Threat Intelligence

5/18/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Don't Forget Basic Security Measures, Experts Say

Some security leaders argue there is little point in worrying about emerging threats when businesses can't defend against today's attacks.

INTEROP ITX - Las Vegas - New technologies like machine learning, artificial intelligence, and IoT will drive the scale and complexity of cyberattacks. Businesses have every reason to be concerned as the threat landscape continues to grow.

But does it make sense to stress over advanced threats when organizations can't defend against the attacks they currently face?

"A lot of the security threats we face day to day are not fancy, sexy, technologically new stuff," says Anthony Aragues, vice president of product management for Anomali. If these issues were written down, they would be perceived as obvious, but they remain problems.

"We're reminding people -- hey, taking the right steps is important," says Diana Kelley, global executive security advisor for IBM Security. "Threat actors are a lot more motivated than they were 15- to 20 years ago."

Today's users are so dependent on software and connectivity that security disruptions will become increasingly palpable going forward, Kelley says. If an operating system is vulnerable, any business in any industry can be at risk. Hackers don't need to discriminate.

Many organizations, especially small- to midsized businesses, don't really plan their security architecture. In her Interop ITX Cybersecurity Crash Course presentation "Securing Your Enterprise Infrastructure," Dawn-Marie Hutchinson, executive director for the Office of the CISO at Optiv, posed a question to a room packed with IT pros: "Who here has a security strategy?"

Silence. Maybe one hand.

"Every organization right now needs help," she said, noting how attacks are getting easier and cheaper to launch, and more complex to face. "We have more information than we've ever had before, about what's coming after us and how," yet most organizations have immature security strategies.

Attitude is at the root of many security issues organizations face today, Anomali's Aragues explains. It's common for businesses to push security issues to one part of the organization and forget about them. The business often sees security costs as overhead that don't bring value.

"The overall trend that bugs me about security is companies expect it to be handled by the security department," he continues. "We're going to have a problem as long as that's the case."

Last week's WannaCry ransomware attack is a prime example of how businesses aren't putting basic security measures in place. They need to be running only updated operating systems - not older, no longer supported ones like Windows XP - and shut off unnecessary system processes.

"We can blame the Shadow Brokers for leaking NSA vulnerabilities, but there's still the issue of people running old operating systems and leaving open services they don't need to have turned on," he continues.

Individuals and businesses are more connected than ever, but they don't have the security awareness to protect themselves. Organizations can't predict the aftershock of a cyberattack when it hits, explains FireEye CEO Kevin Mandia.

"The vast majority of companies really don't know what happens when you pop off the grid," he says. In his Interop keynote, he emphasized how security hygiene is lacking if a server message block (SMB) exploit can infect more than 200,000 machines, as it did in WannaCry.

Will the latest massive, global cyberattack be a wake-up call? It depends.

The companies who will take action following WannaCry will be those who already have a plan, says Aragues. If they had a strategy in mind and only needed a budget, for example, they can now make some real progress. Those who weren't thinking about security before WannaCry will be playing catch-up and fall behind in all they want to accomplish.

Hutchinson urged tech leaders to build stronger relationships with their business teams. You can't create a business-aligned security strategy with lack of expertise and immature programs, she said.

"The way we used to do things doesn't work anymore," Hutchinson explained. "Think outside the box. The most effective moves aren't always the most natural or comfortable."

Organizations should create three lines of defense in their fight against current cyberattacks and new threats on the horizon. She suggested the following:

  • Build a highly trained team: Fight for budgets to attend security-focused events, where your team can learn news and information about threat intelligence.
  • Information risk office and steering team: This division defines and enforces security policies, manages information risk, and oversees industry and regulatory requirements.
  • Internal and external audit team: To ensure all policies and procedures are effective from inside and outside the organization.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RobinsonJ164
50%
50%
RobinsonJ164,
User Rank: Apprentice
5/24/2017 | 4:58:01 AM
Re: Information overload and skills training
Students can read dark reading through https://www.assignmenthelponline.net/write-an-assignment/ information and training skills.
LindsayCybSafe
0%
100%
LindsayCybSafe,
User Rank: Strategist
5/19/2017 | 8:14:41 AM
Information overload and skills training
Dawn-Marie Hutchinson notes that information and the frequency of basic attacks is (effectively) the new normal - the skills shortage point mirrors that of a politician growing a police force; no matter how many you deploy to patrol, there will always be holes in the system, as the police are not the system and never will be... the threat can never approach zero.   

I'd challenge the assertion that events are useful in this regard, aside from window dressing and networking. Organic skills from employees that are either undisclosed or absent entirely should be the easiest and cheapest port of call for an immediate and proactive response (who knows? Barney in admin may well be a avid dev with his start up on the side...)
Microsoft, Mastercard Aim to Change Identity Management
Kelly Sheridan, Staff Editor, Dark Reading,  12/3/2018
Windows 10 Security Questions Prove Easy for Attackers to Exploit
Kelly Sheridan, Staff Editor, Dark Reading,  12/5/2018
Starwood Breach Reaction Focuses on 4-Year Dwell
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/5/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I guess this answers the question: who's watching the watchers?
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19991
PUBLISHED: 2018-12-10
VeryNginx 0.3.3 allows remote attackers to bypass the Web Application Firewall feature because there is no error handler (for get_uri_args or get_post_args) to block the API misuse described in CVE-2018-9230.
CVE-2018-19653
PUBLISHED: 2018-12-09
HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade.
CVE-2018-19982
PUBLISHED: 2018-12-09
An issue was discovered on KT MC01507L Z-Wave S0 devices. It occurs because HPKP is not implemented. The communication architecture is APP > Server > Controller (HUB) > Node (products which are controlled by HUB). The prerequisite is that the attacker is on the same network as the target HU...
CVE-2018-19983
PUBLISHED: 2018-12-09
An issue was discovered on Sigma Design Z-Wave S0 through S2 devices. An attacker first prepares a Z-Wave frame-transmission program (e.g., Z-Wave PC Controller, OpenZWave, CC1110, etc.). Next, the attacker conducts a DoS attack against the Z-Wave S0 Security version product by continuously sending ...
CVE-2018-19980
PUBLISHED: 2018-12-08
Anker Nebula Capsule Pro NBUI_M1_V2.1.9 devices allow attackers to cause a denial of service (reboot of the underlying Android 7.1.2 operating system) via a crafted application that sends data to WifiService.