Security
What are the top 3 excuses executives use to downplay cyber security?
"We don't need an external audit because:"
1. We would never be attacked.
2. A security audit is too expensive.
3. The IT department handles all of our security, so we're safe.
IDG Response:
1. The fact is, if you are connected to the Internet, you have been and will be attacked. More than likely you will be attacked at least once while reading through this website. Not every scan, probe, or attack against a website means there is a human on the other end directing the attempt. To find out more about these attacks, see Automated Attacks. Security counter-measures such as a firewall, antivirus software, intrusion detection systems, etc. can help mitigate some of these threats or, at the least, send notification of an attack in progress.
2. When weighing the costs of a security audit, it's quite easy to lose focus of the overall objective when the results do not provide a tangible return on investment. However, the cost is negligible when weighed against the potential costs of recovery efforts, downtime, and public relations after a successful attack occurs.
3. The downside to relying solely on internal IT staff is the inevitable fact that no single person will cover every facet of threat discovery, especially when that person does not have a background in security. Security is constantly evolving and requires examination from a variety of angles. Having a single person routinely conduct the security audit will inevitably result in something being missed. Alternatively, having a third-party auditor conduct yearly security audits can drastically improve the security posture of a company.
Were you given another excuse and think it deserves a place here? Send it to excuses@idgsecurity.com
What is a vulnerability assessment?
"A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system." is the definition given by Wikipedia. More simply, it is the determination of whether or not a weakness exists and reporting on that weakness.
What is the difference between a penetration test and vulnerability assessment?
A "pen-test" includes the same processes as a vulnerability assessment with the addition of one important step: exploiting the vulnerability that was noted in the discovery phase. This is a very important step because it shows the maximum effect or damage a vulnerability can have on a network or computer system.
What is social engineering?
Social engineering is the act of baiting or manipulating a person into performing some action or actions that result in the disclosure of confidential information. This manipulation can also result in the attacker gaining physical and network access. The single greatest threat to security is the human factor.
What type of network security solutions does IDG provide?
IDG provides a variety of network security solutions, from firewalls to host-based and network-based intrusion detection systems, honeypots, VPNs, etc. Based on real-world experience working with commercial and freeware products, we can customize a security solution that best fits your company's needs.
Does IDG provide antivirus support?
IDG has partnered with ALWIL to provide sales and support for avast! antivirus suites. We work with all major commercial and freeware antivirus software packages.
What information is provided in an IDG audit report?
Vulnerability Assessment and Pen-test Reports contain the following information:
Target: Each computer/device is documented along with any vulnerability and the method used to disclose the weakness.
Risk: A level is assigned to each item according to the following scale:
- High - Security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges. Any item with a rating of High represents an imminent breach in network security.
- Medium - Security issues that have the potential of granting access or allowing code execution by means of complex or lengthy exploit procedures, or low risk issues applied to Internet components.
- Low - Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access.
- Info - Non-security issues that provide insight into the state of the network or the device.
Recommendations: IDG will provide clear and detailed documentation of how to correct or mitigate each noted weakness according to best practices.
Security Links
US-CERT: United States Computer Emergency Readiness Team (www.us-cert.gov) US-CERT is charged with providing response support and defense against cyber attacks for the Federal Civil Executive Branch (.gov) and information sharing and collaboration with state and local government, industry and international partners.
SANS (www.sans.org) SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - Internet Storm Center.
CERT (www.cert.org)
The CERT Coordination Center (CERT/CC), arguably the most widely known group within the CERT Program, addresses risks at the software and system level. Although it was established as an incident response team, the CERT/CC has evolved beyond that, focusing instead on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams world wide to address the threats.
OWASP Testing Guide v3 (www.owasp.org) The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. We can be found at http://www.owasp.org.
WindowsSecurity.com (www.windowssecurity.com) Windows security site which provides Windows security news, articles, tutorials, software listings and reviews for information security professionals covering topics such as firewalls, viruses, intrusion detection and other security topics.