Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
The Internet's Winter Of Discontent
aws0513
aws0513,
User Rank: Ninja
12/22/2014 | 11:12:19 AM
Security that is integral... not an additive.
Good points in the article Paul.

I particularly keyed on the last small sentence.
A while back, my supervisor rhetorically asked me why we had so much difficulty implementing basic security practice and controls.
He didn't expect an immediate answer from me, but I already had the answer locked and loaded: security culture.

I was in the military for 22 years.  From the first day of basic training to the last day of service, every member of the military forces learns what security means.  Security concepts become ingrained into life even beyond the installation gates.  Military service is a security oriented service with a security oriented culture.
If a practice is deemed insecure for even the smallest detail, it is remedied faster than most civilians can imagine possible.  If a new security control is to be put in place there are questions (contrary to popular belief, the military troops are allowed to ask questions) but the answers to those questions are quickly (if not already) prepared and communicated so the troops can efficiently digest the information and begin to make any necessary adjustments to operations in order to accommodate the new control.  Exceptions to security policies are well documented, heavily monitored, and NEVER considered permanent.  There is flexibility, but with attention to detail and an expectation of remediation to the common standard so that a solution can be better managed long term.  Too many variations and exceptions make it difficult to manage any security program.
Even with all that...  bad things happen. 
The military fully understands that there is always a chaos quotient in any hostile environment or encounter.  The need to mitigate damages through thoughtful design and planning and preparation is key to the military security doctrine.  Some call it defense-in-depth or environment hardening or "improving the fighting position".  Whatever one calls it, the goal is to make it so that every malicious effort an attacker wants to make has a heavy cost with (hopefully) reduced gains and added risk to their own plans and resources.

It is apparent that SPE executive and corporate board members simply had not grasped the concepts regarding risk management and IT.  Their actions (or non-action) demonstrate to me they did not believe they needed to take strong and specific steps to implement practices in order to improve their security profile.  They had not engaged in a security culture that should exist throughout the organization.
BTW...  security culture concepts always pour from the top of the mountain and every effort should be made to have it run all the way down all slopes and into adjacent valleys (if possible, splash some on adjoined mountains as well).

Without the establishment of a security culture, the only security controls that will likely work well are those that are fully automated.  And those automated controls will likely be at risk due to people who feel that the control is not necessary or a burden to their operations.  The most common source for problems I had to remediate were people who simply did not take security controls seriously.

Some would say that too much security culture can hamper most private sector businesses.  I say that is just a perception from those who do not understand and appreciate security culture. 
Banks conduct business constantly, yet many (not all) have some very mature security programs. 
Apple Inc. is famous for keeping their new product projects under a relatively (not perfect) effective security umbrella. 
Businesses that know that their IP is valuable also know that their systems holding their IP must be protected and handled properly.  
Security culture in the private sector exists...  but only as small, quiet islands of light in a sea of darkness.  SPE was apparently not one of those islands.  It remains to be seen if things will change for SPE.  That will be the task of SPE leadership going forward. 

Enough of my rambling....  I have more security culture establishment work to do here... as is always the case.

Happy holidays to you and yours.  :-)
