Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Why We Need Better Cyber Security: A Graphical Snapshot
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
DavidC239
50%
50%
DavidC239,
 User Rank: Apprentice
12/3/2014 | 6:56:20 AM
Re: Is this a trend?
I can't say due to legal reasons. I do know that it's symptomatic of a lot of companies. There is no single silver bullet to address what happened to the Target's of the world. It's far too complex of a problem.

Let me describe it like this: Cyber Security is an ecosystem. Any breakdown in that ecosystem will have ripple effects all across it. One of the most common effects of such a breakdown is the watering down of security monitoring staff, either due to budget constraints, or diverting security staff to other areas (compliance/audit, projects, etc.). This.happens.every.single.day to Cyber Security staff across virtually all markets, including Critical Infrastructure. That ripple effect results in not having sufficient people with their eyes on the screen mitigating security issues as they occur. Add to this is the fact that (in Target's case) they were off shoring some of their security monitoring. That suggests to me they were trying to keep security budgets as low as possible. So there are a couple of bread crumbs to follow...

We are in the early stages of a cyber war and look at who some here are blaming for the compromises... the people trying to defend against them. We should be blaming the corporate boards and executive management for failing to properly fund and staff their security programs.

Ask yourself this...  What has been the single most common response by major companies over the past year in addressing their security breaches? *Increased funding for Cyber Security*. More bread crumbs...

This will be my last response to this discussion. I need to get back to security monitoring... :)
TerryB
50%
50%
TerryB,
 User Rank: Ninja
12/2/2014 | 4:40:10 PM
Re: Is this a trend?
@David, I hear what you are saying. But do you KNOW if Target was understaffed or did the people there just blow it?

As I said, I'm not a security professional and have never worked at a company big enough to have a security professional. Well, maybe big is not correct word, we were $100 million+ companies. But we are heavy mfg, we don't have credit cards, personal info or any intellectual property that can be monetized by these clowns. So we are lucky. I feel for the businesses that do have to deal with it and and genuinely am trying to understand what is going on out there. So I appreciate your comments as an insider.

But the key to your response is that they were (and entire indusrty) understaffed and undertrained. If that is case, this 37% growth Marilyn talks about isn't driven from future activity, it's a fix for the current situation.

But my inital point remains: this isn't that different from War on Drugs and throwing resources at that did nothing to curb it and consumed a lot of our tax dollars. Like drugs, the bad guys get enough from cyber breaches they can match whatever you throw at them. 37% more people won't cure this by itself, not even make it 37% better.
GonzSTL
50%
50%
GonzSTL,
 User Rank: Ninja
12/2/2014 | 3:47:20 PM
Re: Is this a trend?
Prior to the exfiltration of data from the Target networks, certain alarms were triggered when the malware was detected, and Target IT security personnel were informed about them. I am not sure that the warning was lost due to other false positives from other security software, nor was it a lack of resources, as Target claimed to have invested hundreds of millions of dollars in data security. The alarm sent to IT security was that malware graded at the top of FireEye's criticality scale were discovered within their network. More likely, the failure was in Target's Incident Response and Event Handling procedures. You can throw as much detection resources as you can, but unless you have a properly defined, practiced, and rigorously followed incident response procedure coupled with a well structured and comprehensive risk management program, you may as well have nothing. Alarms are there for a reason, and each one of them must be addressed properly. IT security systems such as SIEM, IDS/IPS, Anti-malware, etc. must be configured properly so that events can be properly correlated to vulnerabilities and threats so that the instances of "false positives" are reduced as much as possible and actionable items become manageable. Malware detection, which was the case at Target, was not properly managed and addressed, leading me to conclude that either their incident response procedures or their risk management program was sorely lacking. If you were a retailer, what would you do if you found Black POS in your payment systems network? Although the initial detection did not specify Black POS, but instead noted that "unknown malware" existed within their payment systems, and Target personnel were informed about its presence, and they supposedly acted upon it. What exactly did they do? What we do know is that whatever action they performed proved inadequate, and that can only happen if the incident response procedure was not thorough enough, or their risk assessment of unknown malware did not result in a high rating, which would have yielded a strong response. I would like to think that they recognized the risk properly, which leaves incident response as the culprit. I know this sounds simplistic, but it is probably exactly what happened at Target. The formula is quite simple: if you find malware in your payment systems, obliterate it immediately and check everything. Had IT security acted upon the malware report in a timely and appropriate fashion, then the breach could have been contained before data actually left the network.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
12/2/2014 | 1:56:31 PM
Re: Training and awareness for end users
That's very true @Keith Graham, But we all know the limits of user training. And the phishers are so sophisticated these days, I bet they can fool even the most expert & skeptical security expert occaisionally. 
Keith Graham
50%
50%
Keith Graham,
 User Rank: Author
12/2/2014 | 1:53:36 PM
Training and awareness for end users
I'd like to also just throw into the mix here, that a major part of the problem is lack of training and awareness of our end users.  I dont disagree with any of the points made here, but all the time we have non-savvy users falling for that phishing email, clicking that link/or opening that weaponized document (thus resulting in malware being downloaded and an attacker getting a foothold) we're onto a losing battle. 
DavidC239
50%
50%
DavidC239,
 User Rank: Apprentice
12/2/2014 | 11:35:59 AM
Re: Is this a trend?
/rant

If you don't have sufficient security staff to tune those monitoring systems in the first place (1) you will have an excessive amount of noise.  If your security staff are not 100% dedicated (left alone) to monitor those security systems (2) you will have more security incidents.  If you do not have sufficient security staff engaged in the SDLC and project development process (3) then you will end up allowing insecure systems and software to be implemented in your production environment, which will result in more security incidents.  If your security staff does not have sufficient (and *current*) training on the latest threats and how to counter them then they will miss or be delayed in responding to the resulting security incidents.   "That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems." (5) suggests a lack of understanding of what it really takes in todays hostile world...

1.  Tuning your monitoring systems = security staff

2.  Dedicated security monitoring = security staff

3.  Engaged with the IT and business units during product/software development = security staff

4.  Ensuring a robust training budget exists for security = well trained security staff

5.  Intelligent, accurate, efficient, and automated security technology does not really exist.  That stuff might exist in the CSI TV show but not in the real world.  The security technology that *does* exist still requires #1, #2, #4 above.

We can't do our jobs on a shoe string staffing budget, without advanced, continous training, and if we are pulled in 15 different directions, leaving the house unguarded (Target breach anyone?), then you get what you get... hacked!  We are facing warehouses and dorms full of foreign hackers with all the advantages.  Either we comit to fighting the good fight (in the hear and now) or we disconnect from the web, take our ball and go home.

/rant

PS.  I do not, nor have I ever worked for, or been affiliated with Target.  My views are my own and have no realtion to current or past employers.
TerryB
50%
50%
TerryB,
 User Rank: Ninja
12/1/2014 | 4:15:29 PM
Re: Is this a trend?
60 Minutes was very general and non technical, Marilyn. I suspected none of that was news to you professionals. I'm primarily a developer and generalist (I'm only local IT guy here) who's background is from IBM mainframe and midrange servers, so I don't read Dark Reading very often. As a browser app developer, I am interested in staying up on application exploits in that vector. But almost all my apps are consumed internally behind a firewall, I'm not exposed like these public facing sites. So I don't lose a lot of sleep over cross site scripting.

But I had read a few articles on the Target breach, knew about initial access coming from one of their vendors hacked. Also knew the breach went undiscovered for a long time. But had no idea some security systems flagged it and it just wasn't acted on because of the routine noise. Is that called a "Chicken Little" system? :-)

My main point is I'd be shocked to see any IT job grow by 37%. I mean, more software gets written and used every year and you sure don't see developer jobs growing to match that. The underlying tech/systems has to solve this, not throwing more people at it who can only do so much about careless password usage, phishing, infected web pages and opening rogue email attachments. We can't have a security professional following every business user around and authorizing every computer transaction. Just too much cost involved.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
12/1/2014 | 3:27:01 PM
Re: Is this a trend?
I saw the 60 minutes segment, too and much of what was reported there (for a general audience) has been part of our regular conversation on Dark Reading. But to your point, the challenge is definitely getting right people, the  right technology and the right processes to get through all the noise. There is no magic bullet, to be sure, but we can do better. 
TerryB
50%
50%
TerryB,
 User Rank: Ninja
12/1/2014 | 1:15:23 PM
Re: Is this a trend?
This is not a knock on security professionals but the discussion is beginning to sound more like the DEA's response to the War on Drugs. Throw more resources and people at it and then we will win! We've seen how well that worked out.

I watched the 60 Minutes segment on Cyber Security last night. Especially interesting was the guy from FireEye. It was first time I heard the story that FireEye's stuff caught the Target breach but the warning was lost in all the false positives from other security software. That doesn't sound like something that throwing MORE people at will fix, sounds like we need better systems.

The other key takeaway for me was his comment that you WILL get breached, that battle is just to limit how long it lasts and what they get access to. Again, not something throwing security people at is going to fix.

No question the awareness of security importance has to be drilled into developers and architects of systems. From a cost point of view, businesses will sure get more bang for their buck that way than paying people who do security and nothing else. But there is no magic bullet here.
mejiac
50%
50%
mejiac,
 User Rank: Apprentice
12/1/2014 | 10:09:33 AM
Re: Is this a trend?
@Marilyn Cohodas,

So the question remains...do we get out of the storm? (mearning pursuit more low tech solutions), or get better rain coats?

I think an answer lies somewhere inbetween, in I think the finance industry would be the ones trying to implement more robust security meassures
Page 1 / 2   >   >>


News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...