
2/8/2019
10:30 AM
Grant Wernick
Commentary

We Need More Transparency in Cybersecurity

Security has become a stand-alone part of the corporate IT organization. That must stop, and transparency is the way forward.

In college, I was assigned to write a paper for a political science class to argue what would be the greatest national threat our upcoming generation would face. I wrote what I believed to be a solidly reasoned and articulate essay positing that cyber terrorism would be the major issue with which the United States would need to grapple.

It was the only time I received a D grade during my college tenure.

The professor, a renowned political science teacher, told me that although the logical structure of the essay was sound and it was overall well written, cyberterrorism was not a threat. Nor would it be in the near future, which made the position I took one based upon a flawed premise and not worthy of serious inquiry. He wanted assessments on weapons of mass destruction, chemical or biological warfare, political instability, and such.

It was an unintended lesson that those of us who had not grown up riding the early waves of the Internet did not fully understand the looming danger of a world that would become increasingly enveloped by software.

Though this was many years ago, the essential problem still exists today. From the boardroom to the Senate chamber, there is a fundamental and widespread underappreciation of the real-world, global-scale consequences of the technology-powered Pandora's box we've opened in becoming a digital society.

The beginning stages of the Internet were based on the idealism of trust among the digital pioneers that were both mapping and creating the new frontiers of a world where information would be shared openly and freely. This gave rise to a societal revolution where everyone could have equal access to the totality of human knowledge.

Yet, as with nearly every new exploratory venture throughout history, there came those who look to take advantage and exploit vulnerabilities in newly charted territories and societal structures. Then came those who must defend against it.

In the Shadows
Cybersecurity was born in the shadows, created by three-letter acronym agencies — NSA, CIA, DoD, etc. — as an effort to combat a new type of villain who could produce massive damage with minimal risk. A new era of battles was fought in the digital theater with an enemy into whose eyes you could not see; instead, you would catch a glimpse of the enemy through the zeros and ones of the virtual world.

For many years, cybersecurity professionals embraced the clandestine nature of their work, living in tribal communities that shunned outsiders. The IT security groups existed in a separation of church and state framework, removed from the business side of the companies they protected. This environment of being "in the know" and harboring threat intel, remaining secretive, following spy-craft methodologies, and keeping the techniques of information security in the shadows influenced the culture of the cybersecurity professional from the early era. 

As a result, security has become a stand-alone part of the corporate IT organization. Teams became self-siloed and disassociated from the larger organizational objectives they are tasked with protecting, keeping the business side of organizations at arm’s length. Without an understanding between the various departments that create a business, and a holistic security strategy, many companies defaulted to relying solely on regulatory checkboxes for the sake of maintaining the compliance status quo rather than focusing on proactive security measures that protect the organization responsibly, mitigate risk, and adapt to an ever-changing world.

Operating a business becomes more complex daily, as organizations move to hybrid clouds and multicloud platforms, with information distributed broadly beyond the network perimeter by nontechnical employees who have neither the time nor the understanding to consider the security outcomes. At the same time, threats are becoming increasingly sophisticated and organized. While this ought to be a call to action to elevate the role of security to have a seat at the executive table, there still exists a mentality that security is a compliance requirement rather than a need-to-have. And from the security side, there is often the notion that "no one could possibly understand what I do, so why bother telling them about it?"

Nearly every business today is now a technology business. The problem is that we've developed a culture that doesn't recognize the necessity to have open lines of communication and shared responsibility across the organization to make cybersecurity not only a priority but a standardized part of daily operational procedures.

In a world where the click of an email link can jeopardize an entire network, everyone is responsible for maintaining a secure environment.

Transparency and open lines of communication between all sides of the house — security, DevOps, and business units from financing to marketing to HR — will be the only way to successfully move forward to protect against the never-ending evolution of the threat landscape.

The way forward starts with breaking down the communication barriers between data and people. Anyone in an organization should be able to speak directly with their data and ask questions of it without needing the technical expertise to write data queries. And the data should be able to respond in real time, providing live answers. 

Data transparency is the first step. Once this is achieved, it becomes far easier to create cultural transparency among the separate lines of business because there is a shared language across the organization.

Grant Wernick is the co-founder & CEO of Insight Engines. Insight Engines is a leader in natural language search technologies. The company builds products to augment human intelligence with machine intelligence via their patented NLP and ML technology. Insight Engine's ...