Threat Intelligence

6/14/2017
02:00 PM
Marc Wilczek
Commentary

By the Numbers: Parsing the Cybersecurity Challenge

Why your CEO should rethink company security priorities in the drive for digital business growth.

Digitization is progressing rapidly. From 2013 to 2020, EMC expects the digital universe to grow tenfold, from 4.4 trillion to 44 trillion gigabytes. In fact, the universe more than doubles in size every two years. However, along with that growth, the world becomes exposed to cyber attacks on an unprecedented scale. The tumult around the 2016 US election is just the tip of the iceberg, with a far bigger and growing issue beneath the surface.

Everyone is a potential target
Few are aware that literally every company and individual is a potential target. One in 10 people is now a victim of fraud or online offenses, a study in the UK concluded, as highlighted in The Telegraph. While these numbers appear shockingly high, it’s important to keep in mind that the overwhelming majority of these crimes are believed to remain unreported by the victims for a number of reasons, such as fear, a lack of awareness, or embarrassment.

According to Radware’s 2016-17 Global Application & Network Security report, 98% of organizations experienced cyber attacks in 2016. The perception that criminals only go after large enterprises and the public sector is completely wrong. As many as 31% of these attacks are directed at small and mid-sized companies with fewer than 250 employees. This trend is going to continue in 2017.

Cybercrime is an industry that is evolving exponentially
As reported on Bloomberg, cyber insurance premiums to protect against financial damages resulting from hacking could become a blockbuster product and rise to between $8.5 billion and $10 billion by 2020 from about $3.4 billion currently.

Cisco expects that cybercrime damages could cost up to $6 trillion annually by 2021, up from $3 trillion in 2015. However, these costs are sometimes hard to quantify and vary widely, depending on a number of factors, such as the size of the organization, type and extent of the attack, publicity, industry, geography and so on. Most security experts (54%) estimate the impact of each attack at less than $100,000, but as many as 12% estimate the cost of an attack to be $1 million or above, according to Radware’s research.

Shortage of talent, missing attention in the boardroom
When asked about their primary obstacle to countering cyber attacks, more than one-quarter (27%) cited missing manpower, according to the Radware report. With 1 million vacancies in 2016, there is a severe workforce gap in cybersecurity, which is getting worse as the digital universe expands. Cybersecurity Ventures estimates the talent shortage will reach 1.5 million vacancies by 2019, which makes the skills rare and drives up wages.

In a 2015 study by PWC, 21% of CEOs asked globally were "extremely concerned" about cyber threats, and nearly 42% were "somewhat concerned." Frankly, these numbers appear surprisingly low, compared to the potential damages and given the workforce gap enterprises have to cope with.

So what's ahead?
Overall, the cybersecurity community seems more pessimistic about what to expect throughout 2017. Cyber attacks will become more sophisticated and catch many by surprise. According to the Radware report, the range is likely to include: a rise of Telephony Denial of Service (TDoS) and Permanent Denial of Service (PDoS) for datacenter and IoT operations; compromised surveillance systems available for rent, enabling intruders to watch through third-party cameras; more targeted and segmented ransom attacks; and hijacked personal avatars and personal information (including medical or criminal records, lawsuit information, etc.) for sale or auction as the Darknet goes mainstream.

CEOs should critically review their corporate priorities, as the threat of cybercrime seems to be widely underestimated. To prepare their organizations for the future, they need to gear up and take concrete action. This includes technology investments (solid threat prevention and detection capabilities, robust incident response plans, etc.) and, more importantly, adequate resources. Since security experts are scarce, requalification programs and formal training of the existing IT workforce play a critical role in helping to close the gap.

While this might sound fairly intimidating, it would be negligent to trivialize the threat. With the expansion of the digital world, shiploads of data being processed, and the emergence of smart cities, societies will become increasingly dependent upon the availability and resilience of IT systems that affect our everyday lives. More than ever, it’s crucial to properly safeguard IT infrastructure as well as data whenever it's being transmitted (in motion), processed (in use), or stored (at rest).

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
Comments
jesternl,
User Rank: Apprentice
6/16/2017 | 2:04:39 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
There are tools to mitigate this, and an ever-growing number of companies is using them.
My job is to make sure they use ours to the best of their abilities.
KristenK,
User Rank: Apprentice
6/15/2017 | 9:51:31 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
You raise good points. I hope the authors will explore this as a topic more in depth. 
imispgh,
User Rank: Strategist
6/14/2017 | 10:44:58 PM
Privileged Account Security - Biggest Dirty Secret in Cybersecurity
Privileged Account Security – The Giant Dirty Secret in most organizations' cybersecurity. Why isn't it being addressed? Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will take decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don't help much. This is because the relevant regulations, SOC, HiTrust etc. are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available off-the-shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, to deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.