Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/8/2019
10:30 AM
Grant Wernick
Grant Wernick
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

We Need More Transparency in Cybersecurity

Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward.

In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple.

It was the only time I received a D grade during my college tenure.

The professor, a renowned political science teacher, told me that although the logical structure of the essay was sound and it was overall well written, cyberterrorism was not a threat. Nor would it be in the near future, therefore making the position I took to be based upon a flawed premise and not worthy of serious inquiry. He wanted assessments on weapons of mass destruction, chemical or biological warfare, political instability, and such.

It was an unintended lesson that those of us who had not grown up riding the early waves of the Internet did not fully understand about the looming danger of a world that would become increasingly enveloped by software.

Though this was many years ago, the essential problem still exists today. From the boardroom to the Senate chamber, there is a fundamental and widespread underappreciation of the real-world, global-scale consequences of the technology-powered Pandora's box we've opened in becoming a digital society.

The beginning stages of the Internet were based on the idealism of trust among the digital pioneers that were both mapping and creating the new frontiers of a world where information would be shared openly and freely. This gave rise to a societal revolution where everyone could have equal access to the totality of human knowledge.

Yet, as with nearly every new exploratory venture throughout history, there came those who look to take advantage and exploit vulnerabilities in newly charted territories and societal structures. Then came those who must defend against it.

In the Shadows
Cybersecurity was born in the shadows by three-letter acronym agencies — NSA, CIA, DoD, etc. —  as an effort to combat a new type of villain who could produce massive damage with minimal risk. A new era of battles were fought on the digital theater with an enemy into whose eyes you could not see; instead, you would catch a glimpse of the enemy through the zeros and ones of the virtual world.

For many years, cybersecurity professionals embraced the clandestine nature of their work, living in tribal communities that shunned outsiders. The IT security groups existed in a separation of church and state framework, removed from the business side of the companies they protected. This environment of being "in the know" and harboring threat intel, remaining secretive, following spy-craft methodologies, and keeping the techniques of information security in the shadows influenced the culture of the cybersecurity professional from the early era. 

As a result, security has become a stand-alone part of the corporate IT organization. Teams became self-siloed and disassociated from the larger organizational objectives they are tasked with protecting, keeping the business side of organizations at arm’s length. Without an understanding between the various departments that create a business, and a holistic security strategy, many companies defaulted to rely solely on regulatory checkboxes for the sake of maintaining the compliance status quo versus placing focus on proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world.

Operating a business becomes more complex daily, as organizations move to hybrid clouds and multicloud platforms, distributing information broadly beyond the network perimeter by nontechnical employees that neither have the time nor understanding to consider the security outcomes. At the same time, threats are becoming increasingly sophisticated and organized. While this ought to be a call to action to elevate the role of security to have a seat at the executive table, there still exists a mentality that security is a compliance requirement rather than a need-to-have. And from the security side, there is often the notion that "no one could possibly understand what I do, so why bother telling them about it?"

Nearly every business today is now a technology business. The problem is that we've developed a culture that doesn't recognize the necessity to have open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.

In a world where the click of an email link can jeopardize an entire network, everyone is responsible for maintaining a secure environment.

Transparency and open lines of communication between all sides of the house — security, DevOps, and business units from financing to marketing to HR — will be the only way to successfully move forward to protect against the never-ending evolution of the threat landscape.

The way forward starts with breaking down the communication barriers between data and people. Anyone in an organization should be able to speak directly with their data and ask questions of it without needing the technical expertise to write data queries. And the data should be able to respond in real time, providing live answers. 

Data transparency is the first step. Once this is achieved, it becomes far easier to create cultural transparency among the separate lines of business because there is a shared language across the organization.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Grant Wernick is the co-founder & CEO of Insight Engines. Insight Engines is a leader in natural language search technologies. The company builds products to augment human intelligence with machine intelligence via their patented NLP and ML technology. Insight Engine's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12928
PUBLISHED: 2019-06-24
The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12929
PUBLISHED: 2019-06-24
The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server.
CVE-2019-12936
PUBLISHED: 2019-06-23
BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for attacks on exposed IPC functions.
CVE-2019-12937
PUBLISHED: 2019-06-23
apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow allowing local privilege escalation to the root user via the DISPLAY environment variable.
CVE-2019-12935
PUBLISHED: 2019-06-23
Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI.