Comments
Most Companies Expect To Be Hacked In The Next 12 Months

Joe Stanganelli, User Rank: Ninja
4/4/2015 | 8:01:44 PM
Re: Is it 'Game Over'? In my mind, no
Two points: 1) Obviously, if a breach has occurred, it's difficult to determine exactly what data has been "taken" -- so you have to assume that everything accessed or accessible has all been compromised, and 2) whether or not the data was "taken," if it was viewed or otherwise accessed, there are still compliance/regulatory issues to address -- regardless of what the actual facts are about what data was "taken"/recorded by the breacher.

Joe Stanganelli, User Rank: Ninja
4/4/2015 | 7:58:56 PM
Re: Break the CISO Role in Two
My philosophy is that it's all a matter of risk assessment, and therefore one ought to take a holistic approach to both technical compliance and actual security. At the end of the day, it's all a matter of risk and ROI. Neither should be ignored, but both should definitely be viewed through the scope of the needs of the whole organization.

Kelly Jackson Higgins, User Rank: Strategist
3/19/2015 | 4:35:31 PM
Re: Is it 'Game Over'? In my mind, no
Good point, @xmarksthespot. The study didn't specify DATA breach, but a breach of network or systems. We don't know about stolen information per se.

ODA155, User Rank: Ninja
3/19/2015 | 2:42:09 PM
Re: Break the CISO Role in Two
I stand corrected. Have a good one.

Paladium, User Rank: Moderator
3/19/2015 | 2:40:54 PM
Re: Break the CISO Role in Two
So far we are tracking. I was implying that the "General" was the Cyber Security Officer and he/she was a fully trained and deeply experienced Sr. Cyber Security Professional. They actually have a clue!!

ODA155, User Rank: Ninja
3/19/2015 | 1:41:14 PM
Re: Break the CISO Role in Two
I agree, IT Security and Compliance should be separate departments AND neither should report up through the CIO, as is becoming the common thing to do. Working together with IT, sitting (physically) with IT is fine, but to keep objectivity in reporting and deciding what is best for the company they need to report to the same person as the CIO or someone of equal ranking.

But, I would go a step further to say that there should be a third "peer" added to that mix, internal audit. If you have people who understand how to look at the business systems and configurations and what security measures/processes have been put into place there, and also understand what the compliance regulations are for those business systems and what levels of security are acceptable, and if that is articulated properly, then the company should be golden, or they should at the very least know what their problems are and what they need to do to address them. And keeping these three departments separate from IT would mean that everything should not have to come from the IT budget. Security and compliance should have their own budgets, because how many times have we all seen security recommend something and IT says no because they don't want to pay for it... but if security, compliance and audit could be involved in the development of these systems then some of those costs could possibly be charged off to the business as requirements.

One last thing, security and compliance were not always under the same hat; this only came about because CISOs and CIOs knew that sometimes the best way to get the funding for something security related was to play the "compliance card" when neither had the budget nor the "horsepower" to get it done, so senior management said, OK, then we'll lump the two of you together and let you share a budget.

"You want the cyber war won?  Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!"

After 22 years' service, been there, done that, got the tee-shirt. In my opinion, that's the LAST thing we need... another high level diva playing high level diva games... besides, that's probably what someone said about the "War on Drugs", and how's that working out?

xmarksthespot, User Rank: Strategist
3/19/2015 | 2:02:40 AM
Is it 'Game Over'? In my mind, no
Highlighting the uphill battle facing security professionals is important, and this article does that well.

Statistics can show one thing but be misleading. "70% of organizations say they suffered a successful cyberattack". If I took it at face value, meaning '70% of all the companies I do business with lost all my personal data to organized crime', I would immediately build a bunker in Alaska right now, and wait out the end. I think the definition of 'successful cyberattack' should be clarified. Breach disclosures are mandated by laws in every state, and if 70% of all organizations needed to report breaches, the daily newspaper would be an inch thick the whole year, with the reported breaches.

Methodologies for information security are sound. They work well at many companies. Unfortunately, many companies, some of them in the 'too big to fail' category, can't get it right. Generally speaking, improperly protected ones will suffer large financial consequences for breaches.

I believe that what the report really means by 'successful cyberattack' might be that a hacker got into at least one computer, and may not have stolen anything. The definition may have been left up to a cyber-security professional taking a survey. If you include small breaches with no loss of data, sure the number's going to be huge.

It's not 'game over' when a foothold is gained. It's only 'game over' when personally identifiable information or a significant amount of other valuable data is exfiltrated, in my mind.

That's what defense-in-depth is for; the attacker was stopped at their foothold with defense in depth. Encrypted network communications, encrypted data, network segmentation, hardened hosts throughout.

If I heard that 97% of companies suffered a successful endpoint breach with no loss of personally identifiable information (PII) or business data, I would deem that a rousing success.

Paladium, User Rank: Moderator
3/18/2015 | 5:57:22 PM
Break the CISO Role in Two
As the author states, most security budgets are unfortunately tied directly to compliance requirements. Since compliance standards are NOT security frameworks, the hacks will continue until morale improves!

In other articles here on Dark Reading authors have suggested that the current security model is broken, or that Security Operations is at fault for the many, many security breaches over the past couple of years.  I see it far, far differently.

Riddle me this Batman.... When will compliance and security be broken into two separate, but equal peer roles?

The days of the traditional CISO are over and insisting on keeping them creates real added risk to organizations due to the existential cyber threat we face today.  They are not prepared! (yes, there are rare exceptions...)

Decouple compliance from security and make them peers. Break the role into Operational Risk Officer and Cyber Security Officer, both reporting to sr. executive leadership, both with direct board access, and both with separate budgets.

Until we decouple cyber from compliance, 1) cyber will continue to suffer across the board, 2) be restricted to only compliance driven security requirements instead of real cyber security frameworks, and 3) companies will continue to have their cyber security run by compliance people that have zero clue into the world of true cyber security, resulting in more breaches and more finger pointing.

You want the cyber war won? Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!

Rgr Out!

(Let the flaming begin....)

ODA155, User Rank: Ninja
3/18/2015 | 4:45:37 PM
Re: Good.
I have two things to comment on...

"Most Companies Expect To Be Hacked In The Next 12 Months"

OK... so the question is what are they doing to "lessen" the impact, because like AA, admitting that you have a problem is the first step.

...and...

"Security is finally waking up to the new reality that's more of a question of 'when' than 'if,'" says Steve Piper, CEO of CyberEdge Group..."

I don't think anyone has been sleeping, especially not security, but more attention is always paid to the business versus anything that doesn't make money...

Joe Stanganelli, User Rank: Ninja
3/18/2015 | 8:24:03 AM
Re: Good.
Well, there's only so much you can do to cure stupid... ;)