Concerns About Security
Attackers are winning the war by becoming more sophisticated and spending more money on hacking tools than companies are spending on security.
We spoke to 25 IT security executives and asked them about their concerns regarding the current state of security. Here's what they told us:
Lack of Understanding and Vision
- Tremendous concerns with senior executives failing to put sufficient emphasis on security and the number of applications already on the internet with vulnerabilities that aren’t being patched. There’s also the lack of emphasis and education on security, as well as the lack of security professionals. Simple failure to follow best practices is a huge concern.
- A “big picture” concern in the U.S. and most other countries is that the economy relies on technology and the people in policy-making positions don’t understand how technology works. I don’t know if we have a government application capable of securely managing our digital economy. My “micro” concern is the difference between IT companies and security companies. IT companies open and close tickets – they take a short-term view of security. Security companies open and close cases – they take a long-term view of security. Also, I’m a big fan of attribution. I think we need to know who attacked, how they attacked, and if they were successful so we can address it as we move forward.
- Our innate sense of trust. When we send an email, we trust that all the servers won’t have techniques to read the email and trust the encryption algorithm. But Edward Snowden showed there are a lot of things that cannot be trusted. Google is not using encryption between its data centers. There’s no way to validate trust. The solution is to have end-to-end encryption.
- I have more concerns about privacy than I do security. Good security addresses privacy by making the data secure. The way software is made is broken. It takes too long to get fixes and there are no automatic updates.
- A majority of the InfoSec industry has it backward with reactive orchestration. Focus on breach prevention. Build more protected solutions.
- Running proof of concepts by installing our product in customers’ infrastructure. Prior to doing this, the customer thinks they have sound security – maybe a couple of small holes. We can identify a lot of threats lurking within the network. The biggest problem is their state of mind. Companies need to assume they’ve already been breached.
- Many organizations are just thinking about security as a perimeter defense strategy. To really solve this problem, however, security has to be designed into the IT architecture, and not just on the perimeter. It’s tempting to approach security by creating a centralized defense on the outside and having one or more tightly controlled entry points that the CISO oversees. Recent events across several organizations have proven this approach is not reliable, scalable, or adaptable.
Lack of Best Practices
- A lot. Companies will continue to proceed without security best practices until a dramatic event occurs – the electric grid is brought down, someone dies, or someone loses a substantial amount of money. Attorneys are working on ways to hold companies accountable for stolen, personally identifiable information (PII). St. Jude Medical Devices produced an implantable defibrillator that could be hacked wirelessly. This was detected by MedSec. Security at St. Jude dismissed the claim while a hedge fund shorted the stock and used the security report to drive down the stock price of the company. After several lawsuits, the FDA stepped in and verified that the device could be hacked and St. Jude needed to fix the problem and issue security patches to several other products.
- Vulnerability reporting. People learning security claim that something is a vulnerability when it’s something simple to fix. The media propagates a lot of security issues that aren’t. As more research and audits of bugs occur, the vulnerability reporting process needs to change so that companies have a window of opportunity to address them.
- My biggest concern is that so much buzz is focused on threat detection because the number of attacks is increasing. Without a doubt, it's important to detect attacks, but we should not forget that the core cause of most attacks is unpatched vulnerabilities. So, first, the essential step is to mitigate all known issues and only then try to detect attacks on vulnerabilities that can't be easily patched.
- Lack of secure code and apps is a risk that companies need to be aware of. A small minority haven’t figured out its importance yet. Attacks are more sophisticated, as are the people and the technology performing those attacks. There is an opportunity to improve through machine learning and deep learning. Ensure security testing is embedded in the QA process. Have appropriate penetration testing. Integrate security into use and abuse testing. Radically improve by codifying testing best practices.
- IoT devices manufactured elsewhere are cheap and have insufficient memory and CPU for security controls, making them vulnerable to DDoS attacks.
Lack of Resources
- Companies are not investing enough in application security given the number of breaches that are occurring and their cost and risk to management. There’s a lot of security investment in networks with firewalls, intrusion detection, and security hardware. However, there’s been a sea change in how enterprises are deploying software in the cloud, SaaS, and mobile. As such, the on-premise network is going away or becoming much less important. Companies need to move dollars from network security to application security.
- My concerns center around burnout of the security people. There is a lot of turnover and burnout. Inability to keep up with the software development pipeline. Code is pushed at you faster than you feel like you can test it thoroughly. Combat this by becoming less reactive. The more you can eliminate production surprises by examining code before production, the more you get your arms around the risk before it becomes real.
- Lack of available people. Millions of vacancies for security professionals. The number of people available isn’t keeping pace.
- The biggest risk in application security is the inability to keep up with the speed of application development. Mobile and IoT devices introduce a whole other level of problems.
Sophistication of Hackers
- The ability for attackers to out-invest organizations. Ransomware as a service. Co-funded models make it easy for attackers to use malware and modify it to meet their needs. Companies bought a lot of “shelfware” and didn’t use it to its full capacity. They still have gaps in their networks and are inefficient in addressing hacks. Cloud adoption with a lack of standards opens more opportunities for attackers.
- We see, hear, and learn more every day. The bad guys are outsmarting the good guys. I’m less concerned with a nuclear attack than I am state-funded cyber-attacks. Attack vectors are where we need to have more insight and controls. The cloud has changed the dynamics of everything.
- Attackers continue to innovate. The changes organizations are undergoing are changing the nature of the threats they face. Companies have adopted a new way of computing and security hasn’t kept up. We need to protect applications built on top of containers and microservices. We need new approaches and platforms to address today’s issues.
Do you have any concerns regarding the current state of security not raised above?
Following are the executives that shared their perspectives on this question:
- Kevin Fealey, Principal Consultant and Practice Lead Automation and Integration Services, Aspect Security
- Carolyn Crandall, CMO and Joseph Salazar, Technical Marketing Engineer, Attivo
- Amit Ashbel, Director of Product Marketing and Cyber Security Evangelist, Checkmarx
- Ash Wilson, Strategic Engineering Specialist, CloudPassage
- Paul Kraus, CEO, Eastwind Networks
- Anders Wallgren, CTO, Electric Cloud
- Alexander Polyakov, CTO, ERPScan
- Patrick Dennis, President and CEO, Guidance Software, Inc.
- Craig Lurey, CTO, Keeper Security
- Boaz Shunami, CEO, Komodo Consulting
- Eric Tranle, Global CMO and Darrin Bogue, Senior Solutions Engineer, LogTrust
- David Waugh, V.P. Sales, ManagedMethods
- Mat Keep, Director of Product Marketing and Analysis, MongoDB
- Aaron Landgraf, Senior Product Marketing Manager and Kevin Paige, Head of Security, MuleSoft
- Fred Wilmot, CEO, PacketSled
- Gary Millefsky, CEO, Snoopwall
- Wei Lien Dang, V.P. of Products, StackRox
- Cody Cornell, Co-founder and CEO, Swimlane
- Terry Dunlap, Founder and CEO, Tactical Network Solutions
- Chris Wysopal, Co-Founder and CTO, Veracode
- Yitzhak Vager, V.P. Cyber Product Management and Business Development, Verint
- Prabath Siriwardena, Director of Security Architecture, WSO2
Opinions expressed by DZone contributors are their own.