Those Who Fail to Learn from [Data Security] History are Doomed to Repeat It

Don Miller

We title this post using Sir Winston Churchill’s famous quote (with a bit of modification) because it reinforces a valuable data security lesson for purposes of National Cyber Security Awareness Month.  Churchill’s quote reminds us that while we must always be forward-looking in all aspects of our business, it is also essential that we pause periodically to think critically about our history so as to avoid repeating mistakes of the past.

The Best Data Security Systems are Built on a Foundation of Policies Based on Trust

At a recent data security conference, FBI Agent Tim Wallach made a comment highly relevant for those MFT Nation readers concerned about knowing and understanding their data security history.  He said:  “Cyber is based on a system of trust and hackers are exploiting that trust in any way they can.”  The evolving data security landscape has changed many things, but it has not changed the fundamental truth that data security is all about trust.  The days of using “fear, uncertainty and doubt” as a means of promoting data security within an organization are long gone.  In our experience, effective data security comes from policies that build trust, and building trust necessarily begins with risk assessment, as explained in more detail below.

Risk Assessment is a Critical Component of an Effective Data Security Program

Through a process of risk assessment, IT professionals identify threats and vulnerabilities on their networks, and weigh the risks they present to the confidentiality, integrity, and availability of information on the network.  Without adequate risk assessment, an organization is blind to vulnerabilities intruders or insiders could exploit to obtain unauthorized access to sensitive information on its network, even for vulnerabilities it could have easily eliminated. Knowing a network’s vulnerabilities and the prospect of harm they present is essential for deciding which security measures are reasonable for the network.  Thus, performing a risk assessment acts as the foundation for an effective data security program.

Many Public and Private Resources Exist to Help Conduct a Useful Risk Assessment

Frameworks to identify, assess, and mitigate risk are available at no charge from various sources, such as the National Institute of Science and Technology (“NIST”) and the Centers for Medicare and Medicaid Services (“CMS”).  Private entities, such as the System Administration, Networking, and Security Institute (“SANS”), also provide IT practitioners with risk assessment information and training.  These free frameworks set out concepts organizations can adapt as needed to identify and prioritize vulnerabilities taking account of their circumstances, such as their network structures and the types and amounts of harm that would result if there were a breach.

For example, NIST Special Publication 800-30 contains a nine-step process, beginning with cataloging network resources (including hardware, software, information, and connections) to define the scope of risk assessment, moving through vulnerability identification and cost-benefit analyses of measures that could mitigate the risk of a vulnerability, and ending with security measure recommendations and a written record of the process.  These primary steps include methods and tools that could be used to perform them.  CMS used the NIST concepts to provide a similar framework for analyzing and managing vulnerabilities for entities subject to HIPAA and the Security Rule.

Many Public and Private Resources Exist for Determining Known or Reasonably Foreseeable Vulnerabilities

A wealth of information exists for identifying known vulnerabilities.  Sources include alerts from software vendors and security companies, and software vulnerability databases compiled by private and government entities.  These databases include the Common Vulnerabilities and Exposures (“CVE”), the Common Vulnerability Scoring System (“CVSS”), the US Computer Emergency Response Team (“US Cert”), and NIST’s National Vulnerability Database (“NVD”).  The CVE assigns to each known vulnerability a unique numerical identifier that is used to catalog and retrieve information about the vulnerability, including remediation measures in many instances.  The CVSS facilitates prioritizing vulnerabilities by calculating a numerical impact severity score between 0 and 10 for each vulnerability, taking into account factors such as how easy or hard it is to exploit the vulnerability and the resulting impact on confidentiality, integrity, and availability.  US CERT provides free technical assistance to networks and notifications of current and potential security threats.  The NVD is the U.S. government’s free one-stop-shopping software vulnerability management database, and includes the CVE dictionary, CVSS severity ratings, and additional analysis and information about known vulnerabilities.

bTrade can Help

A data security strategy must be tailored to meet an organization’s unique set of needs and requirements, but conducting a periodic risk assessment can form the foundation for a truly effective data security program.  To learn more about the information in this post, or to discuss the topic with bTrade’s data security experts, send a confidential email to