
Comments
Internet of Things: 4 Security Tips From The Military
RFordOnSecurity
User Rank: Author
1/22/2018 | 4:51:03 PM
Still on topic
Michael, 

Missed this when you wrote it - still some pretty prescient content here! Good stuff. 
Marilyn Cohodas
User Rank: Strategist
7/30/2014 | 3:23:45 PM
Re: What not to learn from the military
I couldn't resist posting this image of a Cylon :-)

MichaelKDaly
User Rank: Author
7/30/2014 | 2:48:44 PM
Re: What not to learn from the military
Funny you say that! I use an image of a Cylon in some of my presentations as a reminder that being connected means inherent risk :-)
Jeff Jerome
User Rank: Apprentice
7/30/2014 | 1:51:39 PM
Re: What not to learn from the military
We have tasked key individuals with that need to "keep up". We do that through our manufacturers, customers, vendors and, most importantly, Information Week. It is an almost impossible task, but knowing how to find it is the key, I believe.
Marilyn Cohodas
User Rank: Strategist
7/30/2014 | 1:35:32 PM
Re: What not to learn from the military
Finding what you need about the Internet of Everything is indeed a formidable task. Best practice 2 -- Keep pace with technology -- is a job in and of itself. Who is tasked with that in your companies? Anyone?
Jeff Jerome
User Rank: Apprentice
7/30/2014 | 8:29:01 AM
Re: What not to learn from the military
And how do we keep up with technology? There is so much change that it is almost impossible to keep up. Even if you assign verticals to groups, it is an impossible task. My sense is: know enough to know where you can find what you need. Oh yes, the Internet of Everything.
GonzSTL
User Rank: Ninja
7/29/2014 | 9:29:26 AM
Re: What not to learn from the military
@aws0513 An excellent post! I have found myself talking about those points so many times, but unfortunately they sometimes fall on deaf ears. Usually it is because the listener has their own perception of security governance, and when it comes into conflict with those points, they stop hearing the message. I should add that many IT leaders desire to build their organizational empires, and simply lose objectivity in the process. Take a CIO for example, who believes that security should fall under his/her purview, without realizing the conflict of interest, and that IT and security must be on separate tracks but partnered towards the same goal - delivery of secure services. It amazes me that given today's threat landscape, people still do not see or even simply ignore the importance of this separation of duties. Although it is still too early to determine the outcome, a classic example is Target. They experienced a major breach, a major organizational shakeup, were given the opportunity to build a security organization with full support from top management, and they placed the CISO under the CIO! I fail to see why they did not separate these two officers and give them equal say, forcing the tiebreaker to be someone above both of them, and whose primary responsibility is the success of the entire organization. Let that person weigh the risks and make the ultimate decision.

The IoT introduces a far more widespread and increasingly complex IT infrastructure, but the underlying principles behind securing it remain the same, as you have outlined below. What remains to be seen is how effectively the security implications are communicated upwards in an organization, so that resources are properly allocated to achieve security. After all, effective communication remains one of the biggest challenges faced by security pros.
aws0513
User Rank: Ninja
7/28/2014 | 7:54:06 PM
Re: What not to learn from the military
First... thank you for the kind comment.

Next...

All of the following is my general opinion. Others may see things differently.

Most enterprise security teams fall way short on preparing for the worst.

Some of my observations gleaned over the years:

- Many organizations have already mistakenly attributed "redundancy" as a replacement for full offline backups.

- Many organizations still do not fully grasp the concepts of "least privilege" and "separation of duties".

- Many organizations do not implement "self auditing" practices to not only validate the security controls they may have in place, but also provide information that may improve their processes and protocols that can benefit the organization in the event of a disaster.

- Most organizations still struggle with finding talented IT pros with a strong foundation of security understanding. And often only hire just one person with no contingency for when that person suddenly becomes unavailable.

- Most organizations' management seems to be limited in its decision-making capabilities by demands for profit, demands for product delivery, and demands by customers who claim they are always right. Often, this leads to a lack of managerial willpower to stand up and say "We need to do this right, not fast." What seems even more troublesome are those "visionary" managers who still seem to avoid implementing a risk management approach to their ideas. Security practices often seem to be an afterthought where they should be integral to business operations.

- Many people are still reluctant to ask the tough questions about practices that are currently in place. This is for various reasons, but often boils down to a general reluctance to question management practices or decisions.

- Communication (listening especially) skills will always be a challenge. Managers often find it difficult to swallow the news that their operations are not secure. When anyone points out a potential flaw in security, good managers should be vigilant and serious in their investigations into those claims. Security pros must also practice good listening to find ways to implement security practices while still finding a way to say "yes, we can do this securely".

If I were to lay out first priorities:
  1. Learn about the 20 Critical Security Controls. Where possible, validate that each control set is in place and fully operationalized within the organization. Start with 1 and work to 20. It will take patience and persistence. The implementation of security controls will also take management willpower to promote changes. Where a control is not well established, conduct a gap analysis and implement a plan of action to remediate the shortfall. Just operationalizing the first 8 controls can be a huge gain in security for any organization.
  2. Know where your backups are AND implement a continuous program to practice data system recovery. You will learn a ton of things about your environments when you learn what it takes to recover them.
  3. Ensure your procurement plans for restoration of a site are kept up to date. Let management know if there are any funding issues they should be aware of in this regard. Integrate this with your backup and recovery plan when changes occur due to vendor phase-out of products.
  4. Break out NIST SP800-53 and start going through the various control families in there. Have management seriously consider the PM (Program Management) family of controls, because that is where the organization must determine and implement an internal structure that will be necessary to support a robust security program. NOTE: If one reads 800-53 for a while, it will likely become apparent there is a wealth of good material in the often very dry content.
  5. Stay current. Every major security certification that is worthy of having in your resume requires the certification holders to stay up to date on new trends, practices, and events. DarkReading is just one of many venues where I collect information that is current and relevant to my profession.
BTW... the above 5 items are for anyone with a prevalent security role within an organization... management and security professionals alike.

I hope this is helpful to anyone reading. Keep up the good fight out there.
Marilyn Cohodas
User Rank: Strategist
7/28/2014 | 2:07:48 PM
Re: What not to learn from the military
That's a great template for commercial security operations to follow. Thanks for sharing it with us at Dark Reading. I'm wondering what your thoughts are on how prepared the typical enterprise security team currently is for these kinds of challenges, and what their first priorities should be.
aws0513
User Rank: Ninja
7/28/2014 | 1:57:37 PM
Re: What not to learn from the military
It isn't so much what not to learn from the military, as much as it is to try to learn from the things that the military may still be struggling with.

In my 22 years of military service, one of the constant concepts of operations that was engendered within any military service component, regardless of job, situation, or technology, was that there should ALWAYS be a contingency plan for every operational solution where possible.

Example scenarios:
  • If the power grid is cut off or rendered inoperable...
  • If a truck broke down...
  • If the local area network stops functioning...
  • If the coffee maker failed...
  • If a key application is rendered inoperable or compromised...
  • If an important file is deleted from a file share...
  • If the only telco trunk leading into the base of operations was cut due to a backhoe operator mistake...

Example contingency relevant questions for each scenario:
  • What can we do or must we have to maintain operational capabilities as a military unit?
  • What amount of time and resources would it take to restore the solution?
  • What capabilities would be rendered unavailable if the solution is lost?
  • Can we identify more than one contingency to provide flexibility and durability to operations?
  • If there is no alternative solution, how can we operationalize the solution in a way that it has redundancy, or put in protocols and practices to substantially reduce the risk of loss or compromise of the solution?

For each identified and feasible contingency, documentation and funding and testing were required on a regular basis to ensure the contingency was still suitable and operational.

That being said, many civilian practices that exist today are modeled after solutions established by the military simply because the military MUST, due to their very nature, develop solutions and processes that maintain high levels of operational capability in the most chaotic and dangerous environments. 

Often these same solutions and processes turn out to be exceptionally effective in a less chaotic environment.

Getting back to my first statement: the things that the military may still be struggling with will most likely also be a problem for civilian organizations.