A World of Novel Risks: Stress-Testing Security Assumptions

 

The most severe security failures are generally those that we cannot anticipate – until they occur. Prior to 9/11, national security and law enforcement planners expected that airline hijackers would land their planes and reach a settlement – until they didn’t. Prior to Stuxnet, control system engineers felt that air-gapped systems could work without interference – until a virus was installed. Prior to the discovery of the SolarWinds breach in 2020, IT managers believed that verified updates to a trusted network management platform were legitimate and safe – until the platform itself became the target of a devastating supply chain attack.

The severity of the harm caused by these incidents is often determined by the extent to which novel risks were unforeseen, or assumed not to be threats in the first place. In other words, the more basic the assumption, the more harmful the compromise. The objective of security is to be safe not only now but also in the future, anticipating and mitigating threats that might arise at a later time and place through adequate preparation and security. The assumptions we make about the future environment form the basis for that work. Assumptions are required for any security strategy to be cohesive, but they have a shelf life.

It’s doubtful that our presumptions from now will be true later o

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
