government grows every day, traditional thinking about how federal information security leaders should meet that challenge is evolving. It was once accepted that cyber-security in an enterprise could only be achieved by driving out every exploitable vulnerability. There is now increasing recognition that this isn't necessarily the case.
In order to successfully operate a secure cyber-environment, federal government entities must take a cue from cross-sector and industry approaches and learn to be comfortable with something that feels very uncomfortable — accepting risk.
It has become clear that cyber-infrastructures cannot be defended from all risks; in fact, it must be accepted that many risks, both known and unknown, will continue to persist. Historically, government entities and private organizations have directed tremendous resources toward complete risk elimination, only to see emerging threats outpace their efforts. As a result, security goals have shifted toward identifying the threats that would affect the mission the most.
By focusing on security that matters, enterprises effectively manage their risks by directing the majority of their security efforts toward high-priority threats. Many commercial enterprises have already embraced this shift to maintaining enterprise protection by implementing effective risk management processes.
‘Zero Day’ Vulnerabilities
The 2010 Top Cyber Security Risks Report published last September by Hewlett-Packard exposes the precarious situation of public- and private-sector enterprise systems with a surprising statistic about "zero day" vulnerabilities. A zero-day attack exploits a vulnerability in an application that is unknown to others or undisclosed to the software developer. The attack occurs on or before the first day of developer awareness (hence "zero day"), meaning the developer has had no time or opportunity to distribute a security fix to software users. According to the report, the number of unpatched zero-day vulnerabilities has grown rapidly in the past five years, with at least six or seven undiscovered vulnerabilities existing in any given product or enterprise system at any one time. Beginning around 2006 and continuing unabated for the past four years, a drastic increase in Web application vulnerabilities has been witnessed as well. These mounting vulnerabilities provide direct access for cyber-attacks.
This data underscores why total eradication, trying to defend against every attack vector, is a futile effort that treats all threats as equal: there will be vulnerabilities in cyber-assets that pose no major threat to mission outcomes, and there will be undiscovered zero-day vulnerabilities that can be devastating. No single countermeasure is effective against every threat; layering defenses mitigates many risks, but not all of them. The bottom line is that successful system security becomes a matter of setting priorities based on which systems are most likely to affect the delivery of critical services.
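As an added illustration of the prioritization this article argues for (example code written for this page, not taken from the HP report or from any agency's process), the following triage routine ranks vulnerability findings by residual risk, where residual risk is mission impact multiplied by the likelihood of exploitation after the layered controls already in place are taken into account. Findings that fit within the remediation capacity are patched where a fix exists or given a compensating control where none does (the zero-day case); the rest are accepted and monitored rather than chased. The findings, the 1-to-5 scales and the control effectiveness factors are constructed, assumed values.

```python
from dataclasses import dataclass, field

# Assumed likelihood-reduction factors for layered controls (constructed for this
# example; a real program would derive these from its own control assessments).
CONTROL_EFFECT = {
    "mfa": 0.4,
    "network_segmentation": 0.6,
    "waf": 0.5,
    "edr": 0.7,
}


@dataclass
class Finding:
    id: str
    asset: str
    mission_impact: int   # 1..5: consequence to critical service delivery if compromised
    exploitability: int   # 1..5: exposure plus ease/availability of an exploit
    patch_available: bool  # False models an unpatched zero-day
    controls: list = field(default_factory=list)  # layered controls already in place


def residual_likelihood(f: Finding) -> float:
    """Exploitability after each deployed control is applied; unknown controls count for nothing."""
    likelihood = f.exploitability
    for c in f.controls:
        likelihood *= CONTROL_EFFECT.get(c, 1.0)
    return likelihood


def risk_score(f: Finding) -> float:
    """Residual risk = mission impact x residual likelihood."""
    return f.mission_impact * residual_likelihood(f)


def triage(findings, capacity: int):
    """Rank findings by residual risk and assign an action to each.

    The top `capacity` findings get active remediation: 'patch' when a fix exists,
    'compensate' (add or strengthen a layered control) when it does not. Everything
    below the cut is explicitly accepted and monitored rather than left as an
    unbounded 'fix everything' backlog. Returns (id, rounded score, action) tuples.
    """
    ranked = sorted(findings, key=risk_score, reverse=True)
    decisions = []
    for rank, f in enumerate(ranked):
        if rank < capacity:
            action = "patch" if f.patch_available else "compensate"
        else:
            action = "accept_and_monitor"
        decisions.append((f.id, round(risk_score(f), 2), action))
    return decisions


# Constructed sample findings (not real systems or vulnerabilities).
FINDINGS = [
    Finding("F-1", "public benefits portal", 5, 5, True),
    Finding("F-2", "admin console (zero-day, no fix)", 5, 4, False,
            ["mfa", "network_segmentation"]),
    Finding("F-3", "disposable test server", 1, 5, True),
    Finding("F-4", "payroll database", 4, 2, False),
]

if __name__ == "__main__":
    for fid, score, action in triage(FINDINGS, capacity=2):
        print(f"{fid}: residual risk {score:>5} -> {action}")
```

Note how the ordering comes out: the unpatched zero-day on the admin console (F-2) has the same mission impact as the public portal, but because MFA and segmentation already sit in front of it, its residual risk falls below that of the payroll database's lower-severity but entirely unmitigated finding, so with capacity for two remediations it is accepted and monitored rather than fixed first. The test server's trivially exploitable but mission-irrelevant vulnerability is accepted outright, which is exactly the "security that matters" judgment the article describes.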