Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/1/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
0%
100%

KISS, Cyber & the Humble but Nourishing Chickpea

The combination of simple, straightforward, and methodical ingredients are the keys to developing a balanced and well-rounded security program.

In recent years, hummus has become a trendy food. Once considered a mere dip-like side dish in many western countries, hummus has recently found a seat at the table as a serious and tasty main course option. It raises the question: What is it about hummus that has made it a star?

In my opinion, what sets hummus apart from other foods is its uncanny ability to be both simple and fulfilling at the same time. Hummus is humble, yet nourishing. It is plain, yet flavorful. It is inexpensive, yet filling.

To fully understand the magic of hummus, we need to break it down to its essence. While there are many different hummus recipes and varieties, the core ingredient of hummus is chickpeas — plain old garbanzo beans. Chickpeas have no need to get fancy or showy; they simply get the job done, time after time, with minimal cost and waste.

So, what does my obsession with hummus have to do with information security? More than you might initially be inclined to believe. Allow me to explain:

1. KISS: The KISS principle (Keep it simple, stupid!) states that most systems work best if they are kept simple rather than complicated. More often than not, there is a simple, straightforward way to solve a problem. If you design a solution that is cumbersome and overcomplicated, chances are you don't understand the problem well enough to solve it elegantly. There is almost never a need to get fancy. That merely creates an opportunity to introduce error unnecessarily.

2. Slow and steady wins the race: It may be tempting to chase after the item "du jour," or the latest fad in security, but during the course of my career, I've watched the quick rise and hurried fall of one trendy topic after another. At the end of the day, security teams need to remain focused on improving security posture and reducing risk. That involves applying people, process, and technology strategically over the long term and solving in a repeatable manner over time. Getting distracted by bright, shiny objects doesn't help in the least.

3. Minimize cost: It's always fascinated me how the default response to solving a problem almost always seems to be to throw more money at it. Obviously, proper funding is required to ensure that a security organization can accomplish its goals and that security challenges get addressed at scale. But what about when funding isn't the problem? Or, to ask the question differently, what about situations where problems can be solved by leveraging or optimizing existing investments? Looking to be frugal and resourceful, when appropriate, can be surprisingly effective. It's not always necessary to make large investments to get the job done. In fact, doing so can sometimes have exactly the opposite effect. How so? In the near term, it can divert resources and attention away from important work. In the longer term, it can introduce additional levels of complexity that will draw scarce resources away from other tasks.

4. Minimize waste: I've lost count of the number of times in my career that I've seen complex, expensive systems procured, deployed, operated, maintained, replaced, and then decommissioned. The cost of running through this process can grow quite large. Granted, risk changes, technology matures, and priorities adapt over time. But even taking all this into account, some technologies are discarded simply because they were procured three or four years ago. Does the age of a solution affect whether or not it can address a modern challenge? In some cases, perhaps. But instead of considering a technology's age, what if we considered its relevance to the goals and priorities we are looking to address? From this perspective, you might want to hold on to some of what you have before giving it the boot.

5. Cover the essential nutrients: A security program has many different limbs to feed, nurture, and sustain. It's important to take care of and provide for all of these essential elements in accordance with their needs. Focusing too much on one particular aspect of security comes at the expense of the others. A simple, straightforward, and methodical way to nourish all parts of the security program produces a far more balanced and well-rounded approach. There is nothing to be gained by focusing on a small number of elements, and in fact, there is quite a bit to be lost. When important security functions are neglected, the organization's security posture suffers.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10374
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
CVE-2020-11104
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...
CVE-2020-11105
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same add...
CVE-2020-11106
PUBLISHED: 2020-03-30
An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a pa...
CVE-2020-5284
PUBLISHED: 2020-03-30
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your applicati...