Comments
Most Companies Expect To Be Hacked In The Next 12 Months
Thomas Claburn (User Rank: Ninja), 3/16/2015 | 6:01:32 PM
what would happen...
...if we started referring to Big Data as "Big Liability."
RyanSepe (User Rank: Ninja), 3/17/2015 | 8:49:36 AM
Re: what would happen...
I'm not opposed. Especially if we fail to incorporate more effective cataloging and safeguarding procedures for big data sets.
Dr.T (User Rank: Ninja), 3/17/2015 | 6:06:54 PM
Re: what would happen...
It does not matter if you are a big data environment or not, data needs to be secured, period. The big data itself is not the main issue.
xmarksthespot (User Rank: Strategist), 3/19/2015 | 2:02:40 AM
Is it 'Game Over'? In my mind, no
Highlighting the uphill battle facing security professionals is important, and this article does that well.

Statistics can show one thing but be misleading. "70% of organizations say they suffered a successful cyberattack". If I took it at face value, meaning '70% of all the companies I do business with lost all my personal data to organized crime', I would immediately build a bunker in Alaska right now, and wait out the end. I think the definition of 'successful cyberattack' should be clarified. Breach disclosures are mandated by laws in every state, and if 70% of all organizations needed to report breaches, the daily newspaper would be an inch thick the whole year with the reported breaches.

Methodologies for information security are sound.  They work well at many companies.  Unfortunately, many companies, some of them in the 'too big to fail' category, can't get it right.  Generally speaking, improperly protected ones will suffer large financial consequences for breaches.

I believe that what the report really means by 'successful cyberattack' might be that a hacker got into at least one computer, and may not have stolen anything. The definition may have been left up to a cyber-security professional taking a survey. If you include small breaches with no loss of data, sure, the number's going to be huge.

It's not 'game over' when a foothold is gained. It's only 'game over' when personally identifiable information or a significant amount of other valuable data is exfiltrated, in my mind.

That's what defense-in-depth is for; the attacker was stopped at their foothold by defense in depth. Encrypted network communications, encrypted data, network segmentation, hardened hosts throughout.

If I heard that 97% of companies suffered from a successful endpoint breach with no loss of personally identifiable information (PII) or business data, I would deem that a rousing success.
Kelly Jackson Higgins (User Rank: Strategist), 3/19/2015 | 4:35:31 PM
Re: Is it 'Game Over'? In my mind, no
Good point, @xmarksthespot. The study didn't specify DATA breach, but a breach of network or systems. We don't know about stolen information per se.
Joe Stanganelli (User Rank: Ninja), 4/4/2015 | 8:01:44 PM
Re: Is it 'Game Over'? In my mind, no
Two points: 1) Obviously, if a breach has occurred, it's difficult to determine exactly what data has been "taken" -- so you have to assume that everything accessed or accessible has all been compromised, and 2) whether or not the data was "taken," if it was viewed or otherwise accessed, there are still compliance/regulatory issues to address -- regardless of what the actual facts are about what data was "taken"/recorded by the breacher.
Dr.T (User Rank: Ninja), 3/17/2015 | 6:04:35 PM
Re: what would happen...
I hear you, but I do not want to see data as a liability. There is value in every piece of data we hold; it is up to us how we put it into action to drive the business.
Joe Stanganelli (User Rank: Ninja), 3/17/2015 | 11:35:05 AM
Good.
This is good news. Top security experts advise that these days, it's not so much a matter of if you get hacked, but when. Taking the approach of "something is going to happen" will help cut down on so-called "M&M security" (i.e., hard on the outside, soft on the inside), allowing enterprises to be better prepared and secured when a breach occurs.
Dr.T (User Rank: Ninja), 3/17/2015 | 6:09:43 PM
Re: Good.
That may also backfire; take a look at this scenario: "if we are going to get hacked regardless of what we do, what is the point? Let's wait and see and we can take it from there."
Joe Stanganelli (User Rank: Ninja), 3/18/2015 | 8:24:03 AM
Re: Good.
Well, there's only so much you can do to cure stupid...  ;)
ODA155 (User Rank: Ninja), 3/18/2015 | 4:45:37 PM
Re: Good.
I have two things to comment on...

"Most Companies Expect To Be Hacked In The Next 12 Months"

OK... so the question is what are they doing to "lessen" the impact, because like AA, admitting that you have a problem is the first step.

...and...

"Security is finally waking up to the new reality that it's more of a question of 'when' than 'if,'" says Steve Piper, CEO of CyberEdge Group..."

I don't think anyone has been sleeping, especially not security, but more attention is always paid to the business versus anything that doesn't make money...
hykerfred (User Rank: Apprentice), 3/17/2015 | 11:54:50 AM
Time to start acting
2014 was the year when the hacker side took the lead in the ongoing cyber war. New technologies and new methods are being developed on an industrial scale.

2015 must be the year when the good side wakes up and starts to do something about it. Peripheral security is not enough anymore.

We need to securely authenticate the users instead of using simple passwords, we need to protect and authenticate the data in transit, and we need to build security into the applications, not just trust the network to handle it.
Dr.T (User Rank: Ninja), 3/17/2015 | 6:02:21 PM
Some want to be hacked
Some companies are actually looking forward to being hacked. It is a good deal for most small startups which want to make a name, thanks to us and the media, and there is no consequence of being hacked in any way. SnapChat would not be SnapChat if it was not hacked; they were hacked and they increased their user base.
Paladium (User Rank: Moderator), 3/18/2015 | 5:57:22 PM
Break the CISO Role in Two
As the author states, most security budgets are unfortunately tied directly to compliance requirements. Since compliance standards are NOT security frameworks, the hacks will continue until morale improves!

In other articles here on Dark Reading authors have suggested that the current security model is broken, or that Security Operations is at fault for the many, many security breaches over the past couple of years.  I see it far, far differently.

Riddle me this Batman.... When will compliance and security be broken into two separate, but equal peer roles?

The days of the traditional CISO are over and insisting on keeping them creates real added risk to organizations due to the existential cyber threat we face today.  They are not prepared! (yes, there are rare exceptions...)

Decouple compliance from security and make them peers.  Break the role into Operational Risk Officer and Cyber Security Officer, both reporting to sr. executive leadership, both with direct board access, and both with separate budgets.

Until we decouple cyber from compliance, 1) cyber will continue to suffer across the board, 2) be restricted to only compliance driven security requirements instead of real cyber security frameworks, and 3) companies will continue to have their cyber security run by compliance people that have zero clue into the world of true cyber security, resulting in more breaches and more finger pointing.

You want the cyber war won?  Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!

Rgr Out!

(Let the flaming begin....)
ODA155 (User Rank: Ninja), 3/19/2015 | 1:41:14 PM
Re: Break the CISO Role in Two
I agree, IT Security and Compliance should be separate departments AND neither should report up through the CIO, as is becoming the common thing to do. Working together with IT, sitting (physically) with IT is fine, but to keep objectivity in reporting and deciding what is best for the company, they need to report to the same person as the CIO or someone of equal ranking.

But I would go a step further to say that there should be a third "peer" added to that mix: internal audit. If you have people who understand how to look at the business systems and configurations and what security measures\processes have been put into place there, and who also understand what the compliance regulations are for those business systems and what levels of security are acceptable, and if that is articulated properly, then the company should be golden, or they should at the very least know what their problems are and what they need to do to address them. And keeping these three departments separate from IT would mean that everything should not have to come from the IT budget. Security and compliance should have their own budgets, because how many times have we all seen security recommend something and IT says no because they don't want to pay for it... but if security, compliance and audit could be involved in the development of these systems, then some of those costs could possibly be charged off to the business as requirements.

One last thing: security and compliance were not always under the same hat. This only came about because CISOs and CIOs knew that sometimes the best way to get the funding for something security related was to play the "compliance card" when neither had the budget nor the "horsepower" to get it done, so senior management said, OK, then we'll lump the two of you together and let you share a budget.

"You want the cyber war won?  Put a General trained in cyber security warfare in charge, not a compliance or risk weeny!"

After 22 years of service, been there, done that, got the tee-shirt. In my opinion, that's the LAST thing we need... another high-level diva playing high-level diva games... besides, that's probably what someone said about the "War on Drugs", and how's that working out?
Paladium (User Rank: Moderator), 3/19/2015 | 2:40:54 PM
Re: Break the CISO Role in Two
So far we are tracking. I was implying that the "General" was the Cyber Security Officer and he/she was a fully trained and deeply experienced Sr. Cyber Security Professional. They actually have a clue!!
ODA155 (User Rank: Ninja), 3/19/2015 | 2:42:09 PM
Re: Break the CISO Role in Two
I stand corrected. Have a good one.
Joe Stanganelli (User Rank: Ninja), 4/4/2015 | 7:58:56 PM
Re: Break the CISO Role in Two
My philosophy is that it's all a matter of risk assessment, and therefore one ought to take a holistic approach to both technical compliance and actual security. At the end of the day, it's all a matter of risk and ROI. Neither should be ignored, but both should definitely be viewed through the scope of the needs of the whole organization.