Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
The State of IT Security: Its Broken
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/16/2013 | 12:17:15 PM
Tailored approach
John, your indictment of the security industry -- and your call to action about taking advantage of technology that is available NOW to reduce risk is quite compelling. But I also wonder if there is also a knowledge gap withiin the InfoSec community. Do practitioners have the analytical skills to make the analytical judgements to develop the tailored approach you advocate? 
danielcawrey
50%
50%
danielcawrey,
User Rank: Apprentice
12/16/2013 | 2:33:03 PM
Re: Tailored approach
I like this dynamic vs. static approach. If everyone is conducting security in the same way, then how is it even possible to properly be on top of risks? Malicious actors, in this way, have a window that allows them to simply go against the grain of samenes. It's time to think differently. 
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:06:02 PM
Re: Tailored approach
Thank you Daniel and I couldn't agree with you more.
Susan Fogarty
50%
50%
Susan Fogarty,
User Rank: Apprentice
12/16/2013 | 2:36:45 PM
Re: Tailored approach
John, my question is related to Marilyn's, I believe. Are you suggesting this analysis be done as an automated process? It seems like it would need to be in order to be current and dynamic. In my experience, security pros tend to distrust most types of automated systems.
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:34:15 PM
Re: Tailored approach
Thank you Susan. The analysis needs to be performed in real or near-real time.  I agree with your point that most security pros tend to distrust automated systems. I use to think the same way about automated systems and that was something that I learned from the industry as a best practice.  The question I would ask is: "how is that working for you today?".  I don't mean that to sound harsh but we have to do something different and approach the problem from a different angle. 
Susan Fogarty
50%
50%
Susan Fogarty,
User Rank: Apprentice
12/23/2013 | 12:55:21 PM
Re: Tailored approach
John, Thanks for your response. I believe the distrust of automation is something IT folks are going to need to reach beyond in order to progress. In order to keep up with the pace of modern day threats and even simple business processing speed, we can't rely on manual human reaction time anymore.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
12/16/2013 | 3:53:07 PM
Re: Tailored approach
Suggesting security is broken impies that it can be fixed, that some state of perfect security will be achieved. I doubt that's possible (and were it possible, it would be subverted by the NSA, for the sake of national security). The best we can hope for is to keep pace with malware innovation and to remain vigilant enough that some other organization gets attacked.
anon5605928117
50%
50%
anon5605928117,
User Rank: Apprentice
12/17/2013 | 9:34:33 AM
Re: Tailored approach
While it may not be fixable, certainly the conceit that individuals can memorize a hundred different long random passwords (provided they remember their incompatible userIDs) is as irrational as Mr. Spock's surprise when people act like people.    We need to understand people first.
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:47:06 PM
Re: Tailored approach
Thank you Thomas. I would have to disagree with you.  I'm not advocating "perfect security" but a reasonable pragmatic approach to the problem.  If we rely on "hope" and remain vigilant with current security practices than we will never keep pace with the threat.
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:04:06 PM
Re: Tailored approach
Thank you Marilyn. Sorry for the delayed response...I've been traveling. I think you will always have knowledge gaps within any industry.  I think practitioners have the skills to adopt my approach.  The biggest hurdle is doing something that seems radically different from current defensive approaches. I will admit that what I wrote just scratches the surface and I plan on adding even more context after the Holiday break with a white paper.   
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/20/2013 | 7:29:11 AM
Re: Tailored approach -- change is hard!
I'm glad to hear that what you're advocating doesn't require a ginoromous jump in skills for security practitioners, John. But I agree that change is hard and it will be challenging for many people and organizations to move off the status quo to a variable risk model  that is radically different.

For readers, I'm curious:  What do you think would be the hardest aspect of shifting from a static to a dynamic security risk assessmsent strategy?
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
12/16/2013 | 8:01:20 PM
What about the data?
I'm surprised that no one brought up one of the key fundamentals of security that would help (hopefully) reduce a lot of the complexity of securing data: asset identification.  I personally find that a lot of the confusion and security points of failure relate to not understanding what data exists, where it is, and how it is used.  It seems like a basic idea that if we have a good idea about what we have, we can build better security policies around it instead of trying to protect everything by throwing everything and anything at the problem and hoping nothing gets through.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/17/2013 | 3:34:04 PM
Re: What about the data?
That's a great point Stratustician, about classifying data in order to know how to protect it. In fact, I have a columnist who will be writing about that topic very soon. (So stay tuned!)

In the meantime, maybe you can share some of your experiences dealing with data classification & security -- good and bad!

 
JohnPirc
50%
50%
JohnPirc,
User Rank: Author
12/19/2013 | 10:52:41 PM
Re: What about the data?
Thank you Stratustician.  I couldn't agree with you more on data identification and classification.  Having an understanding of where data resides and the value of that data is more than half the battle.  This goes hand and hand with knowing your attack surface. I didn't want to boil the ocean in this paper but you bring up very good points that should not be overlooked!


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.