Risk
7/10/2006 07:30 PM
Patricia Keefe
Commentary

Same Old Security Song And Dance? Yes And No

The results of InformationWeek's annual Global Security Survey got me to thinking that the more things change, the more they stay the same.

By which I mean there's a certain amount of same-old same-old here, which is to be expected. On one level, the story is that the security story doesn't change much. The issue is a continuum, playing out over and over again. Companies may be spending more money, but they still aren't spending enough money. (They never do unless they've been publicly embarrassed.) For the most part, they don't set up or fully follow security procedures unless a news story scares the pants off them. They plow ahead with new technologies even though they know they're not secure. (Hey, you gotta do what you gotta do to keep a competitive edge.)

And users keep doing stupid things, too. Mom was right, if their laptops weren't screwed to their desks, they'd lose them. No wait, they aren't nailed down, and they do lose them! Hackers continue to have their way, IT shoulders the blame, and researchers reap much publicity in the race to ferret out application flaws. If I never see another survey that brightly announces that users don't change their passwords enough, or should stop using birthdays and pet names as passwords, it won't be soon enough. (It's stuff like this, BTW, that will probably help propel biometric access methods into the mainstream.)

In fact, the only things that seem to change in this ongoing saga are the targets, the technology, and the attitudes of the public, legal, and regulatory sectors.

For example, it used to be that users of Macintosh or open-source systems didn't have to worry so much. Not anymore. Maybe blowing holes through Windows got to be too easy, but the bad guys have finally gotten 'round to training their sights on Apple and Linux. And hackers, too--even and especially white-hat ones--didn't use to have to worry so much. Not anymore. You get caught today, even with the best of intentions, and you face the highest chance ever of going to jail.

Law enforcement has taken an increasingly hard view of cybercrimes of every ilk, and it's showing up in tougher laws, cross-agency and cross-national teamwork, and more arrests and more jail time.

Congress at least thinks more about addressing high-tech issues, but the very thought of more action on the Hill ought to give pause, given the knowledge base we're dealing with there. Take that key senator who brightly announced that the Internet is not a truck. Very good, sir, you may sit down now. On the other hand, if companies can't be scared straight, so to speak, into enacting needed reforms to protect the data they collect, well, maybe it would be better if Congress stepped in.

One obvious change is the evolution in publicizing hacks, data breaches, and vulnerabilities. Yeah, we still don't hear about this stuff in as timely a manner as we should, and the source of that information is often not the affected party (which it should be), but we're seeing more cybercrimes and computer flaws reported and publicized. Which is a good thing. It's good because it will spur at least some readers into action, and because knowing how each event happened and knowing how it was dealt with adds to our knowledge base.

The area of biggest change is, of course, technology itself. Be it the frighteningly fast evolution of viruses, Trojans, worms, and other forms of attack, old and new, or the technologies being used to defend against such attacks, the pace of change has been furiously fast.

At the end of the day, this should mean a major ratcheting up in terms of the seriousness of this issue. It means even if the number of attacks falls, the cost of those attacks is escalating up and up. The fallout from a successful enterprise breach or data loss carries a higher probability of being more devastating. The costs of cleaning up after such an attack, and of defending against the increasingly complex and sophisticated efforts to break in, are going to rise to painful levels.

So even if your company is more secure today than it was a year ago, it won't necessarily help you going forward. IT needs to make sure all the security bases are fully covered, deployed, and in use, and then determine to remain on alert going forward, updating and changing policies and technology as needed. Be honest, does this describe your company?

This is a different kind of war on terror, but like its political counterpart, it's never going to be over. So don't wait for the next big news story to start looking over your security setup. Be proactive now because you never know--yours could be the next company splashed across the headlines.

** For another take on our annual global security survey, read Larry Greenemeier's summary of what he sees as the five biggest surprises from the survey and his cover story package on that survey. You can see the full package of survey results, reader tools, and stories by going to our special topic page on the subject.
