Stripping the Attacker Naked - Dark Reading

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security

Careers and People

Identity & Access Management

Security Monitoring

Advanced Threats

Insider Threats

Vulnerability Management

To InformationWeek

Network Computing Dark Reading

Advertise

Newest First | Oldest First | Threaded View

[close this box]

50%

50%

BrianN060,
User Rank: Ninja
4/11/2018 | 12:48:40 PM

Re: Not Worth Reading

As an alternative to the "crown jewels" analogy, consider this: "Data is the life's blood of the modern enterprise". If you accept that, just what part of your organization's life's blood isn't worth protecting? How much of a leak is acceptable? Which parts do you need to keep uncontaminated? When is it Ok for any of it not to get to where it's needed?

As to why Information System architects aren't ready, willing or best suited to take point in protecting data assets: the metrics for job performance are skewed toward finding new, better and faster ways to exploit an organization's data. What stakeholders have failed to realize is that their people aren't the only ones good at doing that! The scattered debris field left by all the (well rewarded), shortcuts, design-as-you-go, secure-it-later, data-ecology strip-mining and hope-it-holds patching is a godsend to those who realize what can be made from the bits and pieces.

Reply | Post Message | Messages List | Start a Board

50%

50%

MartinDionCH,
User Rank: Author
4/10/2018 | 2:59:12 PM

Re: Not Worth Reading

Thanks Brian for your feedback! Two things, editorial guidelines limits the article lenght and this article is not claiming to be about cyber security strategy at large. I generally agree with your comment but cyber is not limited to data protection. From my viewpoint, it’s about enterprise resilience, hence crown jewels are broader than data. I also think that although IT have an important role, that security personnel must lead the charge and facilitate the transversal conversation. Finally, it’s important to focus on what is both the most valuable and vulnerable right now since most enterprise don’t have the luxury of securing everything, it’s just sound risk management practices. Best regards Martin

Reply | Post Message | Messages List | Start a Board

50%

50%

BrianN060,
User Rank: Ninja
4/10/2018 | 1:29:03 PM

Re: Not Worth Reading

@Martin: Nothing wrong with suggesting strategy or doctrine, rather than implementation tactics. Too little thought goes into creating a sustainable, orchestrated, holistic and heuristic approach to cybersecurity, in many organizations. Putting tactics first, you can win lots of battles, yet still lose the war.

"First, security personnel must identify the "crown jewels" — the vital data needing protection."

I do have an issue with the "crown jewels" analogy - as it suggests that most (of the now vast amounts of), data that enterprises collect, share, store, transmit or process doesn't require protection. It's impossible to know to what use some entity, at some point in the future, might make of "ordinary" data, especially in combination with data collected from other sources.

Also, I would not task "security personnel" with identifying or evaluating data assets, or establishing the need-to-know access mechanisms - that's a job for the information system's architects.

Reply | Post Message | Messages List | Start a Board

50%

50%

MartinDionCH,
User Rank: Author
4/9/2018 | 2:21:28 PM

Re: Not Worth Reading

I am sorry you feel this way, if you are looking for implementation guidelines, may I suggest you read my other post? As well, you must understand that I do appreciate your feedback and to ensure I do better next time, it would be important for me to understand what you would expect or even to get specific questions so we could interact constructively. Best regards, Martin.

Reply | Post Message | Messages List | Start a Board

ANON1251724318124

50%

50%

ANON1251724318124,
User Rank: Apprentice
4/9/2018 | 1:14:09 PM

Not Worth Reading

There are no insights here just conjecture.

Reply | Post Message | Messages List | Start a Board

Editors' Choice

Edge-DRsplash-10-edge-articles

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Dark Reading Virtual Event - November 17 - Learn More

Black Hat Europe 2021 - November 8-11 - Learn More

SecTor - Canada's IT Security Conference Oct 30-Nov 4 - Learn More

More Informa Tech Live Events

White Papers

The State of Cloud

Zero Trust and the Power of Isolation for Threat Prevention

Digital Transformation and Data Security

The Transition to Empowered Enterprise Authentication

The Dirty Dozen: The Truth About Privacy Preserving Techniques and Technologies

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

Enterprise Cybersecurity Plans in a Post-Pandemic World

Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.

Download This Issue!

Back Issues | Must Reads

Flash Poll

Incident Readiness and Building Response Playbook

Incident Readiness and Building Response Playbook

In this special report, learn the Xs and Os of any good security incident readiness and response playbook.

Battle for the Endpoint

How Enterprises are Developing Secure Applications

Assessing Cybersecurity Risk in Today's Enterprises

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Dark Reading - Bug Report

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-21742
PUBLISHED: 2021-09-25

There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.

CVE-2020-20508
PUBLISHED: 2021-09-24

Shopkit v2.7 contains a reflective cross-site scripting (XSS) vulnerability in the /account/register component, which allows attackers to hijack user credentials via a crafted payload in the E-Mail text field.

CVE-2020-20514
PUBLISHED: 2021-09-24

A Cross-Site Request Forgery (CSRF) in Maccms v10 via admin.php/admin/admin/del/ids/<id>.html allows authenticated attackers to delete all users.

CVE-2016-6555
PUBLISHED: 2021-09-24

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in ver...

CVE-2016-6556
PUBLISHED: 2021-09-24

OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This iss...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]