Cyber security technical debt creates risk in the same way that financial debt accrues interest. Simon Hutchins, Cyber Security Capability Director at 6point6, and Shruti Kulkarni, Cyber Security Architect, explain what cyber security technical debt is, why it is a problem, and how to address it.

Recognising the importance of cyber security to strengthening and protecting digital public services, the UK government last year published its National Cyber Strategy 2022. The strategy lays out how the UK intends to develop its cyber power in support of national goals throughout this decade. It highlights the resilience of the country's digital infrastructure, citing the importance of “preventing and resisting cyber-attacks more effectively” as a key pillar of building a prosperous nation. These objectives are well thought through and aligned to the ambition of strengthening the digital economy, but what could hinder successful execution?

Like any other organisation, government departments are under constant pressure to deliver new digital services to their citizen customers. This includes building on, consolidating and converging their technology capabilities, as well as modernising complex legacy estates and migrating data.

Through the use of a variety of digital applications and interfaces, these complex legacy systems that power the national infrastructure are increasingly being exposed to different agencies, commercial and public bodies. Lurking here is the nemesis of any IT and security leader: technical debt, and more specifically, cyber security technical debt.

A quick Google search turns up many definitions of cyber security technical debt. At 6point6 we define it simply as the gap between the security-assured technology implementation you would ideally have intended and what is actually operationally live. As systems and architectures become more complex and interdependent, the debt grows with every update cycle, application change and software upgrade.

As with financial debt, many organisations regard cyber security technical debt as a necessary evil, taken on to accelerate business outcomes. But this should only be done in specific circumstances, with great care and under active management. Where financial debt carries interest that compounds quickly, the risk carried by cyber debt can escalate in the same way. The key is to manage the debt and not let it get out of control. It should be paid down carefully and regularly to avoid default, or, in the case of cyber debt, a serious security incident that causes major reputational damage.

IT departments across the UK public sector are under constant pressure to deliver new digital services in the shortest possible timeframe. In recent years, stringent external deadlines such as Brexit and the rapid COVID response have pushed the delivery machinery to the brink. In some circumstances the operational urgency to launch services has outweighed the risk of leaving some security aspects unaddressed. In addition, subsequent pressures to improve user experience have further hampered attempts to comprehensively address vulnerabilities.

In the past this might not have been much of a problem, with legacy applications and architectures residing behind firewalls and secure perimeters. However, the growth of digital government services, while welcome, exposes latent vulnerabilities to new and broader attack vectors. Risk management alone is not enough to protect these systems from attack.

The ever-increasing complexity of systems architecture and application interactivity also leads to complications. A seemingly insignificant application, rushed through testing so that a wider deployment can go ahead, can open a back door into systems and infrastructure. This can increase vulnerability to a range of attack vectors, with consequences including data loss, ransomware or virus deployment. In the UK government's case, as the National Cyber Security Centre notes, this could also lead to cyber espionage, service disruption or the spread of disinformation.

Failing to deal with financial debt leads to default. In cyber security, failing to deal with debt can lead to catastrophic security breaches. Setting the obvious risks aside, the reputational damage resulting from the personal data of millions of citizens ending up in the wrong hands, and the loss of confidence in government that would accompany such an incident, would be hugely embarrassing the world over.

Cyber security technical debt can also be introduced when the security processes and controls that have kept the legacy infrastructure working are also used to support the digitisation of services on a restrictive budget. Trying to do more with less has seen many security and IT teams required to manage ageing infrastructure and add new applications, which brings additional complexity. The result is that these same teams no longer have the resources to unpick the cyber security technical debt that has accrued.

In December 2021 a zero-day threat emerged with a severity score of 10/10. Many organisations knew they were vulnerable because of the Log4j flaw, but they simply did not know where, or how. They lost time in responding to the threat while struggling to understand their estate and querying their suppliers and partners.

Planning regular security reviews and centrally holding design data, components in use, software composition, patching regime and support contracts is critical. It is also important to catalogue software and systems that are out of support or under special or extended support. Some software and code may be irreplaceable and/or unfixable. In some cases it may outlive the staff who are expected to look after it. Understanding your estate and its vulnerabilities is a big part of managing it and will accelerate your response to future incidents should new threats emerge.
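The paragraph above describes the register an organisation needs in order to answer the Log4j-style question "we know we are exposed, but where?". The following is an added example, not code from the original article or from 6point6, of the minimal shape such a register can take and the two checks it should support: which deployed components fall below an agreed minimum version or have fallen out of support, and which systems run a given component. All system names, component names, versions, dates and the minimum-version baseline are constructed for the example and do not correspond to any real product or advisory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    """One row of the central register: what runs where, at which version, supported until when."""
    system: str                   # service or estate the component is deployed in
    name: str                     # package or product name
    version: str                  # dotted numeric version as actually deployed
    support_end: Optional[date]   # vendor/community support end; None if nobody has recorded it
    internet_facing: bool         # True if reachable from untrusted networks


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.7' into (3, 1, 7) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(component: Component, minimum_versions: Dict[str, str], today: date) -> List[str]:
    """Return the reasons one component counts as debt; an empty list means nothing was found."""
    reasons: List[str] = []
    minimum = minimum_versions.get(component.name)
    if minimum is None:
        # Nobody has set a baseline: the component is unmanaged, which is debt in itself.
        reasons.append("no minimum version baseline recorded")
    elif parse_version(component.version) < parse_version(minimum):
        reasons.append(f"below minimum accepted version {minimum}")
    if component.support_end is None:
        reasons.append("support status unknown")
    elif component.support_end < today:
        reasons.append(f"out of support since {component.support_end.isoformat()}")
    return reasons


def audit(inventory: List[Component], minimum_versions: Dict[str, str],
          today: date) -> List[Tuple[Component, List[str]]]:
    """Audit the whole register; internet-facing and most-indebted components are listed first."""
    findings = [(c, classify(c, minimum_versions, today)) for c in inventory]
    findings = [(c, reasons) for c, reasons in findings if reasons]
    findings.sort(key=lambda f: (not f[0].internet_facing, -len(f[1]), f[0].system, f[0].name))
    return findings


def where_is(inventory: List[Component], name: str) -> List[str]:
    """Answer the 'we know we are exposed, but where?' question for a single component."""
    return sorted({c.system for c in inventory if c.name == name})


# Constructed sample data for the example: fictional systems, components, versions and dates.
AUDIT_DATE = date(2022, 1, 15)
MINIMUM_VERSIONS = {  # constructed baseline; not real advisory data
    "acme-logging": "3.2.0",
    "acme-webserver": "9.1.4",
}
INVENTORY = [
    Component("benefits-portal", "acme-logging", "3.1.7", date(2025, 12, 31), True),
    Component("hr-intranet", "acme-logging", "3.2.1", date(2025, 12, 31), False),
    Component("benefits-portal", "acme-webserver", "9.1.4", date(2021, 6, 30), True),
    Component("licensing-batch", "acme-logging", "2.9.0", None, False),
    Component("licensing-batch", "legacy-scheduler", "1.0.0", None, False),
]

if __name__ == "__main__":
    for component, reasons in audit(INVENTORY, MINIMUM_VERSIONS, AUDIT_DATE):
        exposure = "INTERNET-FACING" if component.internet_facing else "internal"
        print(f"{component.system:16} {component.name:18} {component.version:8} "
              f"{exposure:16} {'; '.join(reasons)}")
    print("acme-logging runs on:", ", ".join(where_is(INVENTORY, "acme-logging")))
```

Two design points carry over to a real register. A component with no recorded baseline or no recorded support date is reported as debt rather than silently passing, because an unknown is exactly the gap the article warns about. And the ordering puts internet-facing components first, so that the first audit report, which the article expects to be daunting in volume, can be read top-down as a first-pass priority list.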

How should public sector leaders and their IT departments respond to the challenge of cyber security technical debt?

There are four critical areas where public sector leaders and their IT departments should focus their response to the challenge of cyber security technical debt in government. These are:

  1. Organisational engagement

    Cyber security technical debt grows over time and, when not addressed, becomes a “whole of government” challenge to manage. Identifying and assigning a senior executive level sponsor for managing cyber security technical debt is an important first step to creating a joint business and IT collaboration to track and reduce the debt. The aim is to build a culture of awareness around cyber debt so that it becomes the remit of the whole organisation, rather than just the security and IT teams.

    Striking the right balance between cyber security and business development is the responsibility of business leaders, and all government leaders can have a direct impact on the cyber resilience, security and safety of the nation.

  2. Identify and record

    Cyber security technical debt must be identified and recorded. Some IT teams do not do this because they see it as an avoidable or unnecessary cost. Others ignore it because they believe it brings no tangible benefit to users. Understanding the operational impact of a successful breach on the delivery of essential services, the financial cost of a breach, and recognising the ramifications of reputational impact are the first steps in gaining buy-in to the process of auditing the cyber security debt in any department or organisation. This cataloguing exercise is not a one-off but should be carried out regularly.

  3. Understand and prioritise

    Having gathered and recorded your position, it is time to understand it. After running an audit for the first time you may be looking at a report that is daunting in its apparent volume of vulnerabilities. However, not all vulnerabilities are equal. Once you have absorbed the data you can prioritise and organise your response.

  4. Put your response into action

    While understanding your cyber technical debt makes it possible to start paying it down, there is also a requirement for constant monitoring and prioritisation to avoid it growing again in future. This is likely to involve buy-in from a number of business and technology stakeholders to ensure security testing and remediation are adopted across all IT implementations. Regular testing in this way will help keep everyone focused on making better security decisions.

At 6point6 we have an established five-step approach to support our clients in addressing cyber security technical debt:

  • Conduct an in-depth review and document your current position by gathering and auditing system information through multiple sources

  • Understand your risk in terms of both severity and likelihood

  • Build a balanced and proportionate remediation plan using our architecture approach

  • Build stakeholder awareness, prioritise paying down your cyber security technical debt, and monitor and report progress

  • Embed security further into IT and business planning, integrating testing and business requirements, to help avoid further cyber security technical debt in future

If price and speed are always the primary motivators for new digital applications, new cyber debt will result. Existing debt will also be ignored or shelved for future resolution.

While complex and changing environments increase the likelihood of cyber debt, they do not make it inevitable. Paying down your debt can start right away. Contact us today to find out more about the proven 6point6 approach to identifying and addressing cyber security technical debt.

Simon Hutchins is Cyber Security Capability Director at 6point6, a role that enables him to combine deep technical understanding with the ability to bridge the gap between business and customers, bringing together all aspects of architecture. Shruti Kulkarni is a Cyber Security Architect, harnessing her 15 years’ experience working in Information Security to provide the best security approach that addresses our customers’ unique challenges.
