Dark Reading is part of the Informa Tech Division of Informa PLC

Perimeter

6/9/2017, 10:30 AM
Mike Baukes
Commentary

Your Information Isn't Being Hacked, It's Being Neglected

To stop customer information from being compromised, we must shore up the most vulnerable parts first, the day-to-day IT operations work that builds, configures, and changes systems.

A shadowy figure sits in a dark room, lit only by a laptop, tapping away at a command line. Disheveled clothes hang on him, a hood over the headphones covering his ears.

This person is about to cause one of the biggest data breaches of the year.

But he isn't a hacker. He's a system administrator, setting up a new database to ship customer data to a third party. The request to build it came in at the last minute, needed to be done yesterday, and the sysadmin, already managing an overstuffed data center, had to build and deliver the system outside of the usual process. In the rush he skipped one crucial configuration step, the one that restricts the database to trusted connections, and left it listening to the entire Internet.

This scenario, as anyone who has worked in IT knows, is far more common than that of a breach caused by an elite hacker who cracks encryption and busts through firewalls — a nightmare that, comparatively, almost never happens. Overwhelmingly, your information is not being hacked. It’s being left out in the open where anyone can find it. The hacker narrative serves the fortunate purpose of placing the burden of data security on a vague, threatening attacker, instead of on the companies that acquire, maintain, and transfer the information every single day to make money.

The numbers bear this out. Gartner predicts that through 2020, 99% of firewall breaches will be caused by misconfigurations, not by flaws in the firewalls themselves. "Breach" is a word that gets used a lot in cybersecurity, but it may not accurately reflect the true nature of most data loss. Breach implies an active force working to overcome an obstacle or defense.


In reality, most "breaches" are caused by companies inadvertently posting sensitive information on Internet-exposed databases, websites, and servers. Likewise, "hacking" implies the same idea, and most people would probably agree that browsing somewhere on the Internet and reading publicly available data doesn't fit the accepted definition.

Protect the Vulnerable
This isn't meant to be pedantic. The point is that if we want to stop customer information from being compromised, we need to shore up the most vulnerable parts first. Those are not zero-day exploits and advanced malware chains (though those do exist) but the day-to-day IT operations work that builds, configures, and changes systems.

Business risk, like business operations, has shifted away from the physical and into the digital. Companies exploit technology to the fullest so they can take advantage of the increased throughput, scale, and feedback to better compete in the market. But this same technology carries its own risks that can undermine the business as a whole if not addressed. More importantly, the consequences of this risk tend to fall on the customers, whose identities and information are being sold or otherwise misused.

Cyber-risk is business risk; breaches and outages are business problems. Customers establish trust with the business as a whole, the brand, not the IT department, and certainly not with third-party data handlers. When a breach occurs, no matter how it happened technically, the relationship between the company and the customer is damaged. Incidents that are large enough usually call for a sacrificial figure from among the C-suite, occasionally even the CEO, to satisfy the appearance that the company is taking the problem seriously. Then cybersecurity projects are launched, with plenty of public relations help, to ensure the right optics to control the reputational damage done to the company by the breach. But what is being done to really stop the problem?

The silver bullet of cybersecurity is a myth. There's no new fortification, no new defense, that's going to prevent the majority of problems that lead to breaches and outages, because attacks aren't the main problem. Only a new perspective on business technology, and a new relationship between business leaders and IT departments, can begin to close the cyber-risk gap.

This is what we call cyber resilience — a holistic way to account for the risks posed by the technology on which we all depend. Cyber resilience is about building hardened and tested procedures into every step of IT operations, creating maximum visibility into IT assets and their risks, and automating processes to minimize those risks as much as possible.

The burden for protecting customer information must fall to the companies that use it to do business. Otherwise, the risk incurred by the technology a business uses is passed wholesale to the customer, while the benefits of that technology are retained by the business — an arrangement most customers aren't willing to endure for long. Enacting a cyber resilience strategy is a win/win for customers and businesses, but it requires change, something harder to crack in the enterprise than any password or encryption.

Mike Baukes is co-founder and co-CEO of UpGuard, a cyber resilience company based in Mountain View, California. View Full Bio
Comments

RetiredUser (User Rank: Ninja), 6/9/2017, 1:14:57 PM
Time to Market Considerations
I couldn't agree more, especially coming from a fast-paced environment where clinical data, patient health records and research materials are in the charge of many users, from programmers, testers and production support staff. We are pushed to our limits on a regular basis to release new code, to fix production issues and so forth, and at many steps of the process data that must be kept secure has potential to become vulnerable.

A project requirement I see missing from many a project plan is exactly the things you are referring to, including milestones for data integrity checks before, during and after projects, whether they are one-off requests for an overnight tweak or a year-long project. Luckily for my team we work hand-in-hand with teams like Security and Compliance. We treat all requests the same, we care for the data in the same manner regardless of the project. But the requirements should still be documented as many projects may overlook such "minutia".

Time to Market should not compromise integrity, and all considerations related to Security and Compliance should be built into the day-to-day operations of every team member who has charge over sensitive data. The requirements for such data management should be written into project plans, no matter how small or large, and every user with access should be well trained in the operational mind-set needed to avoid breaches of this type.
