Story image

Adopt a cyber attacker’s point of view to protect data

28 Jun 2018

Technology analysis organisation ISACA and SecurityScorecard have announced a joint research paper, Continuous Assurance Using Data Threat Modeling, to provide enterprises with guidance in adopting an attacker’s point of view to help account for data.

With a step-by-step guide to apply application threat modelling principles to data, enterprises can now establish a baseline for monitoring ongoing data risk over time.

ISACA is a global association that aims to help individuals and enterprises achieve the positive potential of technology.

The organisation equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations.

ISACA has a presence in more than 188 countries, including 217 chapters worldwide and offices in both the United States and China.

Enterprises are challenged to move the process of accounting for data in a structured, systematic way higher on the list of priorities.

One option to accomplish this challenge is by applying application threat modelling principles to data (data threat modelling).

Application threat modelling provides value by allowing application security specialists to systematically evaluate an application from an attacker’s point of view.

By doing this, an analyst can methodically analyse an application to identify and map threats that the application is likely to encounter in post-deployment conditions. “To support a continuous view of anything, there are two things needed: something to measure and a way to perform that measurement frequently or in an ongoing way,” says SecurityScorecard compliance head Fouad Khalil.

SecurityScorecard's vision is to create a new language for measuring and communicating security risk.

With cloud solutions becoming an increasingly integral part of the security technology stack, SecurityScorecard recognised the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners.

SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, NGP Capital, Evolution Equity Partners, Boldstart Ventures, AXA Venture Partners among others.

“By implementing this continuous assurance process, an enterprise can be notified as changes happen that impact its understanding of the threats to their applications and, ultimately, their data.” The ISACA and SecurityScorecard paper provides 11 key questions to ask to implement continuous assurance related to threat understanding, including these five:

  • What are the specific indicators the enterprise will use to measure changes to the threat environment?
  • How will the enterprise account for entities in the supply chain?
  • What instruments are in place to evaluate control performance at third parties?
  • Who is responsible for maintaining and monitoring the view that is put together?
  • What is the amount the enterprise is willing to invest in this?

“Organisations often struggle with data protection that feels out of control—and this guide helps bring clarity to the chaos,” says ISACA content strategy director Karen Heslop.

Five things MSPs need to keep in mind in 2019
A Datto APAC channel exec outlines the most important factors for MSP to being paying attention to in the coming year.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nozomi and RIoT to deliver advanced ICS security solutions to Australia
''As a specialised integrator of robust and resilient ICT and IoT solutions within Australia, we are delighted to be partnering with Nozomi Networks."
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.