Comments
Internet of Things: 4 Security Tips From The Military
RFordOnSecurity,
User Rank: Author
1/22/2018 | 4:51:03 PM
Still on topic
Michael, 

Missed this when you wrote it - still some pretty prescient content here! Good stuff. 
Marilyn Cohodas,
User Rank: Strategist
7/30/2014 | 3:23:45 PM
Re: What not to learn from the military
I couldn't resist posting this image of Cylon, :-)

MichaelKDaly,
User Rank: Author
7/30/2014 | 2:48:44 PM
Re: What not to learn from the military
Funny you say that!  I use an image of a Cylon in some of my presentations as a reminder that being connected means inherent risk :-)
Jeff Jerome,
User Rank: Apprentice
7/30/2014 | 1:51:39 PM
Re: What not to learn from the military

We have tasked key individuals with that need to "keep up." We do that through our manufacturers, customers, vendors and most importantly Information Week. It is an almost impossible task but knowing how to find it is the key I believe.

Marilyn Cohodas,
User Rank: Strategist
7/30/2014 | 1:35:32 PM
Re: What not to learn from the military
Finding what you need about the Internet of Everything is indeed a formidable task. Best practice 2 -- Keep pace with technology -- is a job in and of itself. Who is tasked with that in your companies? Anyone?
Jeff Jerome,
User Rank: Apprentice
7/30/2014 | 8:29:01 AM
Re: What not to learn from the military
And how do we keep up with technology? There is so much change that it is almost impossible to keep up. Even if you assign verticals to groups it is an impossible task. My sense is know enough to know where you can find what you need. Oh yes the Internet of Everything
GonzSTL,
User Rank: Ninja
7/29/2014 | 9:29:26 AM
Re: What not to learn from the military
@aws0513 An excellent post! I have found myself talking about those points so many times, but unfortunately they sometimes fall on deaf ears. Usually it is because the listener has their own perception of security governance, and when it comes into conflict with those points, they stop hearing the message. I should add that many IT leaders desire to build their organizational empires, and simply lose objectivity in the process. Take a CIO for example, who believes that security should fall under his/her purview, without realizing the conflict of interest, and that IT and security must be on separate tracks but partnered towards the same goal - delivery of secure services. It amazes me that given today's threat landscape, people still do not see or even simply ignore the importance of this separation of duties. Although it is still too early to determine the outcome, a classic example is Target. They experienced a major breach, a major organizational shakeup, were given the opportunity to build a security organization with full support from top management, and they placed the CISO under the CIO! I fail to see why they did not separate these two officers and give them equal say, forcing the tiebreaker to be someone above both of them, and whose primary responsibility is the success of the entire organization. Let that person weigh the risks and make the ultimate decision.

The IoT introduces a far more widespread and increasingly complex IT infrastructure, but the underlying principles behind securing it remain the same, as you have outlined below. What remains to be seen is how effectively the security implications are communicated upwards in an organization, so that resources are properly allocated to achieve security. After all, effective communication remains as one of the biggest challenges faced by security pros.

 
aws0513,
User Rank: Ninja
7/28/2014 | 7:54:06 PM
Re: What not to learn from the military
First... thank you for the kind comment.

Next...

All of the following is my general opinion. Others may see things differently.

Most enterprise security teams fall way short on preparing for the worst.

Some of my observations gleaned over the years:

- Many organizations have already mistakenly attributed "redundancy" as a replacement for full offline backups.

- Many organizations still do not fully grasp the concepts of "least privilege" and "separation of duties".

- Many organizations do not implement "self auditing" practices to not only validate the security controls they may have in place, but also provide information that may improve their processes and protocols that can benefit the organization in the event of a disaster.

- Most organizations still struggle with finding talented IT pros with a strong foundation of security understanding. And often only hire just one person with no contingency for when that person suddenly becomes unavailable.

- Most organization management seem to be limited in their decision making capabilities by demands for profit, demands for product delivery, and demands by customers that claim they are always right. Often, this leads to lack of managerial willpower to stand up and say "We need to do this right, not fast."  What seem even more troublesome are those "visionary" managers that still seem to avoid implementing a risk management approach to their ideas.  Security practices often seem to be an afterthought where they should be integral to business operations.

- Many people are still reluctant to ask the tough questions about practices that are currently in place. This is for various reasons, but often boils down to a general reluctance to question management practices or decisions.

- Communication (listening especially) skills will always be a challenge.  Managers often find it difficult to swallow the news that their operations are not secure.  When anyone points out a potential flaw in security, good managers should be vigilant and serious in their investigations into those claims. Security pros must also practice good listening to find ways to implement security practices while still finding a way to say "yes, we can do this securely".

If I were to lay out first priorities.
  1. Learn about the 20 Critical Security Controls. Where possible, validate that each control set is in place and fully operationalized within the organization. Start with 1 and work to 20. It will take patience and persistence. The implementation of security controls will also take management willpower to promote changes. Where a control is not well established, conduct a gap analysis and implement a plan of action to remediate the shortfall. Just operationalizing the first 8 controls can be a huge gain in security for any organization.
  2. Know where your backups are AND implement a continuous program to practice data system recovery. You will learn a ton of things about your environments when you learn what it takes to recover them.
  3. Ensure your procurement plans for restoration of a site are kept up to date. Let management know if there are any funding issues they should be aware of in this regard. Integrate this with your backup and recovery plan when changes occur due to vendor phase-out of products.
  4. Break out NIST SP800-53 and start going through the various control families in there. Have management seriously consider the PM (Program Management) family of controls because that is where the organization must determine and implement an internal structure that will be necessary to support a robust security program. NOTE: If one reads 800-53 for a while, it will likely become apparent there is a wealth of good material in the often very dry content.
  5. Stay current.  Every major security certification that is worthy of having in your resume requires the certification holders to stay up to date on new trends, practices, and events.  DarkReading is just one of many venues where I collect information that is current and relevant to my profession.
BTW...  the above 5 items are for anyone with a prevalent security role within an organization...  management and security professionals alike.
 
I hope this is helpful to anyone reading.  Keep up the good fight out there.
Marilyn Cohodas,
User Rank: Strategist
7/28/2014 | 2:07:48 PM
Re: What not to learn from the military
That's a great template for commercial security operations to follow. Thanks for sharing it with us at Dark Reading. Wondering your thoughts on how prepared the typical enterprise security team currently is for these kinds of challenges and what should their first priorities be.
aws0513,
User Rank: Ninja
7/28/2014 | 1:57:37 PM
Re: What not to learn from the military
It isn't so much what not to learn from the military, as much as it is to try to learn from the things that the military may still be struggling with.

In my 22 years of military service, one of the constant concepts of operations that was engendered within any military service component, regardless of job, situation, or technology, was that there should ALWAYS be a contingency plan for every operational solution where possible.

Example scenarios:
  • If the power grid is cut off or rendered inoperable...
  • If a truck broke down...
  • If the local area network stops functioning...
  • If the coffee maker failed...
  • If a key application is rendered inoperable or compromised...
  • If an important file is deleted from a file share...
  • If the only telco trunk leading into the base of operations was cut due to a backhoe operator mistake...

Example contingency relevant questions for each scenario:
  • What can we do or must we have to maintain operational capabilities as a military unit?
  • What amount of time and resources would it take to restore the solution?
  • What capabilities would be rendered unavailable if the solution is lost? 
  • Can we identify more than one contingency to provide flexibility and durability to operations?
  • If there is no alternative solution, how can we operationalize the solution in a way that it has redundancy, or put in protocols and practices to substantially reduce the risk of loss or compromise of the solution?

For each identified and feasible contingency, documentation and funding and testing were required on a regular basis to ensure the contingency was still suitable and operational.

That being said, many civilian practices that exist today are modeled after solutions established by the military simply because the military MUST, due to their very nature, develop solutions and processes that maintain high levels of operational capability in the most chaotic and dangerous environments. 

Often these same solutions and processes turn out to be exceptionally effective in a less chaotic environment.

Getting back to my first statement, the things that the military may still be struggling with, will most likely also be a problem for civilian organizations.