
Comments
Cloud Security: Think Today's Reality, Not Yesterday's Policy
Marilyn Cohodas,
User Rank: Strategist
6/30/2014 | 2:01:52 PM
Re: Hmm
That's a truly frightening story. But sadly, I believe it. 
TalKlein,
User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Hmm
BP,

You ask, "How hard is it to put a VPN on a mobile device and require it to authenticate to the network?" - for the most part it's very hard (I dare say, impossible) when the user is on an unmanaged device on a public network.

Now, you write of highly sensitive environments where security is a core competency of the organization - in those scenarios the trifecta of BYOD/Mobility/SaaS is simply disallowed via policy - and IT has what I call "compliance blinders" on, meaning they simply can't acknowledge that users are breaking policy even though they know they are.

I am reminded of a scenario at a previous company: we were in a meeting at a top secret military contractor facility when all of a sudden someone announced that the CIO was coming. All of a sudden the wifi router was turned off and everyone pocketed their iPhones and started clicking away on their BlackBerrys. After the CIO left I asked our contact why the wifi was turned off and iPhones pocketed, and he said, "We're not allowed to surf the public web from this office. As far as the CIO is concerned, it doesn't happen." I asked, "You mean he doesn't know about it?", and his response floored me: "Of course he knows about it, he just can't see it. Plausible deniability, you understand?"

I understood. Do you? :)
Bprince,
User Rank: Ninja
6/28/2014 | 1:55:36 AM
Hmm
I agree with the overall point of that last graph, but there is another part of me that quibbles with some of the other points you made. I don't necessarily agree that enterprises should abandon the idea of approved devices, particularly in highly sensitive environments (critical infrastructure, certain government agencies, financial industry, etc). How hard is it to put a VPN client on a mobile device and require it to authenticate to the network? 

BP
Marilyn Cohodas,
User Rank: Strategist
6/27/2014 | 4:18:02 PM
Re: Wakeup call to regulators
Aha! All data is not equal, so the idea of performing a triage of sorts in order to protect the most important data makes perfect sense. Thanks for the clarification.
TalKlein,
User Rank: Author
6/27/2014 | 10:00:56 AM
Re: Wakeup call to regulators
I think you and I are violently agreeing, perhaps with different expectations of the outcome.

We both agree that everything is broken. Given this fact, I believe we need to start focusing on establishing a risk appetite for data breaches by investing in mechanisms that treat data exfiltration like fraud - to do so, we need to develop operational methods for assigning relative value to data. Personally, you may expend fewer resources protecting your credit card than you do your passport; even though they are both valuable, your risk appetite for losing one may be greater than for the other. We need to apply these types of logic sets to enterprise data. That's the only starting point I can think of in the face of our agreed upon "everything is broken" reality.
TalKlein,
User Rank: Author
6/27/2014 | 9:54:38 AM
Re: Wakeup call to regulators
Sorry, that was a typo, should have been:

Not every breach is the same, and the focus should be on identifying the most valuable data to protect, NOT investing in ways to further lock down users.

I think it's very realistic, there's already an established practice called "risk appetite" in the world of risk management. Today risk appetite mostly measures acceptable transactional fraud in things like credit card and financial transactions. Here is a good example: https://annualreport.deutsche-bank.com/2012/ar/managementreport/riskreport/riskstrategyandappetite.html

With data, because we don't know its value, we can't have any risk appetite for its loss. And THAT is the problem. We need to accept that we will lose data and start developing our security framework around controlling risk rather than eliminating risk.
AnonymousMan,
User Rank: Moderator
6/27/2014 | 9:28:50 AM
Re: Wakeup call to regulators
This says it better than I ever could: https://medium.com/message/everything-is-broken-81e5f33a24e1

You can't enable, "access to anything, from anything, at any time" without a relative increase in risk to the organization and its customers. Any risk management strategy that starts under the premise that everything can be "securely enabled" has chosen to ignore the reality that "everything is broken".
Marilyn Cohodas,
User Rank: Strategist
6/27/2014 | 8:19:28 AM
Wakeup call to regulators
The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.

How realistic is this?
TalKlein,
User Rank: Author
6/27/2014 | 12:16:00 AM
Re: Shadow IT
"hey IT, this is happening whether you like it or not....do the best you can" is one side of the coin. The other side of the coin is IT working with business units to select and adopt a service that best meets the needs of the company. In my writing I usually refer to this as a philosophical shift IT must take, from being the "jail warden" to becoming the "crossing guard".

None of the recently publicized major breaches were the result of Shadow IT. These were all breaches of sanctioned services, and the attack vector was likely the user and not the platform. The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.
AnonymousMan,
User Rank: Moderator
6/25/2014 | 6:11:34 PM
Re: Shadow IT
I don't disagree that this is the current reality, but I can't help but SMH. "Safely enable" is all too often just a fancy way of saying, "hey IT, this is happening whether you like it or not....do the best you can".  There are fundamental security problems that have simply not been solved.

How many breaches must there be? We are collectively failing to secure IT, everywhere you look. NO ONE has been or is immune to this. At some point, and I think soon, there is going to be a reckoning. I'm talking more gov't control and possibly an alternate Internet. The definition of critical infrastructure isn't being expanded by the US Govt just for giggles. It will be interesting to see these two trends collide.

BTW, choosing to use SaaS may have nothing to do with "accessing data anywhere, any time, and from any device".