
Cloud
7/18/2019 10:00 AM
Jason Sandys
Commentary

Calculating the Value of Security

What will it take to align staff and budget to protect the organization?

As much as we'd like to think things have changed in the wake of WannaCry, NotPetya, and other high-profile breaches, many companies still don't take IT security seriously. It's easy to see why: Target, Sony Pictures, Equifax, and Maersk are still very much in business and doing just fine.

Have those organizations changed their protocols as a result? Undoubtedly. It takes a direct hit on an organization, with a significant financial impact, to force change. Until then, it's business as usual.

Of course, this is a tremendous source of stress for CISOs and their security teams. They're reminded daily how vulnerable the organization is: patching that is woefully out of date, remote workers with unprotected systems out in the wild, insufficient budget and resources and a lack of cooperation — or worse, direct conflict — between IT operations and IT security.

A new report on IT security from 1E, "Getting Your House in Order," finds three challenges facing IT: securing new technologies, restrictive budgets, and a lack of understanding between IT security and IT operations about how the other works. Worse yet, 90% of organizations prioritize something else (customer service, sales, etc.) ahead of IT security when it comes to budget allocation.

Short of a breach, what will it take for companies to get it together and properly protect the organization? They must do the following:

1. Acknowledge how accessible their data is. There's a general lack of knowledge about how discoverable data sets are, even in supposedly secure cloud platforms. Too many operate under the assumption that they can dump data into an S3 bucket in the cloud and it will be safe because it's on a secure platform. Cloud storage is only as secure as the protocols and endpoints used to access it. A single compromised user credential can provide unfettered access to your most valuable data.

2. Recognize outsourcing isn't the answer. Most companies believe that by dumping their data into the cloud, they're also dumping the security responsibility onto the cloud host. They assume that buying space on Amazon Web Services or Azure is like buying an insurance policy. This is not the case; plenty of S3 buckets are left completely unsecured. Even if they were secured by the host, the data is only as secure as the points of access to it, which is why safeguarding endpoints is absolutely critical.

3. Match the value of their data with equivalent resources. Unless you're putting enough resources and investment toward protecting data, it's not going to be secure. To improve cybersecurity, over 75% of IT pros say their organization needs to invest more in software migration automation and training for IT security and IT operations teams. And more than 60% say their company needs to invest more in software patching. Clearly, there is misalignment on the value of security and the resources allocated toward it.

4. Assess the level of risk within their IT estate. Only about 60% of organizations report having a high level of control and visibility over endpoints on the network and software in use. With remote workers, local admin rights and departmental or location-based autonomy, it's nearly impossible for IT to keep up with tracking the organization's assets without some type of automated solution to do so. However, you can't safeguard what you can't see; organizations must gain clearer visibility of the IT estate in order to deliver proper protection.

5. Migrate to Windows 10. There isn't a business case for upgrading to Windows 10 beyond security. Yet, whether you pay the extended support agreement for Windows 7 or you bite the bullet and migrate to 10, you'll still be forking over the cash for endpoint security. CIOs must recognize that improving security is a valid business case, and that protecting the organization protects the bottom line — and potentially the financial security of the board of directors and shareholders. In fact, 58% of survey respondents believe that failure to migrate to Windows 10 by 2020 will result in "significant security risk." CISOs can use this risk potential to garner investment in making the upgrade.

6. Solve patching and bandwidth issues. The pace of updates and the challenge of limited bandwidth create a bottleneck for many companies. If I run a financial firm and my day traders are down for an hour for a system patch, they could lose $1 million apiece. Considering that more than half of IT pros believe unpatched software is one of the main causes of security breaches, patching must become a priority. Investing in the right tools to automate the process can help overcome patching challenges and the bandwidth deficits that are partly to blame.
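Points 1 and 2 above come down to a concrete, checkable claim: an S3 bucket is reachable by anyone if its policy or ACL grants access to an anonymous principal and the account's Block Public Access settings do not override that grant. The following is an added example, not code from the article or from 1E's report. It evaluates the three documents that decide that question (bucket policy, bucket ACL, and the Block Public Access configuration), shaped like the JSON the S3 API returns, entirely offline. The bucket name, account id, role name and owner id in the sample documents are constructed for illustration.

```python
"""Offline check for publicly exposed S3 bucket configuration (added example)."""
import json

# Canned ACL groups that mean "anyone" and "anyone with an AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} in string or list form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is everyone.

    A Condition block may narrow such a grant (e.g. to a VPC endpoint), so
    the finding records whether one is present rather than suppressing it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _is_anonymous_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": st.get("Sid", f"statement-{i}"),
            "actions": actions,
            "conditional": "Condition" in st,
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the public ACL groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def block_public_access_gaps(config):
    """Return the Block Public Access settings that are not switched on."""
    return [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not config.get(k, False)]


def assess_bucket(policy_json, acl, block_config):
    """Combine the checks: a public grant is only live if the matching
    Block Public Access setting that would neutralise it is off."""
    policy_hits = public_policy_statements(policy_json)
    acl_hits = public_acl_grants(acl)
    policy_exposed = bool(policy_hits) and not block_config.get("RestrictPublicBuckets", False)
    acl_exposed = bool(acl_hits) and not block_config.get("IgnorePublicAcls", False)
    return {
        "exposed": policy_exposed or acl_exposed,
        "bpa_gaps": block_public_access_gaps(block_config),
        "policy": policy_hits,
        "acl": acl_hits,
    }


# --- constructed sample documents (not real buckets or accounts) ---
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data-bucket/*"}]})
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"]}]})
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
            "Permission": "FULL_CONTROL"}]}
NO_BPA = {k: False for k in BLOCK_PUBLIC_ACCESS_KEYS}
FULL_BPA = {k: True for k in BLOCK_PUBLIC_ACCESS_KEYS}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, NO_BPA)),
                        ("weak but blocked", (WEAK_POLICY, WEAK_ACL, FULL_BPA)),
                        ("safe", (SAFE_POLICY, SAFE_ACL, NO_BPA))):
        print(label, assess_bucket(*args))
```

The same functions can be fed live documents from `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` in boto3; the point of keeping the evaluation separate from the API calls is that the logic can be unit-tested against known-bad and known-good documents before it is pointed at an estate.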

Bringing IT operations and IT security together establishes cohesion on the end goal. At Microsoft, not only do all of the developers have some level of security training, they also have security people sitting alongside them. They collaborate to ensure that work in progress meets the company's established security guidelines from the beginning, to reduce the risk of a security flaw and prevent adversarial situations.

By educating both teams on the roles, goals, and objectives of the other, companies can leverage the full capability of their IT resources to secure the organization with an investment that reflects the value they place on security.


Jason Sandys, Enterprise Mobility MVP, has 20+ years of experience in a wide range of technologies, environments, and industries and extensive knowledge in implementing and supporting all things SMS and Configuration Manager beginning with SMS 2.0. He is currently a ...
Comments
Ajfreeland, User Rank: Apprentice, 8/1/2019 | 4:37:02 PM
Shockingly high percentage of companies!
90% is an alarmingly high percentage of companies not prioritizing IT security. Many make the push to the cloud with AWS but ignore the importance of data security. TLS 1.3 is a great move for data encryption in the cloud but comes with the downside of visibility loss. Nubeva has a new method for out of band decrypted visibility for TLS 1.3. It's called Symmetric Key Intercept. Check it out on our website!
tdsan, User Rank: Ninja, 7/19/2019 | 7:12:15 PM
Interesting comments
I love the title. I don't think you can put a value on security and one's reputation. However, there are a few things that stood out in the message.
  • 1. Acknowledge how accessible their data is. - The first thing you said is the lack of knowledge; someone from Accenture, Attunity and other organizations has allowed certain individuals who have not been properly trained to configure S3 buckets. For one, there is a setting that says "Block public access", so they had to uncheck the boxes in order to give the public access. From a training standpoint, this should have been the first thing that came up. It would not have mattered if it was onsite or offsite; this was an oversight by the entire organization (no one from the security team, audit, IT, or Engineering addressed this issue).
  • S3 configuration
  • 2. Recognize outsourcing isn't the answer. - The same explanation applies: the cloud is only as good as the person driving it. They can't think of everything; that is where training and consulting will prove to be beneficial and provide guidance in helping the organization make the right decisions. There is a solution AWS provides where it runs security checks against your environment; this would have been useful in their design and could have mitigated this issue.
  • 3. Match the value of their data with equivalent resources. - I agree with this sentiment; this was discussed in the earlier sections, but we are on the same page.
  • 4. Assess the level of risk within their IT estate. - Yes, this can be done with IT NMS tools (i.e. Solarwinds, HPE Openview, OpenManage), but there is another way as well: I can go into the router and extract the MAC addresses, then download the MAC address lookup values (first six digits) and determine what type of device sits on the network (this would have helped NASA identify the Raspberry Pi on their network).
  • 5. Migrate to Windows 10 - OK, if the organization is a Windows shop, then yes. But I would look into other solutions like Cinnamon, Lubuntu, Suse, Ubuntu, Core-OS or others. The systems can be managed using tools from HPE ALG. They provide more security tools that are inherent, like:
    • IPTables/UFW - elaborate firewall rules: "iptables -I INPUT 1 -p tcp -m multiport --dport 22,80,443 -m conntrack --ctstate NEW -j ACCEPT"
    • SELinux - policies to address accessibility: semanage fcontext -a -t "default_t" "/home/<user>(/.*)?" or "chcon -Rv --type='default_t' /home/<user>" | "restorecon -Rv /home/<user>"
    • RKHunter/Chkrootkit - rootkit analysis: rkhunter -c
    • Fail2Ban - IPS/IDS
    • Webmin - online management tool; gives admins the ability to monitor and check individual machines from a web interface. Fedora does the same thing on port 9000; also, with packages from OAuth and Moo, the system provides MFA/2FA using Amazon, F5 or Google.
    • SIEM - easy to integrate existing systems and monitor log information: "tail -f /var/log/audit/audit.log" | setenforce 1
    • Tie the Linux system to AD (slapd) and run "crontab -e | 0 1 * * * yum update > /home/<user>/desktop/update.txt"
  • 6. Solve patching and bandwidth issues. - Patching is one thing, but addressing an inherent security risk that has not been patched is another (i.e. telnet running, open RDP, GPOs not pushed to the desktop properly, and a backup and imaging process that has not been established). There are tools that can restore entire systems (desktops/laptops) within minutes using tools found on the web, instead of hours.

You have made some valid points, I do think we have to continue to do the work and stay vigilant.

Todd