Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2018
02:30 PM
Joel Fulton
Joel Fulton
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Make Security Boring Again

In the public sector and feeling overwhelmed? Focus on the basics, as mind numbing as that may sound.

Cybersecurity is a fast-moving target, particularly in the public sector. With constantly changing mandates and compliance requirements, it is hard to keep up. Since the Office of Personnel Management compromise in 2015, government security leaders have been in overdrive trying to strengthen their organizations' security measures to stave off the next major breach. This focus on cybersecurity in the public sector has also made the "government needs to be more like industry" cry louder than ever. Unfortunately, it is also more wrong than ever.

I know this because I routinely hear from and ask questions of security leaders from both commercial and public sector organizations, and the top problems are categorically identical: talent recruitment and retention, skills gaps, budget challenges, and a constant stream of new threats for which to look out.

The hard truth is, despite 30-day cyber sprints, creating a promising Continuous Diagnostics and Mitigation Program, acquiring the latest tech and checking off every other "best practices" box, we are playing catch-up with our adversaries. And we will continue down that path until we change tack.

What is the solution I offer to end your adversarial woes? First, discard that question. Your route to success: Go back to basics and roll up your sleeves.

You Can't Protect What You Can't See
Past midnight, a beat cop comes upon a chief information security officer (CISO) on his hands and knees under a bright street lamp. The CISO is searching the road for dropped keys. After 30 fruitless minutes of assisting with the search, the impatient officer asks, "Where did you lose them?"

"Over there," the CISO says, pointing at a darkened alley, "but the light's much better here."

I won't win any plaudits for this pearl of wisdom: You cannot secure that which you cannot see. Nor for this: What you need to secure may not be where you're looking. Before you nod in obvious agreement, check in with your security operations centers. Do they lack visibility across the IT, network, cloud, and security infrastructure stacks? To paraphrase Donald Rumsfeld, how would they know their unknown unknowns?

"But," you answer, "I have visibility and monitoring tools… a dozen of them!" Do those tools give you a holistic view of your infrastructure? Have you evaluated both gaps and overlaps or duplicates? Is your infrastructure complete but fragmented?

By the time you piece together that puzzle, has your environment changed? In my experience, dealing with a tangled mess of wires in a data center is more appealing than facing the answer to those questions. I've been there.

Identity Matters
How do you begin to sort out your data? The most critical step is starting with a thorough risk assessment of your practices by asking the boring but right questions. For starters:

  • Where is your data?
  • Who and what have access to that data?
  • How complete is your inventory?
  • How thorough is your configuration management database (CMDB)? How up to date is it?
  • Are you seeing what is necessary or simply what is convenient?

Also, determine what success looks like for your agency. Is it enhancing the way you collect and use data to guard against inbound risks? What level of breach or compromise are you comfortable with? This last question is one I find most people hesitant to address but perhaps is the most significant.

This work is tedious. It looks less like vendor dinners or rolling out a new tool and more like listening to your team, comparing notes with other CISOs, and reading, learning, doing. But I promise it will be worth the work, and even more, now is the best time to be conducting this effort. Your success is in the excellent delivery of monotonous tasks.

Artificial Intelligence and Machine Learning Can Help
Once your agency has determined its goals and figured out what you can see and need to protect, it is time to put your talent into action, define your tactics, and finally line up supporting technology.

Remember that CMDB? Now that the grunt work is complete, your confidence in it should be higher than ever and well placed. The law of entropy assures us that the universe tends toward chaos. A massive expenditure of energy is needed to halt and reverse that natural degradation. That brute force and total commitment to the rudiments and fundamentals will buy you breathing room to deploy scripting and automation to hold the new line.

Now you have a path to those shiny artificial intelligence (AI) and machine learning (ML) tools you've been eyeing. When they are properly deployed, relying on the solid foundation established by your earlier diligence, you may find those tools will even help alleviate the stress on your overworked security team. A refreshed and re-engaged security team focusing on higher-order questions and problems is a game changer you'll not soon forget.

But AI and ML are only as good as the data you can provide. That's why the tedious stuff is imperative — so the fun stuff can be even more fun.

Act Now 
I know there are a lot of people in both the public and private sectors who will read this and say "Obviously." But I also know there are more who will get nervous thinking about how much mind-numbing work I just prescribed. I would remind both of the truism: Well done is better than well said.

Because again: I've been there. In fact, I'm still there, because the nature of security is never-ending and there is always more to be done.

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Joel Fulton, Ph.D., is Chief Information Security Officer for Splunk, leading the Splunk Global Security teams, where he also supports product development as well as customer and partner relationships. Prior to joining Splunk, Joel held security leadership positions at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...