cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

You're doing it wrong

Ryan Heffernan
Microsoft

‎Mar 24 2017 02:01 PM - last edited on ‎Nov 30 2021 09:01 AM by

‎Mar 24 2017 02:01 PM - last edited on ‎Nov 30 2021 09:01 AM by

You're doing it wrong

There's a good article in Dark Reading today by Michael A. Davis:

 

"We've all seen them — you might even have one open right now: an Excel spreadsheet with red, greens, and yellows that tell you where your risk is. You probably follow the simple convention of focusing on low-hanging fruit first and then drill down as hard and as fast as you can on the critical and high items.

 

Sorry to say this, but you've been doing it wrong. You see, attackers are opportunistic and scrappy, yet we don't seem to work in those variables onto our sea of reds and yellows. I refer to this as the "single versus multivariable risk assessment problem." We have single rows with risk assigned and work them as if they are singular risks. Attackers, on the other hand, chain risks together. They leverage a low risk on a Web server and a low risk on a database server to get access to high-risk data. Two lows can equal a high? Yes, but your prioritization process doesn't think that way."

 

It has a similar themes to blog posts we published previously on disrupting the attacker's kill chain and how defenders think in lists, but attackers think in graphs.

 

 

2,102 Views
2 Likes
1 Reply
Reply
1 Reply
Reza_Ameri-Archived

‎Jun 23 2017 12:38 AM

‎Jun 23 2017 12:38 AM

Re: You're doing it wrong

In general, we need to understand the threat model within a domain. For example, in a company when we are assess threats for finance department, protecting Excel and financial software consider higher priority and we might set policy in excel for that department to block all codes and extensions. While in the same company for developers, we never set such policy and we concentrate more on protection codes and prevent running malicious scripts.

In also depends on the how employees learn about threats, in social engineering attacks, you could just do a smart data mining on social media and pretend to be head of IT and contact company and ask credential of employees directly. We need to understand threats in each environment and create defend model for each attack model and keep updating it.
1 Like
Reply