Security Management

8/21/2017
05:50 PM
Philip Lieberman
News Analysis-Security Now

'Good Enough' Probably Isn't

Enterprise cyber defense needs to get better unless we want to see the executive revolving door spin even faster.

For several years now, I have advocated that CEOs must begin acting as the Commander-in-Chief of cyber warfare for their companies. This role would involve the chief executive building resiliency into not only the business itself but also into IT, which is now key to the survival of the business.

But one after another, CEOs still follow the same IT security road of shame that the leadership of Target and other corporations have taken. The lesson is unmistakable: If you provide poor IT security to your customers, you will soon be looking for a new job.

More than a few companies have flawed and unethical business models wrapped into a highly polished patina of legitimacy and compelling imagery that takes them far... until that moment when the covers are pulled off of a company. The misdeeds and deceptions are not all that different from what's now publicly known about what was going on inside the largest financial institutions in the world leading up to the financial meltdown in 2007/2008. ("Uh, we really didn't mean what we said about how those mortgages would perform over the next 30 years!")

The problem of poor internal security controls did not end with the financial meltdown. I will not forget speaking with a potential client from a company that had received numerous large fines for repeated IT security violations. As we discussed the pros and cons of one privileged identity management solution versus another, he became more and more agitated as I explained how one solution would help reduce the fines and breaches they've suffered (all public information).

In the end, he told me that I had no idea about how his company handles IT security, and that he was not interested in my suggestions. He then stormed out. Life is ironic: His company showed up in the national news about a month later for another major data breach that affected millions of consumers. This company did not buy my suggested security solution. They went with another "solution" because of that product's pretty interface.

I don't blame the employee. His senior management clearly did not provide the right criteria or incentives to purchase solutions that help with real IT security problems. And pretty user interfaces don't solve critical cybersecurity issues.

We work with a lot of great companies that have embraced acceptable loss as a reasonable and prudent strategy. Yet even with this approach, there is still sometimes bad news from IT about cyberattacks. But there are few surprises -- nor are there long periods of time where hackers nest in the environment and extract data at will.

The leadership of an organization must be up-to-date on cyber warfare threats and how the organization must prepare and operate to minimize losses. This does not mean leadership must know the deep-dive details of specific threats, but they must understand how infiltration and exfiltration of data, as well as destruction, occur in the cyber field.

When presented with audit findings, leadership must act as quickly as possible to terminate ongoing risks through both organizational changes and the implementation of technology. Leadership should test the mitigations regularly to confirm the problems found have been resolved and, more importantly, recheck the controls to assure that there is no backsliding to old destructive behavior.

The CEO and Board of Directors clearly lack visibility into the weaknesses and the inability of IT to manage risk and mitigate consequences to known outcomes. From a leadership point of view, many companies and government agencies are being run with a ticking time bomb and no ability to stop it or reduce the consequences of a breach. Not all of the blame lies with IT, but senior leadership of companies is not building resiliency into business operations when it comes to IT.

With more corporate board members now taking a hard look at information security, I predict we'll start seeing a revolving door of senior corporate leadership. Many executives will be forced to move on, simply because they don't "get it" when it comes to IT security.

Board-level members know that security breaches are inevitable and that they may be held liable for their failure to guide the company toward an operational posture that responds appropriately to cyberattacks. In this oversight role, the Board will push the CEO for answers on how the company can achieve acceptable losses via a cyber defense strategy. And while the concept of acceptable loss is not new for the CFO and CEO, when it comes to the spooky and complex world of IT, it appears there is a blind spot they're ignoring at the peril of their careers.

Philip Lieberman, noted cybersecurity expert and founder of Lieberman Software, has more than 30 years of experience in the software industry. He is frequently quoted by international business and mainstream media as well as industry news organizations, and has published numerous books and articles. Lieberman taught at UCLA, and has authored many computer science courses.
