The SANS Top 20 will shift from vulnerabilities to risks by the end of the summer of 2009. That means we will be relying more on actual attack information and reporting the changing patterns in the attacks that organizations are actually experiencing. www.sans.org
The risk focus was chosen for three reasons:
1. Vulnerability listings had outlived their usefulness because nearly all mature organizations automate vulnerability remediation and do not actively manage individual vulnerabilities. Also, so many critical new vulnerabilities were found every month that the list was becoming unwieldy. Risks, on the other hand, reflect the vulnerability, the threat and the impact together. We measure those by finding actual attack data.
2. The new, more complex attacks must be met with multi-layered defenses and can sometimes only be met with adequate detection of their presence after successful penetration. The risk focus enables mitigation discussions to be more complete and therefore more useful.
3. Federal agencies and large commercial organizations are now prioritizing their security programs based on the Top 20 Most Critical Security Controls (published by the Center for Strategic and International Studies). Those 20 controls reflect the known risk as of early summer 2009. The new risk report will be a reliable means of ensuring the 20 Critical Controls are regularly updated to reflect changes in the risk picture.
SANS is the most trusted and by far the largest source for information security training, certification and research in the world. We offer renowned Computer, Software and Network Security Training, Certification through our GIAC affiliate, Free Resources for Research and Global Incident Response, In-depth Training in Computer Security, Firewall Protection, Hacking, Intrusion Detection, CISSP CBK and more.