Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/2/2018
02:00 PM
Carol Clark
Carol Clark
Commentary
Connect Directly
Facebook
Twitter
RSS
E-Mail vvv
50%
50%

The Cybersecurity 'Upside Down'

There is no stranger thing than being breached. Here are a few ways to avoid the horror.

Like many in cybersecurity, I'm more than a bit of a sci-fi fan and was easily reeled in by Netflix's Stranger Things. Stranger Things' Upside Down is an alternative reality where none of us wants to be. Landing in the Upside Down diverts circumstances in different, unintended directions and, in some cases, permanently changes lives.  

As breach headlines and the resulting fallout of these compromises continue to stream in, it's easy to imagine that the affected companies are now experiencing their own alternative, unintended reality. This wasn't the business plan they started the year with, but it is what will be managed for months, and likely a few years, to come. It's more than a bit… upside down. 

The Cybersecurity Upside Down is the alternate reality organizations enter once they have been materially compromised. It stops business, costs millions, and can have an incalculable impact on current and future customers. It's the inevitable, not-so-alternative reality for organizations if they don't take a strategic approach to security, especially as they transform their businesses. Small changes and more investments in new, disparate tools without a seismic shift in strategy will take you to the Cybersecurity Upside Down. 

What Does the Cybersecurity Upside Down Look Like?
In two words, "reactive chaos." You have no control of your environment and most of your efforts are diverted into understanding what happened, containing the damage, and remediating the issue. New projects, including cloud development and mergers and acquisitions, are significantly stalled. An organization new to the Cybersecurity Upside Down will quickly realize it is blind to what is happening on the network, unaware of where the weaknesses are and without the ability to quickly assess risk.

How Can You Stay Out of the Upside Down?
Do whatever you can to get visibility of your entire security posture and be able to measure it easily and, preferably, continuously so you can take proactive action. Many security organizations have started instrumenting for visibility at endpoints and networks. This is important and useful in monitoring, responding to, and, in some cases, being able to block potential exploits. But this is only a start.

Understanding and establishing true visibility for code and application security is a must for today's enterprises. Most companies are developing technology and using many different infrastructure providers and third-party components, and they're accelerating development practices due to competition and new methodologies such as DevOps. If organizations are not integrating security into the entire development lifecycle, they are exposed. Practices of manual pen testing twice per year, and/or siloed testing within development provide no visibility and painful remediation in an Upside Down event. 

Make sure to ask questions. Knowing how organizations in your supply chain are developing and protecting your products gives you a line of sight into issues and areas of potential risk. How easily can they update you on the security of their solutions? How will they handle remediation for the solutions? Do they continuously test? 

Systemically Avoid the Cybersecurity Upside Down
Weaknesses and vulnerabilities can be insidious. So, how can organizations root out the unintended consequences of how their company is operating?  Automate wherever possible to provide better visibility. Automating code and application security, for example, takes the burden off of siloed teams and developers. More-secure software is delivered faster, and automation enables a continuous view of your security posture.  

Embed the Culture of Security
Just one trip to the Upside Down will highlight quickly how well or how ineffectively DevOps, security, and development teams are working together. Embedding security champions within development teams and automating and orchestrating security are good examples of how to advance the culture of security in an organization. Threat modeling and red teaming are also good exercises to go through, as long as the results are embedded in the security posture going forward and improve overall operations. By integrating security early and often into the application development process, you can have the visibility and assurance that you need for the best defense against the Cybersecurity Upside Down. 

Related Content:

Carol Clark has over 17 years of experience in the software security industry. She is currently Vice President of Marketing at CYBRIC, where she is responsible for customer success programs. She has also held numerous leadership roles at RSA Security, including vice president ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15246
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v...
CVE-2020-15247
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permi...
CVE-2020-15248
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the ...
CVE-2020-15249
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG ...
CVE-2020-28927
PUBLISHED: 2020-11-23
There is a Stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.