Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/30/2017
10:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Internet's Security Woes are Not All Technical

Google engineer Halvar Flake told Black Hat Asia attendees that flaws in organizational structure and market power put enterprises at risk.

BLACK HAT ASIA - Singapore - Technical shortcomings aren't the only flaws in today's Internet. Organizational structure and the balance of market power are also poking holes in an already fragile system.

Google engineer Halvar Flake discussed the actors, incentives, and industry challenges impeding Internet security as part of his keynote "Why We Are Not Building A Defendable Internet" here this week at Black Hat Asia 2017. Protected devices are part of the solution, but there's more to risk management, he said.

Flake began his discussion by describing the way businesses, security vendors, and customers should interact. Ideally, a business' CISO and their team develop security requirements and communicate their needs to the organization. Leaders make requests of vendors to provide products they need.

But in reality, that's not happening today. "This is not how purchasing works in any way, shape, or form," he explained. "The reality is, software vendors and the entire supply side for IT is entirely scale-driven."

The enterprise has little market power in shaping the design of security products they use, he noted. Few companies can give input to software or hardware vendors to influence the design process.

If businesses have little say in product features, CISOs have even less. Security leaders want to buy reliable products for their teams, but there aren't many available. Vendors and cyber insurance companies realize security leaders can't get exactly what they want, so they sell other products and services to fill the gap, he said.

Much of today's security tech exists to protect the CISO, Flake said. Functionality comes second. The biggest risk to the CISO is being perceived as missing a threat to the business. It doesn't matter whether the product performs; it simply has to seem like a reasonable choice. Purchasing security products often relies on marketing and manageability, he admitted.

"Security products may not help all that much, but they look like they could plausibly reduce the risk of the enterprise," Flake explained. "If you've bought a product, and the product fails to stop the risk, at least it's not your fault."

This contributes to the rise of cyber insurance, which offers to mitigate the cost of a breach and ensuing cleanup, he said. Cyber insurance is a new and evolving field. Many companies don't know policies often don't insure loss of reputational risk, user trust, or critical intellectual property.

There are a few ways cyber insurance could change the game for security teams, according to Flake. Insurers may need to acquire new levels of expertise to help differentiate good security products, or offer lower premiums to companies buying legitimately secure products.

That said, there are many cyber insurance factors that could lead to negative outcomes. Evaluating cyber-risk is hard because there is little historical data, he said. Technology changes so quickly that data collected years ago may not accurately predict risk today. Further, risks can be great. If a large breach occurs, "replace all devices" could be a feasible -- and expensive -- outcome.

All of this leads us to a bigger question: How to manage risk until better products come along. Flake notes how security leaders have adopted a defeatist attitude: "'Whatever we do, we'll always have many, many bugs.'"

This isn't actually true, though, he said. The ability to understand the attack surface and implement strong risk management are what sets apart experienced security pros.

One way to do this is to view IT infrastructure like a financial balance sheet, Flake said. As a whole, it provides daily benefits, but each component of the infrastructure has a risk of blowing up and becoming a liability. Installing software means incurring risk on your "balance sheet." Adding code to software is like adding risk to the balance sheet of each customer.

Most organizations don't know how to incentivize security. Employees are quick to add new software features because it will yield praise and promotions, but additional code broadens the attack surface, according to Flake.

Few people offer to reduce privileged code because it doesn't offer the same reward. The truth is, software has so many features and components that cutting code would be beneficial because it decreases the attack surface, he said.

"Too few people understand the equivalence between code and risk, or treat it as such," Flake said. Businesses need to recognize the role of incentive structure and pay to cut code where it's necessary.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
3/31/2017 | 3:07:03 PM
Re: Cyber insurance policies
Because cybersecurity, data stewardship, and related matters are such nascent issues for insurers to contend with, don't expect any merger of these considerations with general E&O umbrella policies anytime soon.
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
3/31/2017 | 10:11:43 AM
Re: Cyber insurance policies
Cyber, Security, Ethical policies should be tied together.  All it takes is one nasty incident for the company to look for a fall guy; then employees realize they need to careful with what they are doing.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
3/30/2017 | 11:28:51 AM
Cyber insurance policies
> "Many companies don't know policies often don't insure loss of reputational risk, user trust, or critical intellectual property."

There are policies out there that may cover these things, but -- of course -- you have to ask for them.

The real key here is for businesses to imagine all of the possible consequences of something going wrong, do a risk-management assessment, and then ask the broker about coverage accordingly.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.