These domains should not be seen as sequential steps in which each is terminated prior to the commencement of the next, but rather as three continual processes that form the foundation of organizational security.

**10.1 Prepare**

Preparation includes planning, risk assessment, policy, business continuity planning, countermeasure deployment, training, education and accreditation. These are all essential in optimizing our readiness for cyber attacks.

Accreditation is a particularly interesting term in this context. Security accreditation is management's acceptance of the risks associated with a system. This is no small responsibility in the event of an attack. To increase assurance and reduce the associated risk, a thorough penetration test should be carried out as a standard part of the accreditation process. Conducting a penetration test is effectively paying someone to hack your organization's systems. A skilled penetration tester will be able to locate vulnerabilities and advise on cost-effective ways to reduce their risk. Organizations should be wary of individuals marketing themselves as penetration testers without the appropriate skills. A tester should carry recognizable certifications (GIAC, CEH, etc.) and be a member of an accredited or approved organization (such as (ISC)2) that requires its members to follow a code of ethics.

After the test, a report should be provided that identifies the specific vulnerabilities found, together with suitable fixes, and recommends process improvements that will reduce the risk of future vulnerabilities going unchecked.

**10.2 Defend**

In the context of defending against cyber attacks, defensive processes include ongoing risk mitigation, service and device hardening, and incident detection. A recent study (Schwartz, 2011) showed that up to 96% of organizations are unaware they have been hacked. Believing themselves either untargeted or immune to cyber attacks, they remain blissfully ignorant of information theft, espionage and other malicious attacks taking place right under their noses. Organizations must ensure, at a bare minimum, that they are able to detect security incidents when they occur. Failing to do so opens the door to potentially expensive lawsuits and even criminal proceedings, depending on the type of information that has been lost.

**10.3 Act**

Finally, we should establish procedures and protocols to ensure that in the event of an incident we act appropriately. We avoid the term 'react', as it tends to carry the negative connotation of a knee-jerk 'reaction' that is ill-conceived and inflammatory. Actions in response to a cyber attack should be carefully planned to facilitate an effective response that minimizes expense and collateral damage. The word 'act' is therefore deliberate and suggests that organizations should be proactive rather than reactive.

The continual application of these three domains cannot be emphasized enough. External consultants who are experienced, certified security professionals can be invaluable resources in maintaining an effective cyber-security posture and ensuring our businesses remain unhindered by an attack they were unprepared to handle.
