
Vulnerabilities / Threats

5/19/2020
10:00 AM
Jim Ivers
Commentary
Cybersecurity Extends Far Beyond Security Teams & Everyone Plays a Part

Security isn't about tools or technology; it's about establishing a broad, fundamental awareness and sense of responsibility among all employees.

The COVID-19 pandemic has provided everyone a fresh lesson that security truly is everyone's job.

As governments began issuing stay-at-home orders and people adapted to working remotely, suddenly, Zoom was on everyone's lips. The platform became a staple of both working from home and keeping in touch with friends and family. Predictably, researchers started discovering security and privacy vulnerabilities, and soon "Zoombombing" entered the conversation. While Zoom worked to secure the product, its users — many neophytes to video calls — had to figure out how to configure their Zoom instances to prevent hackers from hijacking calls.

Traditionally, the concept that "security is everyone's job" has been an essential part of education and awareness campaigns against phishing and other email-related attacks. And rightfully so, as these attacks are often the first step for attackers working their way to their ultimate target. But the Zoom example shows that awareness and diligence are important at every level. Further, in many organizations, collaboration tools such as Slack are replacing email as the preferred method to share content and data. In organizations that impose size limits on email attachments, for example, employees can freely pass around files 10 times that size in Slack sessions.

A former CISO of a prominent intelligence agency once told me, "The most dangerous cybersecurity vulnerability is the carbon-based life-form." Attackers rarely employ a frontal assault on technology to penetrate protected networks. People provide a considerably simpler and often faster path by which to initiate an attack. To attackers, technologies change and organizations adapt to new security vulnerabilities, but humans represent a consistent vulnerability they can exploit.

Thankfully, measures are being taken to safeguard what employees produce against human error. Take developers as an example. Development teams build the software that powers businesses all over the world; they bridge the gap between people and machines. But what is being done to keep flaws out of the code that drives our power grid, our loved ones' pacemakers, or the software supporting national elections, where a known vulnerability gives attackers a way to hijack the system?

There are plugins for the developer's integrated development environment (IDE) that scan for known vulnerabilities as developers write code. When a vulnerability is identified, the developer is notified immediately so the issue can be resolved before the code is checked in. Such tools also educate: developers see the errors they make repeatedly and learn to avoid them in the first place.
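To make the "catch it before check-in" idea concrete, here is a small dependency check of the kind a pre-commit hook or IDE plugin performs. This is an added illustration, not code from the article or from any vendor's product: it parses a pinned requirements manifest, compares each pinned version against a constructed list of advisories (the package names and "fixed in" versions below are invented for the example, not real CVEs), treats anything it cannot pin down as a finding so that it fails closed, and returns a non-zero exit code that would block the commit.

```python
"""Illustrative pre-commit dependency check: flag pinned packages that fall
below the first fixed version in an advisory list. Example code; the advisory
data and package names are constructed for illustration, not real CVEs."""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str   # first version that contains the fix
    summary: str


# Constructed advisory data (hypothetical packages and issues).
ADVISORIES = [
    Advisory("examplelib", "2.4.1", "hypothetical unsafe deserialization"),
    Advisory("fakeyaml", "5.3.0", "hypothetical arbitrary object construction"),
]

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def parse_version(version: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so tuple comparison orders versions."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_requirements(text: str):
    """Return ({name: version} for exact pins, [lines that are not exact pins]).

    Only name==version pins are checked; ranges or bare names cannot be
    evaluated against an advisory, so they are reported rather than ignored."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
        else:
            unpinned.append(line)
    return pins, unpinned


def find_vulnerable(pins: dict, advisories=ADVISORIES):
    """Return (package, installed, fixed_in, summary) for every pin below the fix."""
    findings = []
    for adv in advisories:
        installed = pins.get(adv.package.lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.package, installed, adv.fixed_in, adv.summary))
    return findings


# Constructed manifest for the example.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
examplelib==2.3.9   # below the fixed version -> flagged
fakeyaml==5.3.0     # at the fixed version -> clean
leftpad>=1.0        # not an exact pin -> cannot be checked, fail closed
"""


def check(text: str = SAMPLE_REQUIREMENTS):
    """Return (exit_code, findings, unpinned). Exit code 1 blocks the commit."""
    pins, unpinned = parse_requirements(text)
    findings = find_vulnerable(pins)
    exit_code = 1 if (findings or unpinned) else 0
    return exit_code, findings, unpinned


if __name__ == "__main__":
    code, findings, unpinned = check()
    for pkg, have, fixed, why in findings:
        print(f"{pkg}=={have}: {why}; upgrade to >= {fixed}")
    for line in unpinned:
        print(f"cannot check non-exact requirement: {line}")
    sys.exit(code)
```

Wired into `.git/hooks/pre-commit` as `python check_deps.py` (a hypothetical file name), the hook refuses the commit whenever a pinned dependency is below an advisory's fixed version or a requirement cannot be pinned down, which is the same feedback loop the IDE plugins described above provide while the developer is still typing.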

Employees must learn that very few hacks occur in a straight line. Hacks often start with small, seemingly inconsequential steps that give attackers a toehold in some organizational system. But that toehold allows the hack to begin in earnest, as the attackers can then pivot within the network to get to their ultimate prize. History has numerous examples of high-profile attacks that originated with what appeared to be trivial breaches. The keys to the second door may be directly behind the door you left unlocked.

Prioritizing security doesn't come easily for someone whose job does not involve sensitive data or systems. But that attitude changes when workers realize they do hold the missing pieces that enable attackers to penetrate key organizational systems. After education, this is the next key step in creating a security-literate workforce: making sure employees understand that any data or credentials they expose, regardless of how inconsequential they seem, can become a toehold for attackers to pivot toward prizes of much greater value.

For this reason, the security strategy of your vendors is also very much your business. Ask questions so you're able to understand where and how security mechanisms are in place. Software supply chain attacks are on the rise, so be certain that any vendors you're bringing into your business have a robust security stance. It could make all the difference.

This awareness must make the transition to the remote workplace. Security awareness has become part of the physical office culture, as many offices have visual reminders and posters to reinforce the messages that employees get in training. The very act of working in an office is a constant reminder of security-related responsibilities. Badging in, sitting in an office chair, and logging in to the organizational network all imbue a sense of responsibility that may not be as prominent when employees are working from the comfortable confines of home in sweatpants.

Working remotely can also lead employees to drop their guard regarding data protection. The discipline required to keep work- and home-related data and devices segregated becomes harder to maintain when people are working from home, with constant, easy access to personal devices. Organizations must remind employees of their responsibilities for security as they work through this phase of the pandemic.

The bottom line is that security is not about tools or technology; it is about establishing a broad, fundamental awareness and sense of responsibility among all employees. Building this awareness creates a workforce that is security literate regardless of circumstances. Education is a cornerstone of creating security awareness, and many organizations have done an admirable job in helping employees learn how to identify security threats such as phishing attacks. But that awareness has to get to a more personal level to be truly effective.

Jim Ivers is a vice president for the Software Integrity Group at Synopsys. Jim joins us from Cigital, where he was the chief marketing officer and led all aspects of Cigital's global marketing strategies, branding initiatives, and programs as well as product management and ...
 
