Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Security //

IDS

// // //
3/10/2017
01:36 PM
Carol Wilson
Carol Wilson
News Analysis-Security Now

CenturyLink: Changing the Security Mindset

Businesses need to think of cyber security as more than an occasional investment.

Businesses need to stop thinking of cybersecurity as an IT function and think of it as an ongoing activity such as accounting, the head of CenturyLink's security services says.

In an interview with Light Reading the day after he'd hosted a CenturyLink Inc. (NYSE: CTL) Cybersecurity Summit in Monroe, La., Bill Bradley, the SVP of cyber engineering and technology services, admits he and others in the field are frustrated by the continuing need to get businesses to update their security efforts and take them more seriously. Given the way data breaches dominate the headlines, it's hard to fathom why businesses of any size that are networked don't realize security is a priority. And what business isn't networked these days?

But as Bradley himself recently experienced, many business folks aren't doing things as simple as changing passwords regularly or updating their systems from the default settings. At a recent speaking appearance, he asked the audience how many people had passwords that were at least two years old.

"At least 40% of the audience raised their hands, and they were the honest ones," he says. When Bradley pushed the same question to five years, "a substantial number of people still raised their hands."

He believes this is driven by the false sense of security company executives get when they invest in security infrastructure.

"They are thinking about it like you once thought about your IT budget," Bradley says. "You'd make an investment and then you would expect that to have a life of a certain number of years before you would need to refresh. But that refresh cycle -- people got very comfortable with. I don't think that is the right model for security."

Instead, the security model should be much more in line with how businesses view accounting -- as an ongoing effort.

"In an accounting-type model, you have an ongoing effort if you are a business," he says. "You have to get accounting reports out every month, every quarter, every year. But it doesn't just end there, you have to have an external audit and you have to do that every year, and it's something people take very seriously."


Don't get left in the dark by a DDoS attack -- learn best practices to strengthen the security of your network. Join us in Austin at the fourth-annual Big Communications Event. BCE brings you face-to-face with hundreds of speakers and thousands of industry thought leaders. There's still time to register and communications service providers get in free.

If that same level of attention was paid to security, Bradley notes, then many common breaches would be prevented, because much of today's activity depends on accessing networks through unprotected devices such as sensors or home automation gear, or easily prevented things such as email phishing.

Like most other telecom network operators, CenturyLink has made managed security services a major focus in recent years, including acquiring netAura last year and using that technology and talent to develop its own portal as well as add significant consulting expertise. The portal, which CenturyLink was showing off earlier this year to folks at the RSA conference, enables a more intelligent and proactive response to security threats, Bradley says. (See Unknown Document 722371.)

"It's a proprietary portal that sits on top of those [network] systems, aggregates that data and allows customers to run sophisticated reports that allows them to make more informed decisions," he says. "That gives you real transparency into what is going on in your network."

CenturyLink will also provide the expertise to businesses, particularly midsized and smaller, that don't have the people and processes to make the technology work, Bradley says. But in providing a full service security system, the company doesn’t encourage business customers to just sit back and enjoy the ride.

"We don't recommend they take that 100% [of responsibility for security] from anyone," he says. "They have to be actively engaged in defending their own systems and company themselves. But we can provide a significant part of that service to them."

And like every other person in the managed security services arena that I know, Bradley says much still must be done to educate businesses and make them smarter about security, in no small part because those who are waging cyber warfare are incredibly smart, and as the recent Wikileaks efforts have shown, more than willing to share what they find with each other to get smarter.

— Carol Wilson, Editor-at-Large, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...