Viewing posts from September, 2015
At Gray Tier, we would like to reshape how network defense strategies are thought about. Network security policies are usually an afterthought. Put up some firewalls over here, sprinkle some IDS over there; maybe a host-based monitoring system and presto - secured! Being compliant is not the same as being secure. No longer can an organization go through this robotic thinking about network security and assume that it is good enough. Recently, more companies have been conducting penetration tests, either by internal teams or by external companies as a service. The issue with network penetration testing is that the assessment is only a snapshot in time of the organization's network security posture. As soon as something changes within the network, is the previous assessment still valid? Networks are by nature complex systems-of-systems, and it’s very difficult to know whether adding, removing, or changing one of those systems has second- or third-order effects. Moreover, your network might be secure, but are your business partners’ networks secure? What kind of trust relationships do you have with them (e.g. Target)?
The cyber prefix is used everywhere these days - cybersecurity, cybercrime, cyber-attack, cyberspace, etc. What most people may not know is that, within the security community, there is a vocal opinion that “cyber” is a useless term. This probably seems strange to those outside the industry, and we agree, but there is a sound reason behind it.