Comments
Can We Talk? Finding A Common Security Language
JasonPolancich, User Rank: Author, 10/4/2014 | 9:03:38 AM
Re: Intriguing but I'm not yet convinced
Same here! Thanks.
SDiver, User Rank: Strategist, 10/3/2014 | 2:21:48 PM
Re: Intriguing but I'm not yet convinced
In any case, I appreciate the discussion Jason.  Take care.
JasonPolancich, User Rank: Author, 10/3/2014 | 1:19:57 PM
Re: Intriguing but I'm not yet convinced
Well, on this point, I can't argue with you at all.

With the JP Morgans, Targets and Home Depots becoming poster children on a weekly basis now, it's hard for me to believe cyber concerns have not become major, daily leadership opportunities for CEOs. That said, you're likely right that the "it won't happen to me" attitude will persist for some time to come. The unfortunate reality, though, is that, for pretty much every business, it will happen to them. It's only a matter of time.
SDiver, User Rank: Strategist, 10/3/2014 | 12:25:14 PM
Re: Intriguing but I'm not yet convinced
Hello Jason,

Like you, I also have to convey the 'cyber-security' message to CEOs and also, like you, I attempt to present information that addresses business risk. However, I am convinced that many CEOs simply refuse to take an interest in cyber risk management because: 1) They're too focused on compliance-based risk such as PCI, 2) They think they're hidden from any type of attack for a variety of reasons, or 3) they think that security will negatively impact their customers.

Your recommendations are excellent but nothing new; I've seen these types of indicators in risk assessments before. Please don't misunderstand; I encourage you to continue to help spread the message.

Perhaps the crux of my argument is that even the best business intelligence reports, risk assessments, etc. are useless if the CEO is not interested in cyber risk management in the first place. While I agree that security experts need to improve their business communication, it is painfully clear that CEOs need to change their attitude about cyber risks. I personally believe that the Home Depot CEO is criminally negligent as a result of the breach because he was warned by many experts, some of whom I know professionally and will vouch for their security and business experience.

One example. I know somebody who is absolutely convinced that Microsoft's two-factor authentication is safe from attack and feels that no additional reasonable security measure is needed, despite the information I provided to him regarding the vulnerabilities in RSA tokens and Microsoft Active Directory. I assure you, your business intelligence reports won't change his mind because he doesn't want to spend any more money.

I'm sorry to be pessimistic, but I am convinced that CEOs need to be a little more flexible and accept the fact that they may be at risk. As the old saying goes, it's impossible to argue with a closed mind.
JasonPolancich, User Rank: Author, 10/1/2014 | 3:12:05 PM
Re: Intriguing but I'm not yet convinced
SDiver,

Correct. Implicit in the piece above is that this sort of approach is just a starting point. That said, it's a starting point where there is little already established along these lines in most enterprises today.

Further to your points, when we consult with organizations, we often talk of this kind of approach developing into a kind of business intelligence practice for cyber at the same level as is typical and traditional in domain areas like the financial performance of a business, its products, people, etc.

Can that sort of biz intell and analysis "crystal ball" everything that may happen with the accuracy required to, as you mention, not be dismissed? Absolutely not. But can you imagine a successful business who is turning a blind eye to a financial perf business intelligence approach? I can't. Again, the approach outlined is designed to address one (I think, missing) part of a comprehensive, multi-layered and multi-dimensional cyber strategy with many, many pieces and parts. It's a puzzle and each individual piece is a little bit of the overall picture.

Lastly, I'm not sure the logic you use below around the whole Target-HVAC supplier vector doesn't sorta throw the baby out with the bathwater, so to speak. Meaning, convincing the "CEO of the risk the effect would be hard to define" becomes more and more easy a proposition over time as a dedicated data and intell analysis approach proves its merit as part of solving the overall puzzle (as, for example, financial performance, market intell, logistics, business intelligence does).

Good comments and thanks for the dialog!

Jason
SDiver, User Rank: Strategist, 10/1/2014 | 2:40:16 PM
Intriguing but I'm not yet convinced
Jason, I appreciate your article. I think it's a start, but I don't think you go far enough.

Take the Target breach, for example. The idea of combining company operations with a third-party HVAC system in the same network segment was obviously considered a great idea at the time for saving money, but I'm sure we all agree that Target now seriously regrets this decision.

If I was the CISO at Target, I'm sure my concerns, even expressed through the "Threat Categories" model you linked to, would have been dismissed because the idea of data compromise seems so abstract. CEOs obviously understand and can picture the risks of shoplifting, robbery, etc., but stealing money and personal information through electronic means is far more abstract. Many people simply have a hard time understanding this concept. Even if you could convince the CEO of the risk, the effect would be hard to define. An attacker could compromise the system through the HVAC network, but what would be gained? Customer data? Proprietary information? Security experts can theorize what can happen, but evidence would be difficult without a thorough (and expensive) penetration test. I'm sure you'll agree that CEOs would not be open to shelling out money for a pen test every time a network infrastructure modification is proposed.

I look forward to your response. Thank you.
Marilyn Cohodas, User Rank: Strategist, 9/30/2014 | 9:09:44 AM
Re: Other Side Of The Coin
I wrote a column about the "geek gap" in 1997. Back then it wasn't focused on security, but general IT. I guess it shouldn't be surprising, given the advances in technology in the past 17 years, that the chasm has not decreased (and it probably has increased). Your point is well taken about the attention paid in the cybersec market to "tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains." Never too late to start, though.
JasonPolancich, User Rank: Author, 9/30/2014 | 9:01:49 AM
Re: Other Side Of The Coin
Marilyn, this is purely based on my own experiences. For the better part of the last two decades I've spent a big portion of time in close quarters meeting with, working for, building things for, consulting to and finally sitting on the same side of the table as leadership executives. I can tell you that, in every role, the understanding gap is palpable on the exec side. They may well sense the danger and urgency around topics, but the level of understanding and grasp required to steer strategy and budget effectively is still shallow water at best. Part of the problem is there is so much attention paid in the cybersec market to tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains.
Marilyn Cohodas, User Rank: Strategist, 9/30/2014 | 7:19:42 AM
Re: Other Side Of The Coin
Thanks, Jason. I find it interesting that you think that the C-suite has "the longest road to travel" in understanding the security domain. Why is that? Surely, today infosec issues are front and center. Is it merely because of the language barrier? Or is there something more fundamental?
JasonPolancich, User Rank: Author, 9/29/2014 | 5:07:45 PM
Re: Other Side Of The Coin
Marilyn,

Yes, I've used this approach a lot over the years, many times to convince organizations that expensive, complex, sophisticated approaches are not only often not necessary, they are often not even as effective as simple spreadsheets and a diligent data collection approach. It's actually what led me to start my latest company. Where's the cyber business intelligence that typically brings org domains, at all levels top-to-bottom, together around planning and managing success?

This all works especially well for connecting the C-suite, as they traditionally have the longest road to travel in not only understanding the domain, but in making informed decisions based on accurate, intuitive data. In other words, charts and graphs and simple analytics that come out of this type of data collection, when presented in clear, visual ways, often lead to immediate breakthroughs and encourage an ongoing "closing of the gap" in communications. Vocabulary + data. The number one net result? Much, much faster decision-making, whether it's incident response, budgeting, acquisition or any number of places where accuracy matters.

Jason