Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

6/22/2015 10:45 AM
Bill Brenner
Commentary

Security Surveys: Read With Caution

I'm skeptical of industry surveys that tell security practitioners what they already know. Don't state the obvious. Tell us the way forward.

Last week, a number of industry publications, including Dark Reading’s sister site Information Week, ran a story about the security risks of Big Data.

Specifically, the articles warned, Big Data systems are loaded with sensitive data and potential security exposures. They cited a SANS Institute survey of 206 companies. Of those polled, 43% of respondents were from companies with 10,000 or more employees and 53% said they held positions in their organization’s IT security operation.

Among the survey highlights:

  • 73% said they use Big Data applications "to store personal data on customers" 
  • 72% said they store such important business data as employee records (64%), intellectual property (59%), and payment card information (53%).

As for the security exposures themselves, the survey is vague: it issues a general warning about the risk of exposure but lists few specifics.

I’ve long trusted the SANS Institute. Its surveys are generally useful, and its Internet Storm Center site is required reading for anyone whose job is to stay abreast of security threats. Some great minds work for the organization. But I find this survey hard to swallow.

I could harp on the lack of actual news, because journalists have been chronicling the risks of Big Data for a couple of years now (for example, this CSO article from 2012). But I’ve also seen enough to know that repeating warnings is important, because companies often don’t get the message the first few times.

No, my problem is that this survey was sponsored by Cloudera, a supplier of Hadoop and other Big Data technologies. Hadoop is often cited as a major tool for managing Big Data securely, and it’s in Cloudera’s best interests to get behind a report saying Big Data security is precarious. For the company, this revelation carries the potential for sales across its product line.

I’ve been skeptical of vendor-sponsored security surveys for a long time. The bias is strong right out of the gate. If the SANS polling had produced a more muted threat scenario, I have to suspect the sponsors wouldn’t be happy. If everything is stable, why invest in more security technology?

Fortunately, the writer of the Information Week article didn’t stop with the raw survey results. He tied the “news” in with some perspective that came out of a panel discussion at the recent Hadoop Summit. The article quotes Anil Varma, VP of data and analytics for Schlumberger, who said imposing user access controls based on identity and roles is one way to improve big data security. Varma also said, "The next two to three years will be really important on that (data governance).” Due to worries over security, a lot of data still hasn't been brought in, he added.

For those running Big Data systems, there’s an expanding wealth of information out there to help assess the risks and take protective measures. I’m particularly interested in case studies where security practitioners outline how they’re using Big Data. Many such articles, including this one I wrote two years ago, focus on how Big Data is used as a security tool itself. A 2012 paper from the Cloud Security Alliance (CSA) on the “Top 10 Big Data Security and Privacy Challenges” is still useful for assessing the big picture.

And while I’m skeptical of vendor-sponsored studies measuring how big a threat Big Data users face, I do like when vendors focus instead on raw security tips, like this “Six Security Tips for Retailers in the Age of Big Data” article from IBM’s Security Intelligence site. Articles like these offer far better guidance than a survey that states the obvious. Don’t tell us what we already know. Tell us the way forward.

Writer. Father. Husband. Blogger. History buff. Heavy Metal fanatic. Rebellious Catholic. Frequent traveler. In his day job, Brenner writes about threats to Internet security as seen from his vantage point as Senior Security Tech Writer at Akamai Technologies research center. ...
Comments
BillB734,
User Rank: Apprentice
7/7/2015 | 6:15:01 AM
Re: Maybe I am biased, but I think this article is an example of non sequitur
I'm glad we agree that in general, security surveys are flawed. And while your defense of a vendor-sponsored survey is understood and appreciated, my position is unchanged. Put a vendor's name on it and the validity of the content immediately comes into question. The only way to remove the appearance of bias is to do these studies independent of vendor involvement, period. That other organizations are doing it this way doesn't make it ok.
StephenN798,
User Rank: Apprentice
6/22/2015 | 8:14:13 PM
Maybe I am biased, but I think this article is an example of non sequitur
Bill Brenner is a great guy and a consummate Chinese hot pot white T-shirt contest judge, but I think this post misses the mark.

Let's start with the danger of big data. Other than the fact my health care is Care First, that I had a Target credit card, that I am a veteran and that I was a government employee, I have no hard evidence there is any danger. But I will take an action to see if I can get some actual news :)

Second, let's go to your problem that the "survey was sponsored by Cloudera, a supplier of Hadoop and other Big Data technologies." Personally, I think it is great that Miller-Coors has a number of programs encouraging responsible drinking. Ruger's blue book on firearms safety seems quite rational to me. If Schaefer Pyrotechnics was to hire a company to examine the dangers of large fireworks even though no OSHA violations were discovered in the Vienna VA mishap, I would think that was good.

Next let's consider, "I've been skeptical of vendor-sponsored security surveys for a long time. The bias is strong right out of the gate. If the SANS polling had produced a more muted threat scenario, I have to suspect the sponsors wouldn't be happy. If everything is stable, why invest in more security technology?"

Third, you should be skeptical of all surveys. The title of your post is quite accurate. It is hard to craft objective questions, it is hard to target the right people and it is very hard to get past the law of small numbers. I don't know about you, but if I take my Mustang GT 5.0 in for an oil change and get a 50 question survey on my experience, I get irritated. I also get irritated if the link in the email says a "short survey" and I am not done by the third page. I already have an iPad, I didn't start the survey to be entered into a contest. I did it so the organization that is running the survey can acquire critical knowledge. In the case of the Big Data survey, employees from 206 companies answered the questions for the same reason.

Fourth, the sponsors "wouldn't be happy". That might be true. However, we have all seen surveys that have been "bought". It is really obvious, i.e. Which of the following explains why ACME products are vastly superior to the competition. I don't think that is what you are saying.

Fifth and finally, "Don't tell us what we already know. Tell us the way forward." Securing big data requires big money. You can't expect good results if the security guy/gal tells the senior business executives that they need to authorize an expense of a million dollars without some supporting evidence of why.
