Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/1/2019
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
0%
100%

KISS, Cyber & the Humble but Nourishing Chickpea

The combination of simple, straightforward, and methodical ingredients are the keys to developing a balanced and well-rounded security program.

In recent years, hummus has become a trendy food. Once considered a mere dip-like side dish in many western countries, hummus has recently found a seat at the table as a serious and tasty main course option. It raises the question: What is it about hummus that has made it a star?

In my opinion, what sets hummus apart from other foods is its uncanny ability to be both simple and fulfilling at the same time. Hummus is humble, yet nourishing. It is plain, yet flavorful. It is inexpensive, yet filling.

To fully understand the magic of hummus, we need to break it down to its essence. While there are many different hummus recipes and varieties, the core ingredient of hummus is chickpeas — plain old garbanzo beans. Chickpeas have no need to get fancy or showy; they simply get the job done, time after time, with minimal cost and waste.

So, what does my obsession with hummus have to do with information security? More than you might initially be inclined to believe. Allow me to explain:

1. KISS: The KISS principle (Keep it simple, stupid!) states that most systems work best if they are kept simple rather than complicated. More often than not, there is a simple, straightforward way to solve a problem. If you design a solution that is cumbersome and overcomplicated, chances are you don't understand the problem well enough to solve it elegantly. There is almost never a need to get fancy. That merely creates an opportunity to introduce error unnecessarily.

2. Slow and steady wins the race: It may be tempting to chase after the item "du jour," or the latest fad in security, but during the course of my career, I've watched the quick rise and hurried fall of one trendy topic after another. At the end of the day, security teams need to remain focused on improving security posture and reducing risk. That involves applying people, process, and technology strategically over the long term and solving in a repeatable manner over time. Getting distracted by bright, shiny objects doesn't help in the least.

3. Minimize cost: It's always fascinated me how the default response to solving a problem almost always seems to be to throw more money at it. Obviously, proper funding is required to ensure that a security organization can accomplish its goals and that security challenges get addressed at scale. But what about when funding isn't the problem? Or, to ask the question differently, what about situations where problems can be solved by leveraging or optimizing existing investments? Looking to be frugal and resourceful, when appropriate, can be surprisingly effective. It's not always necessary to make large investments to get the job done. In fact, doing so can sometimes have exactly the opposite effect. How so? In the near term, it can divert resources and attention away from important work. In the longer term, it can introduce additional levels of complexity that will draw scarce resources away from other tasks.

4. Minimize waste: I've lost count of the number of times in my career that I've seen complex, expensive systems procured, deployed, operated, maintained, replaced, and then decommissioned. The cost of running through this process can grow quite large. Granted, risk changes, technology matures, and priorities adapt over time. But even taking all this into account, some technologies are discarded simply because they were procured three or four years ago. Does the age of a solution affect whether or not it can address a modern challenge? In some cases, perhaps. But instead of considering a technology's age, what if we considered its relevance to the goals and priorities we are looking to address? From this perspective, you might want to hold on to some of what you have before giving it the boot.

5. Cover the essential nutrients: A security program has many different limbs to feed, nurture, and sustain. It's important to take care of and provide for all of these essential elements in accordance with their needs. Focusing too much on one particular aspect of security comes at the expense of the others. A simple, straightforward, and methodical way to nourish all parts of the security program produces a far more balanced and well-rounded approach. There is nothing to be gained by focusing on a small number of elements, and in fact, there is quite a bit to be lost. When important security functions are neglected, the organization's security posture suffers.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.