From the course: Cybersecurity Foundations
Ensuring security is effective
- [Instructor] While we may design and implement security into our systems, this doesn't mean that it's effective. In fact, most breaches occur on solutions which have supposedly been secured using good industry practices. The reasons for the security failures vary. Some breaches occur because of poor design or implementation, some occur because of poor security hygiene in the business, and some because new exploits have been found which enable an attacker to circumvent security.

There are a variety of basic assurance methods that are used by organizations to check their systems. The key ones are vulnerability scans, which identify the services which can be accessed and check that they have all known patches applied; security control audits, which predefine a set of conditions based on the control and predict the expected results; and penetration tests, which use known exploits and exploit techniques to try to circumvent the security control.

In addition to their own testing, organizations may contract out independent evaluation of their systems. This is typically done to provide some form of certification that the system can be trusted by its users. Many organizations now gain certification against ISO 27000 for the whole business to demonstrate that their processes covering design, implementation, and operation of systems are secure. Vendors may submit their products for evaluation in accordance with what's known as the Common Criteria scheme. This provides an independent view of product assurance, from a basic statement of document compliance to an increasingly rigorous level of evaluation. The Common Criteria scheme is recognized by many countries and is the main scheme used for product assurance. However, some governments have begun to question the efficacy of evaluations of overseas products, even when they're done locally. The original five members of the Common Criteria group were the US, the UK, Australia, Canada, and New Zealand. New Zealand and the United Kingdom are no longer authorizing countries.

Assurance isn't a perfect answer. Certified organizations do get breached and evaluated products do get exploited. However, carrying out assurance testing raises the bar substantially and helps organizations avoid falling victim to simple attacks. With the move to automated assurance testing, that bar is raised even further, as the vagaries of the human element are removed from the testing process.
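The security control audit the instructor describes (predefine a condition per control, predict the expected result, then compare against what the system actually reports) can be automated in a few lines. The following is an added example, not code from the course: it audits an sshd_config against a small set of controls whose identifiers (SSH-1 to SSH-4) are hypothetical, and the configuration text is constructed for the example. The fallback values used when a keyword is absent are OpenSSH's documented defaults.

```python
"""Added example (not from the course): an automated security-control audit.

Each Control predefines the sshd_config keyword it governs, the value OpenSSH
uses when the keyword is absent, and a predicate encoding the expected result
for a compliant host. run_audit() parses a configuration and reports, per
control, whether the observed value matches the prediction.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample sshd_config for the example (not a real host's file).
# It deliberately contains several weak settings so the audit has findings.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# PubkeyAuthentication defaults to yes when omitted
X11Forwarding no
MaxAuthTries 6
"""

# Constructed hardened variant: the same host after remediation.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the value set for each keyword (lower-cased keyword -> value).

    Comments and blank lines are skipped. Like sshd, the first occurrence of a
    keyword wins, so a later duplicate cannot silently override an earlier one.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # keyword and value, separated by whitespace
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(keyword, value)
    return settings


@dataclass(frozen=True)
class Control:
    control_id: str                  # hypothetical identifier for this example
    description: str
    keyword: str                     # sshd_config keyword the control governs
    default: str                     # OpenSSH default when the keyword is absent
    expected: Callable[[str], bool]  # predicted result for a compliant host


@dataclass(frozen=True)
class Finding:
    control_id: str
    passed: bool
    observed: str


CONTROLS: List[Control] = [
    Control("SSH-1", "Root login over SSH is disabled",
            "permitrootlogin", "prohibit-password",
            lambda v: v in ("no", "prohibit-password")),
    Control("SSH-2", "Password authentication is disabled (keys only)",
            "passwordauthentication", "yes",
            lambda v: v == "no"),
    Control("SSH-3", "X11 forwarding is disabled",
            "x11forwarding", "no",
            lambda v: v == "no"),
    Control("SSH-4", "MaxAuthTries is 4 or fewer",
            "maxauthtries", "6",
            lambda v: v.isdigit() and int(v) <= 4),
]


def run_audit(config_text: str, controls: List[Control] = CONTROLS) -> List[Finding]:
    """Evaluate every control against the configuration and return the findings."""
    settings = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for control in controls:
        observed = settings.get(control.keyword, control.default).lower()
        findings.append(Finding(control.control_id, control.expected(observed), observed))
    return findings


def failed_controls(findings: List[Finding]) -> List[str]:
    """Identifiers of the controls whose observed value did not match the prediction."""
    return [f.control_id for f in findings if not f.passed]


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"--- {label} ---")
        for f in run_audit(cfg):
            print(f"{f.control_id}: {'PASS' if f.passed else 'FAIL'} (observed: {f.observed})")
```

Because the expected result is fixed before the check runs, the audit is repeatable and produces the same verdict on every host and every run, which is the property the transcript credits to automated assurance testing. Extending it means adding a Control, not changing the engine.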
Contents

- Architecting for security (5m 9s)
- Protecting payment card data (8m 47s)
- Clouding the issues (3m 5s)
- Securing things on the internet (4m 12s)
- Affordable cybersecurity (4m 34s)
- Ensuring security is effective (2m 46s)
- Protecting privacy with cybersecurity (3m 31s)
- Understanding the zero trust approach to network access (3m 36s)
- Resilience as an emerging approach (5m 59s)
- Ensuring supply chain security through SBOMs (3m 38s)