
Vulnerabilities / Threats

6/22/2015 10:45 AM
Bill Brenner
Commentary

Security Surveys: Read With Caution

I'm skeptical of industry surveys that tell security practitioners what they already know. Don't state the obvious. Tell us the way forward.

Last week, a number of industry publications, including Dark Reading’s sister site Information Week, ran a story about the security risks of Big Data.

Specifically, the articles warned, Big Data systems are loaded with sensitive data and potential security exposures. They cited a SANS Institute survey of 206 companies. Of those polled, 43% of respondents were from companies with 10,000 or more employees and 53% said they held positions in their organization’s IT security operation.

Among the survey highlights:

  • 73% said they use Big Data applications "to store personal data on customers"
  • 72% said they store other important business data, such as employee records (64%), intellectual property (59%), and payment card information (53%).

As for the security exposures themselves, the articles offer little detail: there is a general warning about the risk of exposure, but few specifics are listed.

I’ve long trusted the SANS Institute. Its surveys are generally useful, and its Internet Storm Center site is required reading for anyone whose job is to stay abreast of security threats. Some great minds work for the organization. But I find this survey hard to swallow.

I could harp on the lack of actual news, because journalists have been chronicling the risks of Big Data for a couple of years now (for example, this CSO article from 2012). But I’ve also seen enough to know that repeating warnings is important, because companies often don’t get the message the first few times.

No, my problem is that this survey was sponsored by Cloudera, a supplier of Hadoop and other Big Data technologies. Hadoop is often cited as a major tool for managing Big Data securely, and it’s in Cloudera’s best interests to get behind a report saying Big Data security is precarious. For the company, this revelation carries the potential for sales across its product line.

I’ve been skeptical of vendor-sponsored security surveys for a long time. The bias is strong right out of the gate. If the SANS polling had produced a more muted threat scenario, I have to suspect the sponsors wouldn’t be happy. If everything is stable, why invest in more security technology?

Fortunately, the writer of the Information Week article didn’t stop with the raw survey results. He tied the “news” in with some perspective that came out of a panel discussion at the recent Hadoop Summit. The article quotes Anil Varma, VP of data and analytics for Schlumberger, who said imposing user access controls based on identity and roles is one way to improve big data security. Varma also said, "The next two to three years will be really important on that (data governance).” Due to worries over security, a lot of data still hasn't been brought in, he added.

For those running Big Data systems, there’s an expanding wealth of information out there to help assess the risks and take protective measures. I’m particularly interested in case studies where security practitioners outline how they’re using Big Data. Many such articles, including this one I wrote two years ago, focus on how Big Data is used as a security tool itself. A 2012 paper from the Cloud Security Alliance (CSA) on the “Top 10 Big Data Security and Privacy Challenges” is still useful for assessing the big picture.

And while I’m skeptical of vendor-sponsored studies measuring how big a threat Big Data users face, I do like when vendors focus instead on raw security tips, like this “Six Security Tips for Retailers in the Age of Big Data” article from IBM’s Security Intelligence site. Articles like these offer far better guidance than a survey that states the obvious. Don’t tell us what we already know. Tell us the way forward.

Writer. Father. Husband. Blogger. History buff. Heavy Metal fanatic. Rebellious Catholic. Frequent traveler. In his day job, Brenner writes about threats to Internet security as seen from his vantage point as Senior Security Tech Writer at Akamai Technologies research center.
Comments
BillB734, User Rank: Apprentice
7/7/2015 | 6:15:01 AM
Re: Maybe I am biased, but I think this article is an example of non sequitur
I'm glad we agree that in general, security surveys are flawed. And while your defense of a vendor-sponsored survey is understood and appreciated, my position is unchanged. Put a vendor's name on it and the validity of the content immediately comes into question. The only way to remove the appearance of bias is to do these studies independent of vendor involvement, period. That other organizations are doing it this way doesn't make it ok.
StephenN798, User Rank: Apprentice
6/22/2015 | 8:14:13 PM
Maybe I am biased, but I think this article is an example of non sequitur
Bill Brenner is a great guy and a consummate Chinese hot pot white T-shirt contest judge, but I think this post misses the mark.

Let's start with the danger of big data. Other than the fact my health care is Care First, that I had a Target credit card, that I am a veteran and that I was a government employee, I have no hard evidence there is any danger. But I will take an action to see if I can get some actual news :)

Second, let's go to your problem that the "survey was sponsored by Cloudera, a supplier of Hadoop and other Big Data technologies." Personally, I think it is great that Miller-Coors has a number of programs encouraging responsible drinking. Ruger's blue book on firearms safety seems quite rational to me. If Schaefer Pyrotechnics was to hire a company to examine the dangers of large fireworks even though no OSHA violations were discovered in the Vienna VA mishap, I would think that was good.

Next let's consider, "I've been skeptical of vendor-sponsored security surveys for a long time. The bias is strong right out of the gate. If the SANS polling had produced a more muted threat scenario, I have to suspect the sponsors wouldn't be happy. If everything is stable, why invest in more security technology?"

Third, you should be skeptical of all surveys. The title of your post is quite accurate. It is hard to craft objective questions, it is hard to target the right people and it is very hard to get past the law of small numbers. I don't know about you, but if I take my Mustang GT 5.0 in for an oil change and get a 50 question survey on my experience, I get irritated. I also get irritated if the link in the email says a "short survey" and I am not done by the third page. I already have an iPad, I didn't start the survey to be entered into a contest. I did it so the organization that is running the survey can acquire critical knowledge. In the case of the Big Data survey, employees from 206 companies answered the questions for the same reason.

Fourth, the sponsors "wouldn't be happy". That might be true. However, we have all seen surveys that have been "bought". It is really obvious, i.e. Which of the following explains why ACME products are vastly superior to the competition. I don't think that is what you are saying.

Fifth and finally, "Don't tell us what we already know. Tell us the way forward." Securing big data requires big money. You can't expect good results if the security guy/gal tells the senior business executives that they need to authorize an expense of a million dollars without some supporting evidence of why.

 