Comments
Cloud Security: Think Today's Reality, Not Yesterday's Policy
Marilyn Cohodas
User Rank: Strategist
6/30/2014 | 2:01:52 PM
Re: Hmm
That's a truly frightening story. But sadly, I believe it.
TalKlein
User Rank: Author
6/30/2014 | 10:49:25 AM
Re: Hmm
BP,

You ask, "How hard is it to put a VPN on a mobile device and require it to authenticate to the network?" - for the most part it's very hard (I dare say, impossible) when the user is on an unmanaged device on a public network.

Now, you write of highly sensitive environments where security is a core competency of the organization - in those scenarios the trifecta of BYOD/Mobility/SaaS are simply disallowed via policy - and IT has what I call "compliance blinders" on, meaning they simply can't acknowledge that users are breaking policy even though they know they are.

I am reminded of a scenario in a previous company: we were in a meeting at a top secret military contractor facility when all of a sudden someone announced that the CIO was coming. All of a sudden the wifi router was turned off and everyone pocketed their iPhones and started clicking away on their BlackBerrys. After the CIO left I asked our contact why the wifi was turned off and iPhones pocketed, and he said, "We're not allowed to surf the public web from this office. As far as the CIO is concerned, it doesn't happen." I asked, "You mean he doesn't know about it?", and his response floored me: "Of course he knows about it, he just can't see it. Plausible deniability, you understand?"

I understood. Do you? :)
Bprince
User Rank: Ninja
6/28/2014 | 1:55:36 AM
Hmm
I agree with the overall point of that last graph, but there is another part of me that quibbles with some of the other points you made. I don't necessarily agree that enterprises should abandon the idea of approved devices, particularly in highly sensitive environments (critical infrastructure, certain government agencies, financial industry, etc). How hard is it to put a VPN client on a mobile device and require it to authenticate to the network?

BP
Marilyn Cohodas
User Rank: Strategist
6/27/2014 | 4:18:02 PM
Re: Wakeup call to regulators
Aha! All data is not equal, so the idea of performing a triage of sorts in order to protect the most important data makes perfect sense. Thanks for the clarification.
TalKlein
User Rank: Author
6/27/2014 | 10:00:56 AM
Re: Wakeup call to regulators
I think you and I are violently agreeing, perhaps with different expectations of the outcome.

We both agree that everything is broken. Given this fact, I believe we need to start focusing on establishing a risk appetite for data breaches by investing in mechanisms that treat data exfiltration like fraud - to do so, we need to develop operational methods for assigning relative value to data. Personally, you may expend fewer resources protecting your credit card than you do your passport; even though they are both valuable, your risk appetite for losing one may be greater than the other. We need to apply these types of logic sets to enterprise data. That's the only starting point I can think of in the face of our agreed upon "everything is broken" reality.
TalKlein
User Rank: Author
6/27/2014 | 9:54:38 AM
Re: Wakeup call to regulators
Sorry, that was a typo, should have been:

Not every breach is the same, and the focus should be on identifying the most valuable data to protect, NOT investing in ways to further lock down users.

I think it's very realistic, there's already an established practice called "risk appetite" in the world of risk management. Today risk appetite mostly measures acceptable transactional fraud in things like credit card and financial transactions. Here is a good example: https://annualreport.deutsche-bank.com/2012/ar/managementreport/riskreport/riskstrategyandappetite.html

With data, because we don't know its value, we can't have any risk appetite for its loss. And THAT is the problem. We need to accept that we will lose data and start developing our security framework around controlling risk rather than eliminating risk.
AnonymousMan
User Rank: Moderator
6/27/2014 | 9:28:50 AM
Re: Wakeup call to regulators
This says it better than I ever could: https://medium.com/message/everything-is-broken-81e5f33a24e1

You can't enable, "access to anything, from anything, at any time" without a relative increase in risk to the organization and its customers. Any risk management strategy that starts under the premise that everything can be "securely enabled" has chosen to ignore the reality that "everything is broken".
Marilyn Cohodas
User Rank: Strategist
6/27/2014 | 8:19:28 AM
Wakeup call to regulators
The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.

How realistic is this?
TalKlein
User Rank: Author
6/27/2014 | 12:16:00 AM
Re: Shadow IT
"hey IT, this is happening whether you like it or not....do the best you can" is one side of the coin. The other side of the coin is IT working with business units to select and adopt a service that best meets the needs of the company. In my writing I usually refer to this as a philosophical shift IT must take, from being the "jail warden" to becoming the "crossing guard".

None of the recently publicized major breaches were the result of Shadow IT. These were all breaches of sanctioned services, and the attack vector was likely the user and not the platform. The wake up call you reference needs to be regulator bodies recognizing that having absolutely no risk appetite for data loss is not tenable. Not every breach is the same, and the focus should be on identifying the most valuable data to protect, investing in ways to further lock down users.
AnonymousMan
User Rank: Moderator
6/25/2014 | 6:11:34 PM
Re: Shadow IT
I don't disagree that this is the current reality, but I can't help but SMH. "Safely enable" is all too often just a fancy way of saying, "hey IT, this is happening whether you like it or not....do the best you can". There are fundamental security problems that have simply not been solved.

How many breaches must there be? We are collectively failing to secure IT, everywhere you look. NO ONE has been or is immune to this. At some point, and I think soon, there is going to be a reckoning. I'm talking more gov't control and possibly an alternate Internet. The definition of critical infrastructure isn't being expanded by the US Govt just for giggles. It will be interesting to see these two trends collide.

BTW, choosing to use SaaS may have nothing to do with "accessing data anywhere, any time, and from any device".