Chris Hoover

WORST FIRST

Posted by Chris Hoover Employee Oct 23, 2012

“Worst first.” That was the theme I took away from the IT Security Automation Conference (ITSAC) earlier this month in Baltimore. ITSAC is a worthwhile event for any federal IA professional; it focuses heavily on automated continuous controls monitoring, incident response, and SCAP (the Security Content Automation Protocol).


The “worst first” message was the thread that held the sessions together (at least the ones I attended; there were four separate tracks). As I mentioned in my last blog, so many silver-bullet security solutions come and go. Sometimes they are new tools or technologies; sometimes it is a new process or regulation. It is nice to hear something as humble, pragmatic, and unpretentious as: find the worst, scariest risk and fix it; when that’s done, find the next one and do the same; rinse and repeat, ad infinitum. What?! Who are you and what have you done with my federal IA community?


This shows that we have matured not only in our technology but in our culture. There are, of course, a few assumptions for this to work. 1) We have to be able to do a reasonable job of discovering and understanding our risks. 2) We also have to know how to rank and prioritize our risks so that we know which are worst. The first point means improving our tools and skills: deploying better sensors in higher numbers and getting better intelligence from them, using SCAP to identify platforms, vulnerabilities, and configurations precisely and consistently. The second point is about finding a way to score and grade risks, including the use of SCAP specifications like CVSS and CCSS, which assign severity scores to vulnerabilities and to configuration weaknesses, respectively. The State Department was cited many times, as a pioneer of continuous monitoring, as an example of how quickly and drastically risk can be reduced by attacking the right (worst) things in the right order – quintessential Pareto 80/20…

I’m sold. Let’s do it!
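To make the two assumptions above concrete, here is an added example (not code from the original post or from RSA Archer) that scores findings with the published CVSS v2 base-score equations, the SCAP severity metric in use when this was written, and then orders them worst first, breaking ties by how many hosts are exposed. The finding labels, vectors and host counts are constructed sample data, not real vulnerabilities, and the tie-break rule is an assumption of this example rather than anything the post prescribes.

```python
"""Score findings with CVSS v2 and queue them "worst first".

Added example, not part of the original post.  The weights and equations
follow the published CVSS v2 base-score specification; the findings at the
bottom are constructed placeholders, not real vulnerabilities.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (Access Vector, Access Complexity,
# Authentication, and the three impact metrics).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def _round1(x: float) -> float:
    """CVSS round_to_1_decimal: round half up, not Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector: str) -> float:
    """Base score for a CVSS v2 vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176      # a finding with no impact scores 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity_band(score: float) -> str:
    """NVD's CVSS v2 severity ratings: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def worst_first(findings):
    """Order (label, vector, affected_hosts) tuples highest score first.

    Ties on score are broken by exposure (more affected hosts first); this
    tie-break is an assumption of the example, not part of CVSS.
    """
    scored = [(label, cvss2_base_score(vec), hosts) for label, vec, hosts in findings]
    return sorted(scored, key=lambda t: (t[1], t[2]), reverse=True)


# Constructed sample findings: placeholder labels, not real CVE identifiers.
SAMPLE_FINDINGS = [
    ("finding-1", "AV:L/AC:H/Au:S/C:N/I:N/A:P", 400),  # local, hard, low impact
    ("finding-2", "AV:N/AC:L/Au:N/C:P/I:P/A:P", 12),   # remote, partial impact
    ("finding-3", "AV:N/AC:L/Au:N/C:C/I:C/A:C", 3),    # remote, complete compromise
    ("finding-4", "AV:N/AC:L/Au:N/C:P/I:P/A:P", 250),  # same as finding-2, wider exposure
]

if __name__ == "__main__":
    for label, score, hosts in worst_first(SAMPLE_FINDINGS):
        print(f"{label}: {score:4.1f} {severity_band(score):6s} hosts={hosts}")
```

Note that the widely exposed low-severity item lands last: "worst first" means attacking the 10.0 on three hosts before the 1.0 on four hundred, which is the State Department point about order mattering more than volume.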


Federal FY2013 will be a huge year for IA transformation: the first FedRAMP systems, the DHS CMaaS offerings, NIST SP 800-53 Rev 4, DIA RMF… it will be a busy and exciting year!

Send me your thoughts, challenges, or questions on these issues. chris.hoover@rsa.com 


Chris

I recently took the plunge and purchased an iPhone, even though I was perfectly happy with my Android HTC EVO, but I really, really wanted access to Siri.


So, as I prepared to set up my new iPhone, it was suggested (strongly) that I, #1, set up the 4-digit passcode to access my phone (ugh), #2, enable auto-lock (really?), and #3, turn on the ‘Find My iPhone’ feature. Whew, I thought, this is a lot of work just to get started … and I haven’t even tried out Siri!


I mean, really, entering a 4-digit passcode might slow me down by a second, but I’ve never truly ‘lost’ my phone … well, I lost a few Androids in the washing machine, and had to call my cell from my landline more times than I care to admit in this blog to help me find ‘where’ I put the phone down, but was the phone really, truly lost? No.


It did get me thinking, however, that with all the new bells and whistles that come with my new iPhone, and the many that I took advantage of with my old Android, come built-in risks of exposure of my personal information. Scary, I thought.


After all, I’ve been just plain lucky up to this point. My phone is my lifeline … I have everything in the palm of my hand … bank accounts, passwords, 401(k) info, you name it, it’s on my phone. Why I carry a handbag, I don’t know … but that’s a topic for another blog.


So, can my luck hold out forever … probably not. And now I’m forced to wonder just how protected the rest of my e-life is at this moment. I’m the queen of online purchases, on my phone and on my home computer – I hate malls. I download apps constantly … huge fan of ‘Words with Friends’, and I can’t get from point A to point B without my GPS – I’m directionally challenged at best. And text messages are about the only way I communicate with my friends and family today.


I work for RSA, the security division of EMC, and I think I have a good understanding of the importance of managing risk. You purchased an RSA Archer eGRC module to help you manage risks, demonstrate compliance and automate business processes for your company. And you do a great job. But what about your own personal identity risks – are you as diligent as you should be? We all probably think we are, but have we really considered whether we’ve protected our own e-life to the fullest extent to reduce personal damage and liability? Identity theft is the number one crime in America today, with over 9 million Americans falling victim to identity theft each year, and at least 70% of cellphone text spam is designed to defraud us. Ouch!


So, my words of wisdom: be safe, both professionally and personally!
