Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2019
10:30 AM
Grant Wernick
Grant Wernick
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

We Need More Transparency in Cybersecurity

Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward.

In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple.

It was the only time I received a D grade during my college tenure.

The professor, a renowned political science teacher, told me that although the logical structure of the essay was sound and it was overall well written, cyberterrorism was not a threat. Nor would it be in the near future, therefore making the position I took to be based upon a flawed premise and not worthy of serious inquiry. He wanted assessments on weapons of mass destruction, chemical or biological warfare, political instability, and such.

It was an unintended lesson that those of us who had not grown up riding the early waves of the Internet did not fully understand about the looming danger of a world that would become increasingly enveloped by software.

Though this was many years ago, the essential problem still exists today. From the boardroom to the Senate chamber, there is a fundamental and widespread underappreciation of the real-world, global-scale consequences of the technology-powered Pandora's box we've opened in becoming a digital society.

The beginning stages of the Internet were based on the idealism of trust among the digital pioneers that were both mapping and creating the new frontiers of a world where information would be shared openly and freely. This gave rise to a societal revolution where everyone could have equal access to the totality of human knowledge.

Yet, as with nearly every new exploratory venture throughout history, there came those who look to take advantage and exploit vulnerabilities in newly charted territories and societal structures. Then came those who must defend against it.

In the Shadows
Cybersecurity was born in the shadows by three-letter acronym agencies — NSA, CIA, DoD, etc. —  as an effort to combat a new type of villain who could produce massive damage with minimal risk. A new era of battles were fought on the digital theater with an enemy into whose eyes you could not see; instead, you would catch a glimpse of the enemy through the zeros and ones of the virtual world.

For many years, cybersecurity professionals embraced the clandestine nature of their work, living in tribal communities that shunned outsiders. The IT security groups existed in a separation of church and state framework, removed from the business side of the companies they protected. This environment of being "in the know" and harboring threat intel, remaining secretive, following spy-craft methodologies, and keeping the techniques of information security in the shadows influenced the culture of the cybersecurity professional from the early era. 

As a result, security has become a stand-alone part of the corporate IT organization. Teams became self-siloed and disassociated from the larger organizational objectives they are tasked with protecting, keeping the business side of organizations at arm’s length. Without an understanding between the various departments that create a business, and a holistic security strategy, many companies defaulted to rely solely on regulatory checkboxes for the sake of maintaining the compliance status quo versus placing focus on proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world.

Operating a business becomes more complex daily, as organizations move to hybrid clouds and multicloud platforms, distributing information broadly beyond the network perimeter by nontechnical employees that neither have the time nor understanding to consider the security outcomes. At the same time, threats are becoming increasingly sophisticated and organized. While this ought to be a call to action to elevate the role of security to have a seat at the executive table, there still exists a mentality that security is a compliance requirement rather than a need-to-have. And from the security side, there is often the notion that "no one could possibly understand what I do, so why bother telling them about it?"

Nearly every business today is now a technology business. The problem is that we've developed a culture that doesn't recognize the necessity to have open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.

In a world where the click of an email link can jeopardize an entire network, everyone is responsible for maintaining a secure environment.

Transparency and open lines of communication between all sides of the house — security, DevOps, and business units from financing to marketing to HR — will be the only way to successfully move forward to protect against the never-ending evolution of the threat landscape.

The way forward starts with breaking down the communication barriers between data and people. Anyone in an organization should be able to speak directly with their data and ask questions of it without needing the technical expertise to write data queries. And the data should be able to respond in real time, providing live answers. 

Data transparency is the first step. Once this is achieved, it becomes far easier to create cultural transparency among the separate lines of business because there is a shared language across the organization.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Grant Wernick is the co-founder & CEO of Insight Engines. Insight Engines is a leader in natural language search technologies. The company builds products to augment human intelligence with machine intelligence via their patented NLP and ML technology. Insight Engine's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Ransomware Surge & Living-Off-the-Land Tactics Remain Big Threats
Jai Vijayan, Contributing Writer,  11/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19227
PUBLISHED: 2019-11-22
In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.
CVE-2019-10203
PUBLISHED: 2019-11-22
PowerDNS Authoritative daemon , all versions pdns 4.1.x before pdns 4.1.10, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS.
CVE-2019-10206
PUBLISHED: 2019-11-22
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2018-10854
PUBLISHED: 2019-11-22
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.