
Comments
Cloud Security: Think Today's Reality, Not Yesterday's Policy

Marilyn Cohodas, User Rank: Strategist
6/30/2014 | 2:01:52 PM
Re: Hmm
That's a truly frightening story. But sadly, I believe it. 

TalKlein, User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Hmm
BP,

You ask, "How hard is it to put a VPN on a mobile device and require it to authenticate to the network?" - for the most part it's very hard (I dare say, impossible) when the user is on an unmanaged device on a public network.

Now, you write of highly sensitive environments where security is a core competency of the organization - in those scenarios the trifecta of BYOD/Mobility/SaaS are simply disallowed via policy - and IT has what I call "compliance blinders" on, meaning they simply can't acknowledge that users are breaking policy even though they know they are.

I am reminded of a scenario at a previous company: we were in a meeting at a top secret military contractor facility when all of a sudden someone announced that the CIO was coming. All of a sudden the wifi router was turned off and everyone pocketed their iPhones and started clicking away on their Blackberrys. After the CIO left I asked our contact why the wifi was turned off and iPhones pocketed, and he said, "we're not allowed to surf the public web from this office. As far as the CIO is concerned, it doesn't happen." I asked, "You mean he doesn't know about it?", and his response floored me, "Of course he knows about it, he just can't see it. Plausible deniability, you understand?"

I understood. Do you? :)

Bprince, User Rank: Ninja
6/28/2014 | 1:55:36 AM
Hmm
I agree with the overall point of that last graph, but there is another part of me that quibbles with some of the other points you made. I don't necessarily agree that enterprises should abandon the idea of approved devices, particularly in highly sensitive environments (critical infrastructure, certain government agencies, financial industry, etc). How hard is it to put a VPN client on a mobile device and require it to authenticate to the network? 

BP

Marilyn Cohodas, User Rank: Strategist
6/27/2014 | 4:18:02 PM
Re: Wakeup call to regulators
Aha!  All data is not equal so the idea of performing a triage of sorts in order to protect the most important data makes perfect sense. Thanks for the clarification.

TalKlein, User Rank: Author
6/27/2014 | 10:00:56 AM
Re: Wakeup call to regulators
I think you and I are violently agreeing, perhaps with different expectations of the outcome.

We both agree that everything is broken. Given this fact, I believe we need to start focusing on establishing a risk appetite for data breaches by investing in mechanisms that treat data exfiltration like fraud - to do so, we need to develop operational methods for assigning relative value to data. Personally, you may expend fewer resources protecting your credit card than you do your passport; even though they are both valuable, your risk appetite for losing one may be greater than the other. We need to apply these types of logic sets to enterprise data. That's the only starting point I can think of in the face of our agreed upon "everything is broken" reality.

TalKlein, User Rank: Author
6/27/2014 | 9:54:38 AM
Re: Wakeup call to regulators
Sorry, that was a typo, should have been:

Not every breach is the same, and the focus should be on identifying the most valuable data to protect, NOT investing in ways to further lock down users.

I think it's very realistic, there's already an established practice called "risk appetite" in the world of risk management. Today risk appetite mostly measures acceptable transactional fraud in things like credit card and financial transactions. Here is a good example: https://annualreport.deutsche-bank.com/2012/ar/managementreport/riskreport/riskstrategyandappetite.html

With data, because we don't know its value, we can't have any risk appetite for its loss. And THAT is the problem. We need to accept that we will lose data and start developing our security framework around controlling risk rather than eliminating risk.

AnonymousMan, User Rank: Moderator
6/27/2014 | 9:28:50 AM
Re: Wakeup call to regulators
This says it better than I ever could: https://medium.com/message/everything-is-broken-81e5f33a24e1

You can't enable, "access to anything, from anything, at any time" without a relative increase in risk to the organization and its customers. Any risk management strategy that starts under the premise that everything can be "securely enabled" has chosen to ignore the reality that "everything is broken".

Marilyn Cohodas, User Rank: Strategist
6/27/2014 | 8:19:28 AM
Wakeup call to regulators
The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users. 

How realistic is this?

TalKlein, User Rank: Author
6/27/2014 | 12:16:00 AM
Re: Shadow IT
"hey IT, this is happening whether you like it or not....do the best you can" is one side of the coin. The other side of the coin is IT working with business units to select and adopt a service that best meets the needs of the company. In my writing I usually refer to this as a philosophical shift IT must take, from being the "jail warden" to becoming the "crossing guard".

None of the recently publicized major breaches were the result of Shadow IT. These were all breaches of sanctioned services, and the attack vector was likely the user and not the platform. The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.


AnonymousMan, User Rank: Moderator
6/25/2014 | 6:11:34 PM
Re: Shadow IT
I don't disagree that this is the current reality, but I can't help but SMH. "Safely enable" is all too often just a fancy way of saying, "hey IT, this is happening whether you like it or not....do the best you can".  There are fundamental security problems that have simply not been solved.

How many breaches must there be? We are collectively failing to secure IT, everywhere you look. NO ONE has been or is immune to this. At some point, and I think soon, there is going to be a reckoning. I'm talking more gov't control and possibly an alternate Internet. The definition of critical infrastructure isn't being expanded by the US Govt just for giggles. It will be interesting to see these two trends collide.

BTW, choosing to use SaaS may have nothing to do with "accessing data anywhere, any time, and from any device".