Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
The New Security Architecture
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Susan Fogarty
Susan Fogarty,
 User Rank: Apprentice
11/21/2013 | 5:21:27 PM
Re: Compliance vs. security
Ed, thanks so much for your response. I'm aware that the carriers are constantly monitoring their networks for developing threats. I guess I am surprised that we haven't seen as that much uptake in managed security services by enterprises so that they can take advantage of that. There seems like a lot of potential that could really be leveraged.
Ed Amoroso
Ed Amoroso,
 User Rank: Apprentice
11/21/2013 | 1:09:17 PM
Re: Compliance Testing Doesn't Go Away
Jerry, we actually agree on the first point, but perhaps it wasn't clear before. I was not suggesting that compliance and control testing should go away, but that these tactics alone are not a perfect reflection of your security posture and can distract a security team from critical priorities. For example, you can have the appropriate controls in place and functioning properly, but if an employee is caught by a phishing email and adversaries gain access to your network, they can work around all your controls. This is one reason why network visibility is so important. You need to understand what is going in and out of your network at all times because today's adversaries can adjust their tactics in real-time, so businesses need to have the ability to recognize those tactics and react quickly.
Ed Amoroso
Ed Amoroso,
 User Rank: Apprentice
11/21/2013 | 1:08:44 PM
Re: Compliance vs. security
Susan, for AT&T customers, our network is their first line of defense. In fact, we track hundreds of millions of security events every day to protect our network and our customers from malicious threats. The challenge for businesses is that Internet traffic comes into their corporate networks from a variety of sources, so it's important to have visibility into your organization's specific network. This level of visibility is also critical for detecting unauthorized access to your corporate assets.
Ed Amoroso
Ed Amoroso,
 User Rank: Apprentice
11/21/2013 | 1:07:39 PM
Re: Compliance vs. security
David, compliance is not going away and it's become part of the job for those of us responsible for protecting corporate networks. However, as Jerry points out below, controls are not 100% foolproof and are inadequate when it comes to dealing with a live adversary. Consequently, a business that passes all of its audits can still be extremely vulnerable to attack. I believe effective programs give high priority to security innovation and to developing a team that can mitigate threats in real-time.
Ed Amoroso
Ed Amoroso,
 User Rank: Apprentice
11/21/2013 | 1:04:12 PM
Re: Investment priorites
Marilyn, I think an important first step for senior management is ensuring that CSOs are bringing a solid foundation of networking and cybersecurity expertise to audit discussions. In the future, I expect we'll see more highly technical security professionals sporting PhDs and a deep understanding of networks, infrastructure, and devices. These technical experts know the importance of adopting threat detection and mitigation practices, rather than putting all the organization's time and energy into compliance.
BillatDellSoftware
BillatDellSoftware,
 User Rank: Apprentice
11/21/2013 | 10:29:35 AM
Re: Determining risk calue
Marilyn, Thanks for the tip on the Dave K article.  I really like the last line: "Over the longer term, the only alternative to risk management is crisis management, and crisis management is much more embarrassing, expensive and time consuming." 

We are providing Dave a review of our IAM business in a few weeks.  I'll be sure to bring this one up.  Thanks!

 
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/21/2013 | 10:15:11 AM
Re: Determining risk calue
These are all great questions about prioritizing assets and determining risk, Bill. Let's throw them out to the security community to see what risk management strategies and tactics are working and not working in their respective organizations.

Also want to point you to Dave Kearns' column: Understanding IT Risk Management In 4 Steps X 3, which outlines a risk management matrix that combines the probability of harm and the severity of harm. 
BillatDellSoftware
BillatDellSoftware,
 User Rank: Apprentice
11/21/2013 | 8:25:04 AM
Determining risk calue
Ed, this is an excellent article insofar as it looks at the changing IT landscape and how that impacts security in the enterprise both today and in the future.  I work for Dell Software and spend a good deal of time speaking with customers who are experiencing very similar challenges.  One of the topics I would like to hear more about from you is how you go about prioritizing assets.  You mention in the article that you need to invest more to protect "high value" assets than you do for "lower value" assets.  How do you go about determining those risk values?  Do you allow the business to classify apps and content?  Do you have an automated tool that strives to check each document and assign risk to it?
Susan Fogarty
Susan Fogarty,
 User Rank: Apprentice
11/20/2013 | 6:04:42 PM
Re: Compliance Testing Doesn't Go Away
Jerry, I like your analysis. The problem comes when companies equate compliance with security and think if they are complaint, then everything will be fine. But there are a lot of other protections that may be needed. A risk assessment should point those out.
JerryJ
JerryJ,
 User Rank: Apprentice
11/20/2013 | 1:21:33 PM
Compliance Testing Doesn't Go Away
Ed, you wrote "...most basic tenet of today's corporate audit involves testing controls to ensure 100 percent compliance with corporate policy. This mentality needs to change..." It may be semantics, but I respectfully disagree. You always need to test controls. Too often, in my experience, an adversary has take advantage of a failed control that was thought to be in place. That said, you need to be certain you've selected and implemented the correct controls to begin with, recognizing that the technologies we deploy and the motives, skills and modus operandi of the adversary are ever evolving.

You finished your thought with "...so businesses can prioritize investments on protections that will yield the best possible security posture." This I agree with 100%. I was once on a panel speaking on risk management and was asked, "so does risk management eliminate the need for the compliance checklist?" My reply was, "No. Risk management is a way to prioritize the compliance checklist." I would also add that risk management is a way to evolve the compliance checklist.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file