Attacks/Breaches

12/1/2015
10:30 AM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How CISOs Can Change The Game of Cybersecurity

In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter.

As data breaches continue to escalate, organizations, regardless of size or industry, need a new mindset to rise to the pervasive challenge of cybercrime and cyber espionage. Despite the fact that the FBI claims that their number one criminal priority is cybercrime, less than five percent of computer intrusions are successfully prosecuted, according to the Department of Justice and FBI. With jail time and other penalties few and far between, corporate decision makers are on their own when it comes to protecting corporate reputations, intellectual property, finances, and customers.

Facing this challenge boils down to risk management and financial investment. But with only 8 cents of every corporate IT dollar allocated towards security, the current picture isn’t reassuring, especially given the hostility and unregulated nature of cyberspace. Worse, today’s security investment deficit is jeopardizing corporate brands and exacerbating their risk of serious reputational damage.

Board-level mandate beyond the datacenter
Typically, organizations serious about cybersecurity appoint chief information security officers (CISOs) to lead the charge. Historically, a CISO answers to the chief information officer (CIO). The problem with this model is that the CIO role is similar to that of a football offensive coordinator, a position that is concerned primarily with increasing efficiencies, access, and resiliency within the IT realm.

While important, none of these elements aid the CISO, (continuing our football analogy, the defensive coordinator), whose principal job is to improve security and risk management across all operational silos within the enterprise. From a governance perspective, the CISO needs a broader mandate than that of a defensive coordinator, a mandate befitting an executive with more far-reaching responsibilities and reporting to the COO or CEO.

In the modern enterprise, all corporate leaders should be held accountable for their cybersecurity posture, even though their position might be far from managing the datacenter. For instance, chief marketing officers are typically focused on the actual use of the Web, such as email campaigns, mobile app development, website updates, blogs and search engine optimization. Even though these responsibilities may seem like strictly promotional endeavors, they can leave the door open for malware or other cyberattacks against unsuspecting customers’ systems. It’s not a good outcome for the company or the constituency.

Preventing the systemic spread of malware
Malware infections often times migrate from one part of the enterprise to the other, even from a third-party partner. Once a network is compromised, an attack can become widespread throughout the entire IT infrastructure supply chain in a practice known as “island hopping.” A classic example of island hopping was the infamous Target breach, which ultimately resulted in the resignation of both the CEO and CIO. A holistic mentality toward cybersecurity will mitigate the systemic risk of the spread of threats across an IT infrastructure.

The subsequent investigation at Target also revealed that thieves had infiltrated a third-party vendor to steal the retail giant’s credentials. The result? Cybercriminals successfully gained access to approximately 40 million customer credit cards, potentially affecting more than 100 million individuals. The repercussions are still being felt throughout the retail sector today.

As Target shows us, third-party partnerships are another overlooked aspect of many security strategies – strategies that demand attention and support from the corporate leadership team to be effective. Organizations looking to strengthen security should examine the policies of their partners -- including law and accounting firms -- particularly if a company is publicly traded. These partners have access to sensitive information that make very attractive targets.

A new level of safety in the digital world
For two decades, corporate focus has predominantly been on cutting cost, improving access and increasing efficiencies to goods and services. The same commitment should now transition to policies that make customers, partners and investors feel safe in the digital world created for their convenience. Just as a customer at a shopping center should expect a level of safety from the landlord and retailers, an online environment should have the same trust factor.

To accomplish this, a concerted effort should be made to elevate cybersecurity to an operational and reputational risk management priority. It is the obligation of boards of directors to improve oversight and governance for cybersecurity. This translates to analyzing investment strategies regarding information technology, cybersecurity and drastically improving training in order to stay ahead of sophisticated cybercriminals.

The Internet is not a comforting environment. Proper due diligence of cybersecurity is not only a risk management function but also a reality of modern-day brand protection.

 

Tom is a cyber intelligence expert, author, professor, and leader in the field of cybersecurity.  Having held a seat on the Commission on Cyber Security for the 44th President of the United States and serving as an advisor to the International Cyber Security Protection ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
12/2/2015 | 2:59:26 PM
Data-centric
Antivirus software is falling behind the bad guys. I think the situation with the Target breach is very concerning that even if malware is detected it could be hard to notice in all the noise from different detection systems. This picture is not improving according to the two most recent Verizon reports that concluded that less than 14% of breaches are detected by internal security tools. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years.

We are wasting lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity

RIP, 'IT Security'
Kevin Kurzawa, Senior Information Security Auditor,  11/13/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17906
PUBLISHED: 2018-11-19
Philips iSite and IntelliSpace PACS, iSite PACS, all versions, and IntelliSpace PACS, all versions. Default credentials and no authentication within third party software may allow an attacker to compromise a component of the system.
CVE-2018-9209
PUBLISHED: 2018-11-19
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2
CVE-2018-9207
PUBLISHED: 2018-11-19
Arbitrary file upload in jQuery Upload File <= 4.0.2
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...