1. Avoidance: eliminate the conditions that allow the risk to be present
2. Acceptance: acknowledge the risk’s existence but do nothing except prepare a contingency plan in case the event happens
3. Mitigation: minimize the probability or impact of the risk
4. Deflection: transfer the risk somewhere else
As far as your infrastructure goes, mitigation of risks is a daily task: firewalls for networks, strong passwords for logons, WAFs for public-facing sites (especially ecommerce), access cards for facilities, backups, storage, disaster recovery, and the list goes on. There has been a lot of focus on mitigating DoS attacks recently, due to many popular sites, including Government web applications, having issues... and some having none. Just last week, The SANS Institute published their Top Cyber Security Risks and, as Gideon J. Lenkey points out in this article, at the top they state, ‘Two risks dwarf all others, but organizations fail to mitigate them.’ They were talking about unpatched client software and vulnerable public-facing web sites. It’s interesting that while OS patching has gotten better (maybe due to worms and auto-update settings), updates of client software applications (like Flash, Java, etc.) fall behind. And it’s those applications that get you in the most trouble!
As a side note, some of the runners-up for #13 were Mobile, Malware, Monitoring and Man-in-the-Middle attacks. Since articles appear daily about those topics, I thought Mitigation might be a good choice, since it can help in all of those areas.