
Comments
Why We Need Better Cyber Security: A Graphical Snapshot
DavidC239
User Rank: Apprentice
12/3/2014 | 6:56:20 AM
Re: Is this a trend?
I can't say due to legal reasons. I do know that it's symptomatic of a lot of companies. There is no single silver bullet to address what happened to the Targets of the world. It's far too complex a problem.

Let me describe it like this: Cyber Security is an ecosystem. Any breakdown in that ecosystem will have ripple effects all across it. One of the most common effects of such a breakdown is the watering down of security monitoring staff, either due to budget constraints, or diverting security staff to other areas (compliance/audit, projects, etc.). This.happens.every.single.day to Cyber Security staff across virtually all markets, including Critical Infrastructure. That ripple effect results in not having sufficient people with their eyes on the screen mitigating security issues as they occur. Add to this the fact that (in Target's case) they were offshoring some of their security monitoring. That suggests to me they were trying to keep security budgets as low as possible. So there are a couple of bread crumbs to follow...

We are in the early stages of a cyber war and look at who some here are blaming for the compromises... the people trying to defend against them. We should be blaming the corporate boards and executive management for failing to properly fund and staff their security programs.

Ask yourself this...  What has been the single most common response by major companies over the past year in addressing their security breaches? *Increased funding for Cyber Security*. More bread crumbs...

This will be my last response to this discussion. I need to get back to security monitoring... :)
TerryB
User Rank: Ninja
12/2/2014 | 4:40:10 PM
Re: Is this a trend?
@David, I hear what you are saying. But do you KNOW if Target was understaffed or did the people there just blow it?

As I said, I'm not a security professional and have never worked at a company big enough to have a security professional. Well, maybe big is not the correct word, we were $100 million+ companies. But we are heavy mfg, we don't have credit cards, personal info or any intellectual property that can be monetized by these clowns. So we are lucky. I feel for the businesses that do have to deal with it and genuinely am trying to understand what is going on out there. So I appreciate your comments as an insider.

But the key to your response is that they were (and the entire industry) understaffed and undertrained. If that is the case, this 37% growth Marilyn talks about isn't driven from future activity, it's a fix for the current situation.

But my initial point remains: this isn't that different from the War on Drugs, and throwing resources at that did nothing to curb it and consumed a lot of our tax dollars. Like drugs, the bad guys get enough from cyber breaches that they can match whatever you throw at them. 37% more people won't cure this by itself, not even make it 37% better.
GonzSTL
User Rank: Ninja
12/2/2014 | 3:47:20 PM
Re: Is this a trend?
Prior to the exfiltration of data from the Target networks, certain alarms were triggered when the malware was detected, and Target IT security personnel were informed about them. I am not sure that the warning was lost due to other false positives from other security software, nor was it a lack of resources, as Target claimed to have invested hundreds of millions of dollars in data security. The alarm sent to IT security was that malware graded at the top of FireEye's criticality scale was discovered within their network. More likely, the failure was in Target's Incident Response and Event Handling procedures. You can throw as many detection resources as you can, but unless you have a properly defined, practiced, and rigorously followed incident response procedure coupled with a well structured and comprehensive risk management program, you may as well have nothing. Alarms are there for a reason, and each one of them must be addressed properly. IT security systems such as SIEM, IDS/IPS, anti-malware, etc. must be configured properly so that events can be properly correlated to vulnerabilities and threats so that the instances of "false positives" are reduced as much as possible and actionable items become manageable. Malware detection, which was the case at Target, was not properly managed and addressed, leading me to conclude that either their incident response procedures or their risk management program was sorely lacking. If you were a retailer, what would you do if you found Black POS in your payment systems network? The initial detection did not specify Black POS, but instead noted that "unknown malware" existed within their payment systems; Target personnel were informed about its presence, and they supposedly acted upon it. What exactly did they do?
What we do know is that whatever action they performed proved inadequate, and that can only happen if the incident response procedure was not thorough enough, or their risk assessment of unknown malware did not result in a high rating, which would have yielded a strong response. I would like to think that they recognized the risk properly, which leaves incident response as the culprit. I know this sounds simplistic, but it is probably exactly what happened at Target. The formula is quite simple: if you find malware in your payment systems, obliterate it immediately and check everything. Had IT security acted upon the malware report in a timely and appropriate fashion, then the breach could have been contained before data actually left the network.
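The correlation GonzSTL describes above (weighting each sensor's verdict by asset criticality and known exposure so that a top-graded malware alert on the payment network cannot be drowned in scan noise) is illustrated here as an added example that is not part of any commenter's post; the zone tiers, sensor names, severity scale and sample alerts are all constructed assumptions, not any real product's configuration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed tiers and alerts for illustration; none of this is Target's or FireEye's
# real configuration. Zone criticality and the 1..10 sensor scale are assumptions.
ASSET_TIER = {"payment-net": 3, "corp-lan": 2, "guest-wifi": 1}
MALWARE_CATEGORIES = {"malware", "unknown-malware"}


@dataclass(frozen=True)
class Alert:
    sensor: str            # producing tool, e.g. "ids", "av", "sandbox"
    category: str          # the sensor's own classification of the event
    severity: int          # sensor scale 1..10, 10 being the sensor's top grade
    zone: str              # network zone of the affected host
    known_vuln: bool = False  # host carries an unpatched vulnerability the event matches


def score(a: Alert) -> int:
    """Correlate sensor severity with asset criticality and exposure."""
    s = a.severity * ASSET_TIER.get(a.zone, 1)
    if a.known_vuln:
        s += 5  # a matching known vulnerability makes the event credible
    if a.category in MALWARE_CATEGORIES:
        s += 5  # any malware verdict outranks scan and policy noise
    return s


def triage(alerts, threshold=15):
    """Return (actionable, suppressed); actionable = (alert, repeat_count), highest score first."""
    counts = Counter((a.sensor, a.category, a.zone) for a in alerts)
    actionable, suppressed, queued = [], [], set()
    for a in alerts:
        key = (a.sensor, a.category, a.zone)
        # Malware on the most critical zone is never filtered, whatever the score says.
        must_escalate = a.category in MALWARE_CATEGORIES and ASSET_TIER.get(a.zone, 1) == 3
        if (score(a) >= threshold or must_escalate) and key not in queued:
            queued.add(key)
            actionable.append((a, counts[key]))  # repeats are folded into the count
        else:
            suppressed.append(a)
    actionable.sort(key=lambda t: score(t[0]), reverse=True)
    return actionable, suppressed


# Constructed sample stream: 40 low-value scans and 15 repeated brute-force hits hide
# one top-severity "unknown malware" verdict on the payment network.
SAMPLE = (
    [Alert("ids", "port-scan", 3, "guest-wifi")] * 40
    + [Alert("ids", "brute-force", 8, "corp-lan")] * 15
    + [Alert("av", "policy-violation", 4, "corp-lan"),
       Alert("sandbox", "unknown-malware", 10, "payment-net")]
)
```

Running `triage(SAMPLE)` leaves an analyst two queue entries instead of 57 alerts, with the payment-network malware verdict at the top.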
Marilyn Cohodas
User Rank: Strategist
12/2/2014 | 1:56:31 PM
Re: Training and awareness for end users
That's very true, @Keith Graham, but we all know the limits of user training. And the phishers are so sophisticated these days, I bet they can fool even the most expert & skeptical security expert occasionally.
Keith Graham
User Rank: Author
12/2/2014 | 1:53:36 PM
Training and awareness for end users
I'd like to also just throw into the mix here that a major part of the problem is lack of training and awareness of our end users. I don't disagree with any of the points made here, but all the time we have non-savvy users falling for that phishing email, clicking that link or opening that weaponized document (thus resulting in malware being downloaded and an attacker getting a foothold), we're fighting a losing battle.
DavidC239
User Rank: Apprentice
12/2/2014 | 11:35:59 AM
Re: Is this a trend?
/rant

If you don't have sufficient security staff to tune those monitoring systems in the first place (1) you will have an excessive amount of noise. If your security staff are not 100% dedicated (left alone) to monitor those security systems (2) you will have more security incidents. If you do not have sufficient security staff engaged in the SDLC and project development process (3) then you will end up allowing insecure systems and software to be implemented in your production environment, which will result in more security incidents. If your security staff does not have sufficient (and *current*) training on the latest threats and how to counter them (4) then they will miss or be delayed in responding to the resulting security incidents. "That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems." (5) suggests a lack of understanding of what it really takes in today's hostile world...

1.  Tuning your monitoring systems = security staff

2.  Dedicated security monitoring = security staff

3.  Engaged with the IT and business units during product/software development = security staff

4.  Ensuring a robust training budget exists for security = well trained security staff

5.  Intelligent, accurate, efficient, and automated security technology does not really exist.  That stuff might exist in the CSI TV show but not in the real world.  The security technology that *does* exist still requires #1, #2, #4 above.

We can't do our jobs on a shoestring staffing budget, without advanced, continuous training, and if we are pulled in 15 different directions, leaving the house unguarded (Target breach anyone?), then you get what you get... hacked! We are facing warehouses and dorms full of foreign hackers with all the advantages. Either we commit to fighting the good fight (in the here and now) or we disconnect from the web, take our ball and go home.

/rant

PS. I do not, nor have I ever, worked for or been affiliated with Target. My views are my own and have no relation to current or past employers.
TerryB
User Rank: Ninja
12/1/2014 | 4:15:29 PM
Re: Is this a trend?
60 Minutes was very general and non-technical, Marilyn. I suspected none of that was news to you professionals. I'm primarily a developer and generalist (I'm the only local IT guy here) whose background is from IBM mainframe and midrange servers, so I don't read Dark Reading very often. As a browser app developer, I am interested in staying up on application exploits in that vector. But almost all my apps are consumed internally behind a firewall; I'm not exposed like these public-facing sites. So I don't lose a lot of sleep over cross-site scripting.

But I had read a few articles on the Target breach, and knew about initial access coming from one of their vendors being hacked. Also knew the breach went undiscovered for a long time. But had no idea some security systems flagged it and it just wasn't acted on because of the routine noise. Is that called a "Chicken Little" system? :-)

My main point is I'd be shocked to see any IT job grow by 37%. I mean, more software gets written and used every year and you sure don't see developer jobs growing to match that. The underlying tech/systems have to solve this, not throwing more people at it who can only do so much about careless password usage, phishing, infected web pages and opening rogue email attachments. We can't have a security professional following every business user around and authorizing every computer transaction. Just too much cost involved.
Marilyn Cohodas
User Rank: Strategist
12/1/2014 | 3:27:01 PM
Re: Is this a trend?
I saw the 60 Minutes segment, too, and much of what was reported there (for a general audience) has been part of our regular conversation on Dark Reading. But to your point, the challenge is definitely getting the right people, the right technology and the right processes to get through all the noise. There is no magic bullet, to be sure, but we can do better.
TerryB
User Rank: Ninja
12/1/2014 | 1:15:23 PM
Re: Is this a trend?
This is not a knock on security professionals but the discussion is beginning to sound more like the DEA's response to the War on Drugs. Throw more resources and people at it and then we will win! We've seen how well that worked out.

I watched the 60 Minutes segment on Cyber Security last night. Especially interesting was the guy from FireEye. It was the first time I heard the story that FireEye's stuff caught the Target breach but the warning was lost in all the false positives from other security software. That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems.

The other key takeaway for me was his comment that you WILL get breached; the battle is just to limit how long it lasts and what they get access to. Again, not something throwing security people at is going to fix.

No question the awareness of security importance has to be drilled into developers and architects of systems. From a cost point of view, businesses will sure get more bang for their buck that way than paying people who do security and nothing else. But there is no magic bullet here.
mejiac
User Rank: Apprentice
12/1/2014 | 10:09:33 AM
Re: Is this a trend?
@Marilyn Cohodas,

So the question remains... do we get out of the storm? (meaning pursue more low-tech solutions), or get better raincoats?

I think an answer lies somewhere in between, and I think the finance industry would be the ones trying to implement more robust security measures.