Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/1/2015
10:30 AM
Tom Kellermann
Tom Kellermann
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

How CISOs Can Change The Game of Cybersecurity

In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter.

As data breaches continue to escalate, organizations, regardless of size or industry, need a new mindset to rise to the pervasive challenge of cybercrime and cyber espionage. Despite the fact that the FBI claims that their number one criminal priority is cybercrime, less than five percent of computer intrusions are successfully prosecuted, according to the Department of Justice and FBI. With jail time and other penalties few and far between, corporate decision makers are on their own when it comes to protecting corporate reputations, intellectual property, finances, and customers.

Facing this challenge boils down to risk management and financial investment. But with only 8 cents of every corporate IT dollar allocated towards security, the current picture isn’t reassuring, especially given the hostility and unregulated nature of cyberspace. Worse, today’s security investment deficit is jeopardizing corporate brands and exacerbating their risk of serious reputational damage.

Board-level mandate beyond the datacenter
Typically, organizations serious about cybersecurity appoint chief information security officers (CISOs) to lead the charge. Historically, a CISO answers to the chief information officer (CIO). The problem with this model is that the CIO role is similar to that of a football offensive coordinator, a position that is concerned primarily with increasing efficiencies, access, and resiliency within the IT realm.

While important, none of these elements aid the CISO, (continuing our football analogy, the defensive coordinator), whose principal job is to improve security and risk management across all operational silos within the enterprise. From a governance perspective, the CISO needs a broader mandate than that of a defensive coordinator, a mandate befitting an executive with more far-reaching responsibilities and reporting to the COO or CEO.

In the modern enterprise, all corporate leaders should be held accountable for their cybersecurity posture, even though their position might be far from managing the datacenter. For instance, chief marketing officers are typically focused on the actual use of the Web, such as email campaigns, mobile app development, website updates, blogs and search engine optimization. Even though these responsibilities may seem like strictly promotional endeavors, they can leave the door open for malware or other cyberattacks against unsuspecting customers’ systems. It’s not a good outcome for the company or the constituency.

Preventing the systemic spread of malware
Malware infections often times migrate from one part of the enterprise to the other, even from a third-party partner. Once a network is compromised, an attack can become widespread throughout the entire IT infrastructure supply chain in a practice known as “island hopping.” A classic example of island hopping was the infamous Target breach, which ultimately resulted in the resignation of both the CEO and CIO. A holistic mentality toward cybersecurity will mitigate the systemic risk of the spread of threats across an IT infrastructure.

The subsequent investigation at Target also revealed that thieves had infiltrated a third-party vendor to steal the retail giant’s credentials. The result? Cybercriminals successfully gained access to approximately 40 million customer credit cards, potentially affecting more than 100 million individuals. The repercussions are still being felt throughout the retail sector today.

As Target shows us, third-party partnerships are another overlooked aspect of many security strategies – strategies that demand attention and support from the corporate leadership team to be effective. Organizations looking to strengthen security should examine the policies of their partners -- including law and accounting firms -- particularly if a company is publicly traded. These partners have access to sensitive information that make very attractive targets.

A new level of safety in the digital world
For two decades, corporate focus has predominantly been on cutting cost, improving access and increasing efficiencies to goods and services. The same commitment should now transition to policies that make customers, partners and investors feel safe in the digital world created for their convenience. Just as a customer at a shopping center should expect a level of safety from the landlord and retailers, an online environment should have the same trust factor.

To accomplish this, a concerted effort should be made to elevate cybersecurity to an operational and reputational risk management priority. It is the obligation of boards of directors to improve oversight and governance for cybersecurity. This translates to analyzing investment strategies regarding information technology, cybersecurity and drastically improving training in order to stay ahead of sophisticated cybercriminals.

The Internet is not a comforting environment. Proper due diligence of cybersecurity is not only a risk management function but also a reality of modern-day brand protection.

 

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy in 2017. Tom previously ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
12/2/2015 | 2:59:26 PM
Data-centric
Antivirus software is falling behind the bad guys. I think the situation with the Target breach is very concerning that even if malware is detected it could be hard to notice in all the noise from different detection systems. This picture is not improving according to the two most recent Verizon reports that concluded that less than 14% of breaches are detected by internal security tools. Detection by external third party entities unfortunately increased from approximately 10% to 25% during the last three years.

We are wasting lot of money on firewalls and network perimeter security, things that make us feel safe but don't address real problems. Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber-attacks. According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

I found good guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

The attackers are increasingly focused on stealing our sensitive data and will always look for the next path to attack the data. So we urgently need to secure the sensitive data itself with modern data security approaches.

I read an interesting report from the Aberdeen Group that revealed that "Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". The name of the study is "Tokenization Gets Traction".

Ulf Mattsson, CTO Protegrity

US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13552
PUBLISHED: 2019-09-18
In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.
CVE-2019-15301
PUBLISHED: 2019-09-18
A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.Const() in Terrasoft Bpm'online CRM-System SDK 7.13 allows attackers to execute arbitrary SQL commands via the value parameter.
CVE-2019-5042
PUBLISHED: 2019-09-18
An exploitable Use-After-Free vulnerability exists in the way FunctionType 0 PDF elements are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free. An attacker can send a malicious PDF to trigger this vulnerability.
CVE-2019-5066
PUBLISHED: 2019-09-18
An exploitable use-after-free vulnerability exists in the way LZW-compressed streams are processed in Aspose.PDF 19.2 for C++. A specially crafted PDF can cause a dangling heap pointer, resulting in a use-after-free condition. To trigger this vulnerability, a specifically crafted PDF document needs ...
CVE-2019-5067
PUBLISHED: 2019-09-18
An uninitialized memory access vulnerability exists in the way Aspose.PDF 19.2 for C++ handles invalid parent object pointers. A specially crafted PDF can cause a read and write from uninitialized memory, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerabi...