28 October 2017

Critical Infrastructure: "Known Vulnerabilities" in Your Enterprise...

What are the known vulnerabilities in your enterprise architecture?  We will come back to this question.

Asymmetric Warfare across the globe spans a digital Internetwork that has it's roots fostered in openness and with little regulation.  We are in many instances within real possibilities of significant digital systems failures.  Here is a just small window into that battlefield.

Operational Risk Management (ORM), is a mature discipline that you and your organization shall embrace, study, expand and continuously support.  One facet of Operational Risk, the Information Technology (IT) systems in your enterprise, is not part of an evolution any longer.  It has become a pervasive and mobile social revolution, that is now accelerating beyond your comprehension.

Let's put it another way.  Known but unmitigated vulnerabilities, will likely be the origin of your demise, failure, damage, ruin and loss of precious assets.  Why do you let it continue?

You and your organization are on the edge, operating each day with peoples lives, reputations and Personal Identifiable Information (PII) at stake and even the livelihood of the enterprise itself.

Whether that is your family, business, state or even your country, you can do something more to address your known vulnerabilities.  Do you know who, what and where they are in your enterprise?

When you hear the name "Equifax" today, what do you think?  Data security breach, correct?  What about these organizations:
  • Whole Foods Market Services, Inc.
  • Discover Financial Services
  • Transamerica
  • Hyatt Hotels
  • Northwestern Mutual Life Insurance Company
  • Wells Fargo Advisors
  • Sprint
  • Massachusetts Mutual Life Insurance Company
  • Sharp Memorial Hospital
  • Virgin America
  • The Neiman Marcus Group
  • Keller Williams Realty, Inc.
  • Club Quarters Hotels
  • Hard Rock International
  • Four Seasons Hotels Limited
  • BMO Harris Bank NA
  • Bank of the West
  • Gannett Company, Inc.
These are all well known companies, who have reported data security breaches by law, to the State of California, over the past 6 months.  There are dozens more of other organizations who are not large, well known brand names such as these.  Some are as a result of the Equifax breach and organizations who were using Equifax product solutions internally.  Now multiply this by 50 states.

So what?

Our Critical Infrastructure(s) in the United States are something we just take for granted.  Bank ATM's on every corner, bridges across bays and rivers, trains and planes departing from even small cities, trauma hospitals, massive hotels and supermarkets, fiber communications and LTE wireless network connectivity almost everywhere.

Let's come back to where we started.  What are the "Known Vulnerabilities" in your enterprise architecture?  Why are you so certain, that your adversaries are not currently inside your network?

The resilience modernization of your particular enterprise, is going to be expensive.  Mostly, because it has been patched and poorly integrated for a decade or more.  In some cases, simply because your adversaries and competition are more stealthy than you are.  Faster than you are.  Smarter than you are.  Laying in wait.

So what are you going to do about it?  In your home, business, city, state, or country and beyond?
"As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section. Within 45 days of the date of this order, (May 11, 2017) the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation."   Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 
You are going to find, repair and replace your known vulnerabilities.  Then repeat.  When you think you are finished, you can begin the next project, on your UNKNOWN vulnerabilities.

No comments:

Post a Comment