Inaugural post: Fear, Uncertainty and Doubt
It is somewhat daunting to post my first blog entry to a collection of forums that counts Tim Keanini among its participants. As much as I love to engage in cerebral discussions with TK, I rarely traverse the same plane as he does in my own blog postings. Anyone who has read my threatchaos security blog knows I like to focus on threats, the security industry, and the response, or lack of response, of enterprises.
If there is one theme I keep harping on, it is the complete lack of preparation that most organizations exhibit when it comes to cyber security. Thus, I think it appropriate to raise that point here in my inaugural post to nCircle's guest blog.
If security investments are made properly, they are made in the context of a risk management program. But risk management analysis invariably underestimates cyber risk, because it relies on past experience, and past experience is not relevant in a threat environment that is growing exponentially.
I was speaking at the FDIC a couple of years ago and heard about one audit they had done at a LARGE data center on the Gulf Coast of Florida. The FDIC auditor was going through the list of risk factors they tracked and came to "Hurricane", which was ranked 1 out of 10, the lowest likelihood of occurrence. When challenged, the response was, "We have not had a major hurricane come ashore here more than once every 100 years, so we rank that low." The auditor said, "Yes, but there is a category 5 hurricane in the Gulf right now heading your way. Doesn't that affect your risk?"
The moral of the story is that risk is dynamic, and risk management programs must take that into account. Right now it is becoming painfully obvious that the bad guys are making concerted efforts to steal identities, particularly credit card data, in any way they can. From the wireless attacks against BJ Wholesale and DSW to the physical attacks against Stop and Shop and TJX, the warnings have been sounded. If there is a similar attack against any retailer in the next six months, that retailer will not be able to plead ignorance of the threat level.
Operators of critical web sites that account for significant revenue are also on notice. The bad guys have identified you and your web assets. If they cannot steal directly from you, they will launch denial of service attacks against your site and attempt to extort money from you. Not being prepared is not an excuse. The cost of recovery after an attack will exceed the cost of being prepared by a factor of ten.