My entrance into the world of technology and cybersecurity happened to coincide with what Symantec has coined the Big Boom age[1] of data breach. It was March 2005 that the world witnessed the first data breach to include over one million compromised records, at DSW Shoe Warehouse. Since then and as of today, Privacy Rights Clearinghouse[2] has recorded an additional 9,093 data breaches that have been made public; an average of nearly two per day (1.78) over the past 5,100+ days.

Hearing about, learning about, and subsequently talking about data breach events has more or less been my daily routine for the better part of 14 years. Having held or performed the functions of a wide variety of positions within a security-focused software company for as long as I have, I’ve been fortunate to have had exposure to people of all types and in virtually every conceivable position within customer, partner, and other technology organizations. While I feel like I’ve heard it all in terms of what the root cause of our collective data breach problem is, I think there are two things in particular that are suffocating our collective ability to slow down and stifle this unsurprising outcome – people that can’t comprehend or appreciate the information they’re being told, and people not being allowed to focus on what they know really matters.

Let me be clear. This is not a finger-pointing exercise. This is a reality check. I’m not saying this is the be-all end-all solution either. Protecting the information attackers seek to steal is among the most complex problems we’ve ever had to deal with as a species, but surely there are some pragmatic measures that can be taken to stop the bleeding (scratch that, hemorrhaging) of data from our organizations on, again, a daily basis. Right?
Trust in our new “Zero Trust” world (to the Board)

Technology is complicated. Whether we’re talking about consumer electronics in our homes or enterprise-grade technologies in our offices and datacenters, if you’re not into it, if you’re not exposed to it, then you probably don’t understand it. It’s not your fault if you’re not among the technically inclined, but you can’t fight it either. This is the world we live in. Your smartphone might become even easier to use, but it will assuredly become more difficult to secure as time goes on.

If you’re in a decision-making position that affects the funding of technology (especially cybersecurity) purchases for your organization and you can’t say you truly grasp or appreciate the imminent dangers “The Business” faces right now, then there’s only one thing you can do. Trust. There are people around you that do know what’s going on. Unfortunately, these people aren’t always the best at communicating incredibly complex subject matter in terms you understand (i.e. money, and how this makes you more money), but rest assured you will be losing a boatload of it when Brian Krebs gives you a call to let you know your network and your customers’ data has been “pwned”.

And trust me, I thought GDPR was going to fizzle out too, but boy was I wrong. It’s got legs and it just leaped over the pond in the form of the CCPA. Now it’s making its way across America and you will be fined for non-compliance. No more slaps on the wrist. They’re coming for your piggybank.

Cybersecurity needs more funding. Cybersecurity professionals are burned out. There are too few people to do the job and the tools they’re forced to use are rarely adequate to address the modern threats they face. That said, you’ve hired people that speak the language. Trust them when they tell you what they need to defend your organization from harm. Honestly, you’re just a sitting duck otherwise.

Discipline and bringing it back to the basics (to the Security Professional)

Every year, we all rejoice in the release of Verizon’s latest Data Breach Investigations Report (or the DBIR for the cool kids). It’s such a great read, what with all their witty quips and section headings. But what do we always see? It’s the same old stuff biting us in the butt every time. Missing patches, an overabundance of administrative access rights, credentials in memory, social engineering, Pass-the-Hash, and so on.

We’ve got to turn our focus back to the blocking and tackling. It starts with education for your employees (don’t click it!), proper hygiene and alignment with best practices across your systems for when they click it anyway (why do 135 people have local admin rights to this desktop again?), least privilege rights to your data (so Joe Schmoe from the Mail Room’s account doesn’t grant god rights to your quarterly financials), and control over the granddaddy of them all, the directory.

If you want to secure your data, you need to know where it is, what it is, who has access to it, and figure out whether or not they should. Once you do that, you need to ensure the thing that’s responsible for controlling access to all that data (probably Active Directory for 90% of you) is clean, understood, configured properly, monitored closely, and controlled tightly. Don’t stop there though. AD is most commonly compromised due to misconfigurations, vulnerabilities, and an inappropriate number of people with administrative access rights to your desktop and server infrastructure.

This is the blocking and tackling. Fix these problems and you’re going to be in a much better position to defend your organization’s assets.
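One concrete starting point for the audit described above (who really holds admin rights in AD, how many local admins a box has, and which data folders are open to everyone) is the following PowerShell script. It is an added example, not code from the original post or from STEALTHbits; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the share path and thresholds are hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT
# module on a domain-joined host; thresholds and the share path are assumptions.
#Requires -Modules ActiveDirectory

# 1. Effective (nested) membership of the AD groups that hand out "god rights".
function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators'),
        [int]$Threshold = 5   # assumed limit; more than this deserves a review
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so admins hidden behind a group of a group are counted
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        $users   = @($members | Where-Object objectClass -eq 'user')
        # admin accounts with no logon in 90 days are access nobody is using but an attacker could
        $stale   = @($users | ForEach-Object { Get-ADUser $_.SamAccountName -Properties LastLogonDate } |
                     Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) })
        [pscustomobject]@{
            Group      = $g
            UserCount  = $users.Count
            OverLimit  = $users.Count -gt $Threshold
            StaleUsers = $stale.SamAccountName
        }
    }
}

# 2. Local Administrators on this machine (the "why do 135 people have local admin" check).
function Get-LocalAdminReport {
    param([int]$Threshold = 3)   # assumed limit
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Count     = $admins.Count
        OverLimit = $admins.Count -gt $Threshold
        Members   = $admins.Name
    }
}

# 3. ACEs on a data folder that grant access to everyone-type principals.
function Get-BroadAccessAces {
    param([string]$Path = '\\fileserver\finance\quarterly')   # hypothetical path
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    (Get-Acl -Path $Path).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value -or
                       $_.IdentityReference.Value -like '*\Domain Users' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-LocalAdminReport
Get-BroadAccessAces | Format-Table -AutoSize
```

Run it from an account that can read group membership and the folder's ACL; any OverLimit row or stale admin account is a least-privilege finding to work through.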
We aren’t doing ourselves any favors (to All of Us)

I don’t want this to sound too harsh and again, I don’t want this to be perceived as finger-pointing either. I want this to be a rallying cry to us all because we’re all in it together, but I feel like right now we’re not doing ourselves any favors.

Excuse the painful football analogy, but it’s halftime in this game we’re playing, we’re losing, and it’s time to make some adjustments. We need more resources and we need more focus on fixing the things that make it so easy for attackers to make us all look like fools. If we can trust each other, we can make this epic comeback happen.

Adam Laub is SVP, STEALTHbits Technologies