Vulnerabilities / Threats

1/17/2018 02:00 PM
Lysa Myers
Commentary

Living with Risk: Where Organizations Fall Short

People tasked with protecting data are too often confused about what they need to do, even with a solid awareness of the threats they face.

I am the first to admit that I possess a robust naivety about the general public's appetite for risk. How can people agree that there is a risk and then exhibit behaviors that would seem to indicate that they find the risk irrelevant or that they are immune? I eagerly consume any report or survey that might shed some light on "how" and "why" someone could justify living with (or even exacerbating) security risks.

While the news always seems to be filled with examples of companies being woefully underprepared for breaches, my discussions with the corporate security practitioners who attend IT industry conferences show me an impressively nuanced understanding of risk. This leads me to assumptions about the factors that are causing the increasingly grotesque breaches we read about. But perhaps my preconceptions need adjusting.  

The 2017 Ernst & Young Global Information Security Survey, for example, is a resource that asks a lot of questions, with answers that I find fascinating and sometimes unexpected. This survey covers many aspects of security incident preparedness, and it represents the responses of almost 1,200 C-suite leaders as well as information security and IT executives/managers. These participants come from companies of all sizes, revenue levels, and industry sectors.

Unsurprisingly (to me), the surveyors found that budget, skill, and executive support are items of concern; who among us doesn't feel we could do a better job with fancier tools and unlimited funds? But the numbers in this case are less dire than I expected. Slightly more than half of respondents expressed these woes: 59% cite budget constraints and 58% lament a lack of skilled resources. I was even more surprised by how few people feel a lack of support from higher-ups; only 29% of respondents complain about a lack of executive awareness or support.

Despite these seemingly encouraging numbers, the survey results don't translate into concrete action from a security perspective. According to respondents, 56% said either that they have made changes to their business strategies to take account of the risks posed by cyber threats, or that they are about to review strategy in this context. Only a meager 4% of organizations are confident they have fully considered the information security implications of their current business strategies and that their risk landscape incorporates all relevant risks and threats. While this may speak to the complexity of the threatscape, it also indicates how many organizations feel completely overwhelmed by the task of addressing all the risks in their environments.

Low Grades on Data Protection, Vulnerability Identification
Most organizations don't seem to know where to start in creating proactive security postures: 35% of the survey's respondents describe their data protection policies as ad hoc or nonexistent. Consequently, it's understandable that 75% of respondents rate the maturity of their vulnerability identification as very low to moderate. 

Most organizations do at least have reactive processes in place for determining whether they've been attacked; only 12% have no breach detection program in place. But the most worrying finding of the Ernst & Young survey is that some organizations may be confused about their legal responsibilities: 17% of respondents say they would not notify all customers, even if a breach affected customer information, and 10% would not even notify customers known to be affected.

What I take from all this is that the people who are tasked with protecting data within organizations are often deeply confused or misinformed about what they need to be doing, even when there's adequate awareness of risk and support for correcting it. Rather than preparing in advance, most organizations are reacting to alarm bells only after the damage has been done. This bodes poorly for the industry when a diverse range of organizations are one unlucky day away from serious disruption.

Given the increasing complexity of technology, the persistent obscurity of digital security regulation, and the growing sophistication of threats, this problem is sure to increase. Rather than focusing on helping businesses assemble a collection of the fanciest widgets in all the land, we as security educators and professionals should instead focus on the everyday processes of security that are as banal and crucial as regular janitorial service. While counting machines and planning network structure may be less exciting than the blinky lights of advanced gadgetry, it would seem that this is precisely what would most benefit many organizations.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...