Currently, the government is still focused on perimeter defense with only a shallow defense-in-depth strategy. The problem centers on an enterprise architecture that is usually designed to protect the entire network at the same level, thus spreading network defense resources thin like peanut butter. Agencies fail to build a network defense strategy that focuses on protecting their crown jewels, vulnerability reduction, and adversary capability, intention, and targeting methodologies. Intelligence is more than just having lots of information; it is using data analysis, situational awareness, meaningful metrics and business context to understand the threat and, based on the organization’s risk profile, identify the appropriate action to take.
A multifaceted approach to threat and vulnerability analysis and management is critical because of one fundamental rule: adversaries have a distinct and considerable advantage over defenders because they only need to succeed once with one type of attack to be successful. The defender, on the other hand, must achieve mastery in protecting against all attacks. At the same time, defenders are burdened by budgetary, resource and legal constraints with which attackers are not concerned. Properly planned and implemented threat and vulnerability management programs represent a key element in an organization’s information security program, providing an approach to risk and threat mitigation that is proactive and business-aligned, not just reactive and technology-focused. Threat and vulnerability management programs include three major elements (Pironti, 2006):
• An asset inventory
• Threat and vulnerability analysis
• Vulnerability management
An agency seeking to defend itself should create and maintain competency models of adversaries and the techniques and skills they require to be successful. One way to thwart them is to study the materials publicly available to them about the organization and its information infrastructure. Those materials can be found by using the same tools the adversaries use—search engines and intelligence services.
Information security will continue to be a growing challenge to agencies and organizations. To be proactive in their approach to it, agencies must adopt a programmatic approach to information infrastructure risk management. Threat and vulnerability management programs, when part of a larger information security program, provide a significant advantage in addressing this challenge. The first step to solving a problem lies in understanding its scope. Threat and vulnerability management programs provide that critical first step. They afford the agency the capability to understand the problem, evaluate the potential business impact and likelihood of compromise, and implement appropriate levels of risk mitigation. By being proactive, an agency can significantly reduce the risk posed by threats to its information infrastructure and reap economic benefits by avoiding or minimizing the actual costs and the opportunity costs that inaction on security can entail.
Pironti, J. P. (2006). Key elements of a threat and vulnerability management program. Information Systems Control Journal, 1-5. Retrieved from http://www.isaca.org/Journal/archives/2006/Volume-3/Documents/jpdf0603-Key-Elements.pdf