What is the difference between a risk, a threat, a vulnerability and an exploit? Which product or solution can be employed to address my institution’s information security and compliance needs? This paper provides some clarity on the first question, and in the process, it should help to offer an answer to the second question, one of aligning concerns with solutions with vulnerability management.
"Adequate and timely testing is essential to identify many of these vulnerabilities," says the FFIEC Information Security Booklet, the "bible" of financial institution network security. It continues, adding, "Inadequate or untimely testing may critically weaken the risk assessment."
Vulnerability Management 101:
What's a Risk and How Can I
Mitigate as Many as Possible?
By Andrew Greenawalt, Founder and Chief Technology Officer
Perimeter eSecurity Corporation
www.perimeterusa.com
(800)234-2175
Founded in 1997, Perimeter eSecurity, is the only provider of complete network security on demand for more than 4,000 growing companies nationwide. Headquartered in Milford, CT with seven geographically-distributed operations centers and three redundant data centers, the company is among the fastest growing network security providers. Perimeter, www.perimeterusa.com, offers over fifty network security services to address all potential security risks and are available to businesses on demand.
Perimeter eSecurity 440 Wheelers Farm Rd. Milford, CT 06460 T 2035413401 http://www.perimeterusa.com Introduction As financial organizations delve into the increasingly-regulated world of information security, they often confront many terms that seem indistinguishable. What is the difference between a risk, a threat, a vulnerability and an exploit? Which product or solution can be employed to address my institution's information security and compliance needs?
This paper provides some clarity on the first question-namely what kinds of risks should a financial institution be concerned with. In the process, it should help to offer an answer to the second question, one of aligning concerns with solutions.
Each year brings with it thousand of new computer security vulnerabilities. The graph below reflects the number of increased threats reported month by month over the last year. Clearly, the graph shows that every month brings with it an additional 500-1000 new vulnerabilities, or 20 to 30 new threats per day. Not every financial institution is exposed to every one of these new threats. However it's incumbent on the institution's management to assess the magnitude of each threat and deal appropriately and programmatically with those posing risks to the institution. While some of the risks may be trivial, often a single exploited vulnerability can cause catastrophic problems. Prioritizing the huge volume of threats is no trivial challenge indeed.
New Vulnerabilities per month in 2006
Known vs. Unknown When considering the protection of a business system from data security threats, one will typically rely on systems such as Firewalls and Intrusion Detection/Prevention systems (IDS/IPS). Collectively, we consider these systems Intrusion Defense Systems, throughout the paper. While these systems are a critical and necessary component of a defensive strategy they have limitations.
The most critical shortcoming of an Intrusion Defense Systems is that it is limited to protection against known or recognizable threats. The function of Intrusion Defense Systems is to leverage the firewall to limit traffic to needed channels such as mail traffic and web traffic. With the traffic cut down to only the necessary channels, it is then monitored by the IDS/IPS function with a signature base of conditions. As defined by the security experts at the SANS institute, a "signature" is "a distinct pattern in network traffic that can be identified to a specific tool or exploit."
A signature is looking for a "distinct pattern" from a known "tool or exploit." Said another way, Intrusion Defense can be thought of as a "Known Issue Defensive Tactic" -a system that defends against pre-specified patterns or threats. . The firewall
Perimeter eSecurity 440 Wheelers Farm Rd. Milford, CT 06460 T 2035413401 http://www.perimeterusa.com Perimeter eSecurity
can deliver or block traffic based on "header" information, similar to the address information on an envelope while the IDS/IPS opens the "letter" (data packet), and analyzes the "content" (payload) based on a well-known list of attack patterns.
Definitions To understand known vs. unknown threats, a few definitions need to be understood:,
. Firewall Co... [download for more]
