Threat Intelligence

5/18/2017
06:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Don't Forget Basic Security Measures, Experts Say

Some security leaders argue there is little point in worrying about emerging threats when businesses can't defend against today's attacks.

INTEROP ITX - Las Vegas - New technologies like machine learning, artificial intelligence, and IoT will drive the scale and complexity of cyberattacks. Businesses have every reason to be concerned as the threat landscape continues to grow.

But does it make sense to stress over advanced threats when organizations can't defend against the attacks they currently face?

"A lot of the security threats we face day to day are not fancy, sexy, technologically new stuff," says Anthony Aragues, vice president of product management for Anomali. If these issues were written down, they would be perceived as obvious, but they remain problems.

"We're reminding people -- hey, taking the right steps is important," says Diana Kelley, global executive security advisor for IBM Security. "Threat actors are a lot more motivated than they were 15- to 20 years ago."

Today's users are so dependent on software and connectivity that security disruptions will become increasingly palpable going forward, Kelley says. If an operating system is vulnerable, any business in any industry can be at risk. Hackers don't need to discriminate.

Many organizations, especially small- to midsized businesses, don't really plan their security architecture. In her Interop ITX Cybersecurity Crash Course presentation "Securing Your Enterprise Infrastructure," Dawn-Marie Hutchinson, executive director for the Office of the CISO at Optiv, posed a question to a room packed with IT pros: "Who here has a security strategy?"

Silence. Maybe one hand.

"Every organization right now needs help," she said, noting how attacks are getting easier and cheaper to launch, and more complex to face. "We have more information than we've ever had before, about what's coming after us and how," yet most organizations have immature security strategies.

Attitude is at the root of many security issues organizations face today, Anomali's Aragues explains. It's common for businesses to push security issues to one part of the organization and forget about them. The business often sees security costs as overhead that don't bring value.

"The overall trend that bugs me about security is companies expect it to be handled by the security department," he continues. "We're going to have a problem as long as that's the case."

Last week's WannaCry ransomware attack is a prime example of how businesses aren't putting basic security measures in place. They need to be running only updated operating systems - not older, no longer supported ones like Windows XP - and shut off unnecessary system processes.

"We can blame the Shadow Brokers for leaking NSA vulnerabilities, but there's still the issue of people running old operating systems and leaving open services they don't need to have turned on," he continues.

Individuals and businesses are more connected than ever, but they don't have the security awareness to protect themselves. Organizations can't predict the aftershock of a cyberattack when it hits, explains FireEye CEO Kevin Mandia.

"The vast majority of companies really don't know what happens when you pop off the grid," he says. In his Interop keynote, he emphasized how security hygiene is lacking if a server message block (SMB) exploit can infect more than 200,000 machines, as it did in WannaCry.

Will the latest massive, global cyberattack be a wake-up call? It depends.

The companies who will take action following WannaCry will be those who already have a plan, says Aragues. If they had a strategy in mind and only needed a budget, for example, they can now make some real progress. Those who weren't thinking about security before WannaCry will be playing catch-up and fall behind in all they want to accomplish.

Hutchinson urged tech leaders to build stronger relationships with their business teams. You can't create a business-aligned security strategy with lack of expertise and immature programs, she said.

"The way we used to do things doesn't work anymore," Hutchinson explained. "Think outside the box. The most effective moves aren't always the most natural or comfortable."

Organizations should create three lines of defense in their fight against current cyberattacks and new threats on the horizon. She suggested the following:

  • Build a highly trained team: Fight for budgets to attend security-focused events, where your team can learn news and information about threat intelligence.
  • Information risk office and steering team: This division defines and enforces security policies, manages information risk, and oversees industry and regulatory requirements.
  • Internal and external audit team: To ensure all policies and procedures are effective from inside and outside the organization.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RobinsonJ164
50%
50%
RobinsonJ164,
User Rank: Apprentice
5/24/2017 | 4:58:01 AM
Re: Information overload and skills training
Students can read dark reading through https://www.assignmenthelponline.net/write-an-assignment/ information and training skills.
LindsayCybSafe
0%
100%
LindsayCybSafe,
User Rank: Strategist
5/19/2017 | 8:14:41 AM
Information overload and skills training
Dawn-Marie Hutchinson notes that information and the frequency of basic attacks is (effectively) the new normal - the skills shortage point mirrors that of a politician growing a police force; no matter how many you deploy to patrol, there will always be holes in the system, as the police are not the system and never will be... the threat can never approach zero.   

I'd challenge the assertion that events are useful in this regard, aside from window dressing and networking. Organic skills from employees that are either undisclosed or absent entirely should be the easiest and cheapest port of call for an immediate and proactive response (who knows? Barney in admin may well be a avid dev with his start up on the side...)
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-8298
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
CVE-2018-14825
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
CVE-2018-17437
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
CVE-2018-17438
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
CVE-2018-17439
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.