The latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet infrastructure companies, which also incorporates additional data sources. Akamai published its quarterly report today (January 23, 2013) and I am nearly through it … a few striking details shift how I will recommend clients identify, consider, and mitigate risks. The top two items that are significant (one obvious) and important include:
- China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (not a huge surprise, but an affirmation for many)
- The amount of attack traffic seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic Akamai had seen before for similar activist-related attacks (the volume, intensity, and strategy of the attacks are important, as most do not consider a SIXTY TIMES factor in risk mitigation calculations)
About the Akamai State of the Internet report
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet
You can request access to the report (registration required) here, and the individual images from the report are available here. There is also a great set of write-ups coming out here and here.
Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization’s business processes. The leadership and strategy shifts required to tackle these evolutions remain an executive responsibility.
James DeLuccia IV
*See me speak at RSA 2013 in February on – The Death of Passwords
Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses. A broad topic, but we were primarily focused on database administrators and those charged with the controls in place. While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on Twitter (#nzdc), a more basic harm and cause emerged: most organizations have been approaching audits and controls in the wrong manner.
- First off, consider what the point of the audit is. The answer may be one of two prime responses:
- The point is that the Federal government and our industry cohorts don’t trust how we’ll do business, so we have to demonstrate particular safeguards and operating integrity base points to keep our operating license.
- The second may be that management is overseeing a massively complex organism, and only through third-party verification and evaluation shall we know what in the world is right, wrong, or a complete waste.
Now both responses are right, and there is nothing wrong with being more polar on either of these points, but there is a severe cost. Taking a checkbox approach to an audit means that the INTENT is not being satisfied (the classic “Compliance does not equal Security” is a prime example), and one should not be passing such audits – but that is not the focus of this post. Furthermore, conducting an audit in a manner where one simply responds and loosely ties together the controls for the sake of “the audit” every year translates to a complete loss of the possible savings that can be achieved from such events.
There is no doubt that audits are time consuming and resource intensive, similar to a high-stakes test. The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience. Too often organizations do not carry those lessons forward, because audits are treated as one-time events and not integrated.
To be sure, auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management and company culture severely impact how these evaluations are viewed and addressed. It is also true that without taking these lessons beyond the hour the audit occurs, errors, expense, time, and resources will forever and continually be lost.
Best Practice Advice:
Consider your audit plan for the year and how the audits can fit with your IT strategy and IT governance function as part of the company governance program. Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.
Thoughts and contributions?
James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM
Check out the webinar I mentioned above here; it will be archived and viewable at your leisure.