Dark Reading
Vulnerabilities / Threats
Commentary
5/19/2020 10:00 AM
Jim Ivers
Cybersecurity Extends Far Beyond Security Teams & Everyone Plays a Part

Security isn't about tools or technology; it's about establishing a broad, fundamental awareness and sense of responsibility among all employees.

The COVID-19 pandemic has provided everyone a fresh lesson that security truly is everyone's job.

As governments began issuing stay-at-home orders and people adapted to working remotely, suddenly, Zoom was on everyone's lips. The platform became a staple of both working from home and keeping in touch with friends and family. Predictably, researchers started discovering security and privacy vulnerabilities, and soon "Zoombombing" entered the conversation. While Zoom worked to secure the product, its users — many neophytes to video calls — had to figure out how to configure their Zoom instances to prevent hackers from hijacking calls.

Traditionally, the concept that "security is everyone's job" has been an essential part of education and awareness campaigns against phishing and other email-related attacks. And rightfully so, as these attacks are often the first step for attackers working their way to their ultimate target. But the Zoom example shows that awareness and diligence are important at every level. Further, in many organizations, collaboration tools such as Slack are replacing email as the preferred method to share content and data. In organizations that impose size limits on email attachments, for example, employees can freely pass around files 10 times that size in Slack sessions.

A former CISO of a prominent intelligence agency once told me, "The most dangerous cybersecurity vulnerability is the carbon-based life-form." Attackers rarely employ a frontal assault on technology to penetrate protected networks. People provide a considerably simpler and often faster path by which to initiate an attack. To attackers, technologies change and organizations adapt to new security vulnerabilities, but humans represent a consistent vulnerability they can exploit.

Thankfully, measures are being taken to safeguard deliverables against human error. Let's take developers as an example. Development teams build the software that powers businesses all over the world. They bridge the gap between man and machine. But what's being done to ensure that known vulnerabilities aren't making their way into the code that drives our power grid, our loved ones' pacemakers, or the software supporting national elections, where attackers could exploit them to hijack those systems?

There are plugins available for the developer's integrated development environment that scan for known vulnerabilities as developers code. Once a vulnerability is identified, the developer is notified immediately so that the issue can be resolved before the code is checked in. Such tools also serve an educational role: developers see the errors they make repeatedly and learn to avoid them in the first place.
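The "catch it before check-in" idea above can be illustrated with a small pre-commit dependency check. This is an added example, not code from the article or from any vendor's IDE plugin; every package name, version and advisory identifier in it is constructed for the illustration (a real tool would pull advisories from a vulnerability feed such as the NVD).

```python
"""Pre-commit dependency check: flag pinned packages that fall inside a
known-vulnerable version range before the code is committed.
All package names, versions and advisory ids below are constructed."""
from dataclasses import dataclass
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically,
    not as strings ('1.10' must sort after '1.9')."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str            # constructed id, not a real CVE number
    introduced: Version         # first affected version (inclusive)
    fixed: Optional[Version]    # first patched version (exclusive); None = no fix yet
    summary: str

    def affects(self, version: Version) -> bool:
        if version < self.introduced:
            return False
        return self.fixed is None or version < self.fixed


# Constructed advisory data standing in for a real vulnerability feed.
ADVISORIES: List[Advisory] = [
    Advisory("examplehttp", "ADV-CONSTRUCTED-001", (2, 0, 0), (2, 3, 1),
             "request smuggling in chunked decoder"),
    Advisory("exampleyaml", "ADV-CONSTRUCTED-002", (0, 0, 0), (5, 4, 0),
             "unsafe load allows arbitrary object construction"),
    Advisory("examplejwt", "ADV-CONSTRUCTED-003", (1, 0, 0), None,
             "algorithm confusion; no fixed release yet"),
]

# Only exact pins ('name==1.2.3') can be evaluated against a range.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_manifest(text: str) -> Tuple[Dict[str, Version], List[str]]:
    """Read 'name==version' pins from a requirements-style file.
    Unpinned lines are returned separately: a floating version cannot
    be checked, and a reviewer should see that rather than a false 'clean'."""
    pinned: Dict[str, Version] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = parse_version(m.group(2))
        else:
            unpinned.append(line)
    return pinned, unpinned


def check_manifest(text: str, advisories: List[Advisory] = ADVISORIES):
    """Return (findings, unpinned). Each finding names the package, the
    advisory that applies and the version a developer should move to."""
    pinned, unpinned = parse_manifest(text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package)
        if version is not None and adv.affects(version):
            findings.append({
                "package": adv.package,
                "advisory": adv.advisory_id,
                "version": ".".join(map(str, version)),
                "fix": ".".join(map(str, adv.fixed)) if adv.fixed else None,
                "summary": adv.summary,
            })
    return findings, unpinned


# Constructed requirements file used as sample input.
SAMPLE_MANIFEST = """\
examplehttp==2.1.4      # inside the affected range, fixed in 2.3.1
exampleyaml==5.4.0      # first patched release, not affected
examplejwt==1.2.0       # affected, no fix available
examplelog>=3.0         # unpinned: cannot be evaluated
"""


def main() -> int:
    """Exit non-zero when a finding exists, so a pre-commit hook blocks the commit."""
    findings, unpinned = check_manifest(SAMPLE_MANIFEST)
    for f in findings:
        fix = f"upgrade to {f['fix']}" if f["fix"] else "no fixed release; mitigate or replace"
        print(f"BLOCK {f['package']}=={f['version']}: {f['advisory']} ({f['summary']}); {fix}")
    for line in unpinned:
        print(f"WARN  cannot evaluate unpinned requirement: {line}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as a pre-commit hook, the non-zero exit stops the commit while the developer is still in context, which is the same feedback loop the IDE plugins give. The unpinned case is reported rather than silently passed, because a check that says "clean" about something it never examined is worse than none.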

Employees must learn that very few hacks occur in a straight line. Hacks often start with small, seemingly inconsequential steps that give attackers a toehold in some organizational system. But that toehold allows the hack to begin in earnest, as the attackers can then pivot within the network to get to their ultimate prize. History has numerous examples of high-profile attacks that originated with what appeared to be trivial breaches. The keys to the second door may be directly behind the door you left unlocked.

Prioritizing security doesn't come easily for someone whose job does not involve sensitive data or systems. But that attitude changes when workers realize they do hold the missing pieces that enable attackers to penetrate key organizational systems. After education, this is the next key step in creating a security-literate workforce: making sure employees understand that any data or credentials they expose, regardless of how inconsequential they seem, can become a toehold for attackers to pivot toward prizes of much greater value.

For this reason, the security strategy of your vendors is also very much your business. Ask questions so you're able to understand where and how security mechanisms are in place. Software supply chain attacks are on the rise, so be certain that any vendors you're bringing into your business have a robust security stance. It could make all the difference.

This awareness must make the transition to the remote workplace. Security awareness has become part of the physical office culture, as many offices have visual reminders and posters to reinforce the messages that employees get in training. The very act of working in an office is a constant reminder of security-related responsibilities. Badging in, sitting in an office chair, and logging in to the organizational network all imbue a sense of responsibility that may not be as prominent when employees are working from the comfortable confines of home in sweatpants.

Working remotely can also lead employees to drop their guard regarding data protection. The discipline required to keep work- and home-related data and devices segregated becomes harder to maintain when people are working from home, with constant, easy access to personal devices. Organizations must remind employees of their responsibilities for security as they work through this phase of the pandemic.

The bottom line is that security is not about tools or technology; it is about establishing a broad, fundamental awareness and sense of responsibility among all employees. Building this awareness creates a workforce that is security literate regardless of circumstances. Education is a cornerstone of creating security awareness, and many organizations have done an admirable job in helping employees learn how to identify security threats such as phishing attacks. But that awareness has to get to a more personal level to be truly effective.


Jim Ivers is a vice president for the Software Integrity Group at Synopsys. Jim joins us from Cigital, where he was the chief marketing officer and led all aspects of Cigital's global marketing strategies, branding initiatives, and programs as well as product management and ...