
Comments
Can We Talk? Finding A Common Security Language
JasonPolancich
User Rank: Author
10/4/2014 | 9:03:38 AM
Re: Intriguing but I'm not yet convinced
Same here! Thanks.
SDiver
User Rank: Strategist
10/3/2014 | 2:21:48 PM
Re: Intriguing but I'm not yet convinced
In any case, I appreciate the discussion Jason.  Take care.
JasonPolancich
User Rank: Author
10/3/2014 | 1:19:57 PM
Re: Intriguing but I'm not yet convinced
Well, on this point, I can't argue with you at all.

With the JP Morgans, Targets and Home Depots becoming poster children on a weekly basis now, it's hard for me to believe cyber concerns have not become major, daily leadership opportunities for CEOs. That said, you're likely right that the "it won't happen to me" attitude will persist for some time to come. The unfortunate reality, though, is that, for pretty much every business, it will happen to them. It's only a matter of time.
SDiver
User Rank: Strategist
10/3/2014 | 12:25:14 PM
Re: Intriguing but I'm not yet convinced
Hello Jason,

Like you, I also have to convey the 'cyber-security' message to CEOs and also, like you, I attempt to present information that addresses business risk. However, I am convinced that many CEOs simply refuse to take an interest in cyber risk management because: 1) They're too focused on compliance-based risk such as PCI, 2) They think they're hidden from any type of attack for a variety of reasons, or 3) they think that security will negatively impact their customers.

Your recommendations are excellent but nothing new; I've seen these types of indicators in risk assessments before. Please don't misunderstand; I encourage you to continue to help spread the message.

Perhaps the crux of my argument is that even the best business intelligence reports, risk assessments, etc. are useless if the CEO is not interested in cyber risk management in the first place. While I agree that security experts need to improve their business communication, it is painfully clear that CEOs need to change their attitude about cyber risks. I personally believe that the Home Depot CEO is criminally negligent as a result of the breach because he was warned by many experts; some of whom I know professionally and will vouch for their security and business experience.

One example.  I know somebody who is absolutely convinced that Microsoft's two-factor authentication is safe from attack and feels that no additional reasonable security measure is needed despite the information I provided to him regarding the vulnerabilities in RSA tokens and Microsoft Active Directory.  I assure you, your business intelligence reports won't change his mind because he doesn't want to spend any more money.

I'm sorry to be pessimistic but I am convinced that CEOs need to be a little more flexible and accept the fact that they may be at risk. As the old saying goes, it's impossible to argue with a closed mind.
JasonPolancich
User Rank: Author
10/1/2014 | 3:12:05 PM
Re: Intriguing but I'm not yet convinced
SDiver,

Correct. Implicit in the piece above is that this sort of approach is just a starting point. That said, it's a starting point where there is little already established along these lines in most enterprises today.

Further to your points, when we consult with organizations, we often talk of this kind of approach developing into a kind of business intelligence practice for cyber at the same level as is typical and traditional in domain areas like the financial performance of a business, its products, people, etc.

Can that sort of biz intell and analysis "crystal ball" everything that may happen with the accuracy required to, as you mention, not be dismissed? Absolutely not. But can you imagine a successful business that is turning a blind eye to a financial perf business intelligence approach? I can't. Again, the approach outlined is designed to address one (I think, missing) part of a comprehensive, multi-layered and multi-dimensional cyber strategy with many, many pieces and parts. It's a puzzle and each individual piece is a little bit of the overall picture.

Lastly, I'm not sure the logic you use below around the whole Target-HVAC supplier vector doesn't sorta throw the baby out with the bathwater, so to speak. Meaning, convincing the "CEO of the risk the effect would be hard to define" becomes more and more easy a proposition over time as a dedicated data and intell analysis approach proves its merit as part of solving the overall puzzle (as, for example, financial performance, market intell, logistics, business intelligence does).

Good comments and thanks for the dialog!

Jason
SDiver
User Rank: Strategist
10/1/2014 | 2:40:16 PM
Intriguing but I'm not yet convinced
Jason, I appreciate your article. I think it's a start, but I don't think you go far enough.

Take the Target breach, for example.  The idea of combining company operations with a third party HVAC system in the same network segment was obviously considered a great idea at the time for saving money but I'm sure we all agree that Target now seriously regrets this decision.

If I were the CISO at Target, I'm sure my concerns, even expressed through the "Threat Categories" model you linked to, would have been dismissed because the idea of data compromise seems so abstract. CEOs obviously understand and can picture the risks of shoplifting, robbery, etc. but stealing money and personal information through an electronic means is far more abstract. Many people simply have a hard time understanding this concept. Even if you could convince the CEO of the risk, the effect would be hard to define. An attacker could compromise the system through the HVAC network but what would be gained? Customer data? Proprietary information? Security experts can theorize what can happen but evidence would be difficult without a thorough (and expensive) penetration test. I'm sure you'll agree that CEOs would not be open to shelling out money for a pen test every time a network infrastructure modification is proposed.

I look forward to your response.  Thank you.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 9:09:44 AM
Re: Other Side Of The Coin
I wrote a column about the "geek gap" in 1997. Back then it wasn't focused on security, but general IT. I guess it shouldn't be surprising, given the advances in technology in the past 17 years, that the chasm has not decreased (and it probably has increased). Your point is well taken about the attention paid in the cybersec market to "tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains." Never too late to start, though.
JasonPolancich
User Rank: Author
9/30/2014 | 9:01:49 AM
Re: Other Side Of The Coin
Marilyn, this is purely based on my own experiences. For the better part of the last two decades I've spent a big portion of time in close quarters meeting with, working for, building things for, consulting to and finally sitting on the same side of the table as leadership executives. I can tell you that, in every role, the understanding gap is palpable on the exec side. They may well sense the danger and urgency around topics, but the level of understanding and grasp required to steer strategy and budget effectively is still shallow water at best. Part of the problem is there is so much attention paid in the cybersec market to tooling and tech solutions as opposed to productivity and analysis that has formed the basis for other key business domains.
Marilyn Cohodas
User Rank: Strategist
9/30/2014 | 7:19:42 AM
Re: Other Side Of The Coin
Thanks, Jason. I find it interesting that you think that the C-suite has "the longest road to travel" in understanding the security domain. Why is that? Surely, today infosec issues are front and center. Is it merely because of the language barrier? Or is there something more fundamental? 
JasonPolancich
User Rank: Author
9/29/2014 | 5:07:45 PM
Re: Other Side Of The Coin
Marilyn,

Yes, I've used this approach a lot over the years, many times to convince organizations that expensive, complex, sophisticated approaches are not only often not necessary, they are often not even as effective as simple spreadsheets and a diligent data collection approach. It's actually what led me to start my latest company. Where's the cyber business intelligence that typically brings org domains, at all levels top-to-bottom, together around planning and managing success?

This all works especially well for connecting the C-suite as they traditionally have the longest road to travel in not only understanding the domain, but in making informed decisions based on accurate, intuitive data. In other words, charts and graphs and simple analytics that come out of this type of data collection, when presented in clear, visual ways, often lead to immediate breakthroughs and encourage an ongoing "closing of the gap" in communications. Vocabulary + data. The number one net result? Much, much faster decision-making, whether it's incident response, budgeting, acquisition or any number of places where accuracy matters.

Jason