01:36 PM
Carol Wilson
News Analysis-Security Now

CenturyLink: Changing the Security Mindset

Businesses need to think of cyber security as more than an occasional investment.

Businesses need to stop thinking of cybersecurity as an IT function and think of it as an ongoing activity such as accounting, the head of CenturyLink's security services says.

In an interview with Light Reading the day after he'd hosted a CenturyLink Inc. (NYSE: CTL) Cybersecurity Summit in Monroe, La., Bill Bradley, the SVP of cyber engineering and technology services, admits he and others in the field are frustrated by the continuing need to get businesses to update their security efforts and take them more seriously. Given the way data breaches dominate the headlines, it's hard to fathom why businesses of any size that are networked don't realize security is a priority. And what business isn't networked these days?

But as Bradley himself recently experienced, many business folks aren't doing things as simple as changing passwords regularly or updating their systems from the default settings. At a recent speaking appearance, he asked the audience how many people had passwords that were at least two years old.

"At least 40% of the audience raised their hands, and they were the honest ones," he says. When Bradley pushed the same question to five years, "a substantial number of people still raised their hands."

He believes this is driven by the false sense of security company executives get when they invest in security infrastructure.

"They are thinking about it like you once thought about your IT budget," Bradley says. "You'd make an investment and then you would expect that to have a life of a certain number of years before you would need to refresh. But that refresh cycle -- people got very comfortable with. I don't think that is the right model for security."

Instead, the security model should be much more in line with how businesses view accounting -- as an ongoing effort.

"In an accounting-type model, you have an ongoing effort if you are a business," he says. "You have to get accounting reports out every month, every quarter, every year. But it doesn't just end there, you have to have an external audit and you have to do that every year, and it's something people take very seriously."

If that same level of attention were paid to security, Bradley notes, then many common breaches would be prevented, because much of today's activity depends on accessing networks through unprotected devices such as sensors or home automation gear, or easily prevented things such as email phishing.

Like most other telecom network operators, CenturyLink has made managed security services a major focus in recent years, including acquiring netAura last year and using that technology and talent to develop its own portal as well as add significant consulting expertise. The portal, which CenturyLink was showing off earlier this year to folks at the RSA conference, enables a more intelligent and proactive response to security threats, Bradley says.

"It's a proprietary portal that sits on top of those [network] systems, aggregates that data and allows customers to run sophisticated reports that allows them to make more informed decisions," he says. "That gives you real transparency into what is going on in your network."

CenturyLink will also provide the expertise to businesses, particularly midsized and smaller ones, that don't have the people and processes to make the technology work, Bradley says. But in providing a full-service security system, the company doesn’t encourage business customers to just sit back and enjoy the ride.

"We don't recommend they take that 100% [of responsibility for security] from anyone," he says. "They have to be actively engaged in defending their own systems and company themselves. But we can provide a significant part of that service to them."

And like every other person in the managed security services arena that I know, Bradley says much still must be done to educate businesses and make them smarter about security, in no small part because those who are waging cyber warfare are incredibly smart and, as the recent WikiLeaks efforts have shown, more than willing to share what they find with each other to get smarter.

— Carol Wilson, Editor-at-Large, Light Reading
