Endpoint

9/13/2017
02:00 PM
Joshua Douglas
Joshua Douglas
Commentary
Connect Directly
Twitter
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Problems That Keep CISOs Awake at Night

The last few years have shown a big difference in the way cyber-risks are acknowledged, but progress still needs to be made.

On a recent trip from Washington, DC, to Boston, I overheard a conversation on the train that I never thought I would hear. The discussion began with a passenger asking his colleague, "Did you just get this spearphishing attack? It looks so obvious."

Just two years ago, this conversation would never have happened. When you consider that 91% of targeted cyber attacks begin with a spearphishing email, open dialogue and recognition of cybersecurity threats represent a significant shift in our collective awareness of cyber-risks.

With major attacks such as WannaCry permeating news headlines and social media platforms, cybersecurity has become a mainstream topic. Unfortunately, the rise in sophistication of threats is outpacing the uptick in cybersecurity training and the growth of the talent pipeline. These concerns, among others, are what keep chief information security officers (CISOs) tossing and turning at night.

Most employees remain vastly unprepared for the risks posed by individual hackers, hacktivist groups, and state actors. This was evident earlier this year when a phishing scam spread quickly across the Internet through an email embedded within a fake Google Docs file. This was a more-advanced attack, as the scam required those affected to grant permission through a legitimate Google sign-in screen. Even the cybersecurity savvy were susceptible to this disguise.

To address today's challenges, CISOs need to reassess their common concerns and consider a different approach. Here are five things to keep in mind:

  1. Not everyone can hire a cyber unicorn. Globally, 70% of employers  plan to increase the size of their cybersecurity staff this year. Not only is there a lack of cybersecurity professionals to meet this skyrocketing demand, but there are even fewer of what I call "unicorns" — security experts who understand networks and know how to protect them. Cybersecurity unicorns are curious analysts who have experience with protecting network perimeters, scripting, and identifying endpoints. Organizations can't afford a full security detail to cover these skills, which is why we will likely see more of them opting to outsource security operations in the near future. [Editor's note: Raytheon is one of many companies that offer such services.] Cybersecurity service teams can be located anywhere and dedicate the necessary time and skills to both react to attacks and proactively hunt for them to ensure organizations remain operational and secure.

  2. The Dark Web never sleeps. The Dark Web is a breeding ground for cybercrimes and hosts all types of tools required to execute them, including malware for purchase and cybercrime services, so that criminals don't even need to be technical experts to launch a major attack. As the Internet becomes an open field for predators, organizations must hunt around the clock. The average mean time to detection of threats already on a network is around 200 days. That time — when hackers are able to steal data or damage the network — can be dramatically reduced by proactive threat hunting. This involves monitoring normal and abnormal network traffic patterns to identify threats before they become damaging.

  3. Checking the compliance box doesn't stop the breach. When it comes to managing data and hiring or outsourcing talent, many companies face budget constraints that stem from compliance. Businesses must be compliant, but compliance and security are not interchangeable when it comes to cyber attacks. Compliance is critical but shouldn't be confused with security. The Defense Federal Acquisition Regulation Supplement, for example, requires organizations to have a firewall for segmentation and logging policies. While a firewall limits access and logging provides insight on network incidents, these are only tools. Without trained people to look at the threats and act on them, there isn't enough protection. Organizations must conduct a thorough security assessment, identify existing threats and the riskiest users, prioritize security measures, and implement and test an incident response plan. Compliance often falls into place when it's the final consideration and not just a top budget item.   

  4. Reputation is on the line. Just as most travelers in the past never casually chatted about a phishing scam, board members didn't dabble in cybersecurity concerns. Today, it's a different story. There is a tremendous fear of a cyber attack severely damaging brand image and the bottom line. Organizations have a fiduciary responsibility to protect their customers' data, but cyber attacks threaten this stewardship. In healthcare, an industry with mountains of sensitive personal data, breaches by hackers affected 15.2 million Americans last year. Beyond data loss, the loss of intellectual property could further cripple organizations. To maintain the confidence of shareholders and customers, organizations must align their brand with one of security — and make sure they can back it up.

  5. When everything is connected, security is everything. Our businesses are more exposed to unseen risk than ever before from employee devices, automated manufacturing, the global supply chain, and the Internet of Things. The cyber attacks that are not visible by just looking at your own networks could cause harm to information and operational technology. Now a heating and air conditioning system could be the conduit through which nation-states attack each other. A gas turbine or nuclear facility could be a tool to harm more than just systems and put human safety at risk. So, companies need to provide cybersecurity for more than just their networks. They must embed cybersecurity into their products and services, into their supply chains, and into their partnerships.

The cybersecurity threat is hitting government agencies, commercial businesses, and critical infrastructure harder than ever before. As a result, organizations need better visibility into networks, more cyber unicorns to defend those networks, and an informed workforce capable of recognizing threats. These factors provide stronger defenses and enable CISOs to sleep better at night knowing their organizations are ready for the next attack.  

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Joshua Douglas has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets. During his 10+ years at Raytheon, he has served as the CTO for Forcepoint, overseen Raytheon's Cyber Security ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
martin.george
50%
50%
martin.george,
User Rank: Apprentice
9/25/2017 | 11:07:01 AM
Post
Wow, I even couldn't imagine, that it is so difficult( Thanks a lot for such great article
C_3PJoe
100%
0%
C_3PJoe,
User Rank: Author
10/2/2017 | 10:48:25 PM
Re: Post
If you had a Top 10 list, where would you rate humans (i.e. threats to IP and Social Engineering)?
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3937
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
CVE-2018-3938
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
CVE-2018-12537
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12539
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
CVE-2018-3615
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.