Dark Reading is part of the Informa Tech Division of Informa PLC


10/19/2020 10:00 AM
Greg Clark
Commentary

A New Risk Vector: The Enterprise of Things

Billions of devices -- including security cameras, smart TVs, and manufacturing equipment -- are largely unmanaged and increase an organization's risk.

When FedEx subsidiary TNT Express was hit by ransomware in 2017, its delivery units were crippled and much of its shipping operations ground to a halt. In addition to delaying services to customers, the attack cost FedEx approximately $300 million, according to public filings.  

It's a story that is unfortunately becoming more commonplace today. Ransomware is ravaging businesses around the world, bringing manufacturing plants to a standstill, preventing hospitals from treating patients, and even keeping students from remote schooling during this pandemic. Meanwhile, attackers continue to steal data and credentials from companies of every size in every industry and leverage them for profit. 

As cybercrime damages are expected to reach $6 trillion by 2021, a growing number of breach notification laws and regulations like the EU's General Data Protection Regulation are bringing transparency to the direct financial impact of a cyberattack. Corporate directors are increasingly pushing company leaders for an improved understanding of cyber-risk, as well as a mitigation strategy and plan. The potentially sudden and material impact of cyberattacks has pushed cybersecurity to the top of the risk register for many enterprises. Most boards and executive teams lack familiarity with these risks, so board-level cybersecurity education is typically the first step, quickly leading to questions on how the enterprise can buy down cyber-risk.


As directors ask these questions, many boards are finding that the organization has invested in controls such as antivirus and firewalls for years. However, these tools do not address one of the largest cybersecurity blind spots today: the Enterprise of Things. Billions of devices, including security cameras, smart TVs, and manufacturing equipment, are connecting to enterprises. When you look at the risk management fabric of any company of significance, the risk posed by these resident unmanaged devices and systems is high. 

In many cases, this proliferation of Enterprise of Things devices pushes productivity and innovation forward, factors that are very important to a board of directors in its obligation to drive shareholder value and reduce the company's risk profile. However, a single poorly secured device connected to the corporate network could be the weak link that negates those benefits, instead causing significant financial and reputational harm. That weak link could be a single laptop, a sensor monitoring a nuclear plant, a printer, a medical device, or, in the case of a Las Vegas casino, a fish tank thermometer.

Boards need to understand the company's cyber-risk exposure, quantify the potential impact if hit by a cyberattack, and take steps to ensure that every dollar spent on cybersecurity directly buys down that enterprise risk. To do that, they need to build a defense inside of their cyber castle walls, with a real-time, continuous, and context-rich understanding of the managed and unmanaged assets. If the network were a beach composed of vast numbers of connected entities that formed the grains of sand, the company needs to have the ability to zero in on a single anomalous grain and then analyze it in granular detail. 

Boards must ensure that the security function has the right skills, processes, and technologies to implement an active defense strategy that includes identifying, segmenting, and enforcing compliance of every connected thing from the time a device enters the network and throughout its life cycle. Key to an active defense is having the ability to isolate and automate control and action across any asset, anywhere, anytime to mitigate risk, contain breach impact, and operate fearlessly — without worrying about keeping critical assets online.

The ultimate goal should be the implementation of a process for formal review of cybersecurity risk and readout to the governance, risk, and compliance (GRC) and audit committee. Each of these steps must be undertaken on an ongoing basis, instead of being viewed as a point-in-time exercise. Today's cybersecurity landscape, with new technologies and evolving adversary tradecraft, demands a continuous review of risk by boards, as well as the constant re-evaluation of the security budget allocation against rising risk areas, to ensure that every dollar spent on cybersecurity directly buys down those areas of greatest risk.

We are beginning to see some positive trends in this direction. Nearly every large public company board of directors today has made cyber-risk an element either of the audit committee, risk committee, or safety and security committee. The CISO is also getting visibility at the board level, in many cases presenting at least once if not multiple times a year. Meanwhile, shareholders are beginning to ask the tough questions during annual meetings about what cybersecurity measures are being implemented. 

In today's landscape, each of these conversations about cyber-risk at the board level must include a discussion about the Enterprise of Things given the materiality of risk. New devices, sensors, and other connected entities are constantly entering the enterprise. Attackers have proven their efficacy at using vulnerable devices as an entry point into the broader enterprise. New vulnerabilities and misconfigurations are discovered daily and therefore securing connected devices is not a one-time event, but rather a life cycle of continuous inspection and control. 

Those on the board of directors have a responsibility to ensure they have a thorough understanding of these risks on a continuous basis and that the company has the proper controls in place to address this critical area of risk. As our dependency on the Enterprise of Things grows, so does the associated risk. We have to remain diligent about executing an active defense for the Enterprise of Things.

Greg Clark served as CEO and member of the Board of Directors of Symantec Corporation between August 2016 and May 2019. Prior to joining Symantec, Clark was CEO of Blue Coat Systems, Inc. from 2011 until its acquisition by Symantec in August 2016. During this period, Clark ...
 
