DZone Research: Problems With Security (Part 1)
Want to know the modern problems with security? Check out this post on lack of compliance, human error, and lack of skills and knowledge.
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "What are the most common issues you see affecting security?" Here's what they told us:
- Data security is a challenge super prevalent to how permissions propagate and how many users. Our platform provides a lot of tools to secure data. Need data governance defined. This can be complex and challenging.
- Compliance is a major issue impacting the cybersecurity industry. The problem is that companies don’t use security as an economic factor, impacting the bottom line until after a breach occurs. If we change the mindset about cybersecurity and become more proactive, we can stop these issues before they happen.
- For highly sensitive, they come to us, because they trust us. For less sophisticated, we help them build out their environment and train their people. We like to put in the best practices so their people will protect their own data.
- The first issue relates to the motives and tools available to threat actors. Financial gains or government interference are high on the list of the reasons why we see new and creative ways emerging where breaches can be forced. Once public, these are exploited widely. The second issue relates to the ease of use and access to the tools users need; however, these must be freed from high-cost proprietary single-vendor lock-ins. Encryption must be easy to use; if it is not, then, people find other ways to share information. As always, people and normal behavior represent the highest risk.
- Human errors when developing APIs: with endpoints, developers copy and paste, which creates holes.
- Human element — everyone has a well-defined policy, but enforcement and compliance are a challenge.
- Human error — building managers leaving door open to the router and server room. Security guards are going out for a smoke and propping the door open. A lot of IT security personnel have a tendency to focus on network when adding new devices, but, then, they don’t focus as much after the fact. Humans can only watch streams for so long before they stop paying attention. Use computer vision to analyze IoT device data and unstructured video data into structured data. Enable people to pay attention to what’s relevant, moving from reaction to proactive and preventive.
- Human behavior and habits in a digitally-connected world is the most common issue that affects security. It was much easier securing applications prior to the Internet era. The current threat landscape is changing. Virus infections, as we remember them, changed to mining tools that take the victims’ resources and turn them into digital currency. These malwares work silently, ensuring that the user will not notice them. On the other hand, there are cryptos or ransomware — malware that encrypts the host system and asks for money in exchange for a decryption key. Both malwares affect home and business. At the business level, there are DDoS extortion attempts, where the attacker demands money from the business. This scenario is more common than we think, simply because corporations choose to keep such events silent. To complete the picture, privacy has become a major player in the last few years. GDPR regulation, for example, is impacting security as it relates to user awareness.
- The misconfigured solutions setup and configurations don’t restrict employee access rights to a “need-to-know” basis is a common concern across security solutions, leading to unauthorized access and possible data breaches. However, an even greater concern is in managing the human factor. Human Factor Security runs the gamut, varying from organization to organization. Employee security awareness training or lack thereof can make a difference in an organization’s security posture as employees are the last line of defense at stopping targeted spear phishing attacks that reach the inbox. But, training is just that; so, managing the human factor not only requires scenario-based simulations but also means providing employees with a “no-brainer” way to block or stop targeted one-to-one attacks right from the inbox in real-world scenarios. This, in our opinion, means layering an expert anti-phishing (email incident response) service like what we offer.
- Lack of encrypted data. Lack of comprehension and understanding. Encryption is not just check the box and you’re done. Another misconception is that there’s a magic wand that solves the problem. The type of encryption does not make it secure; it’s about the security strategy. Systems are secure within a set of parameters. Developers need to be educated on what they are doing and the limits to the security.
- Awareness and security training is lacking. There is a shortage of qualified security professionals and developers to put the right security measures in place. Even though we all know IT managers, we need to update our software. It's not done as well as it should be. A lot of updates are a function of vulnerabilities. Environments are becoming more complex and interconnected, especially the many devices being brought into work. We just need one way in to compromise the organization.
- Lack of skills and manpower. Lack of technology and automation. Right combination between people and technology and automation will take the security of your organization years ahead.
- Lack of awareness since we work with SMEs. We are conditioned to think that they are not the target. On a much broader scale, small businesses are being compromised.
- Developers are not security experts, and there is some movement to try to train them about security. In some companies, this is reasonable, but, for others, a new type of operations person that combines operations with security must manage security, which is typically being called DevSecOps.
- We need to be on the look-out for types of cultural barriers, lack of leadership, inappropriate metrics, lack of tool integration, and lack of training.
- Obviously, data breaches continue to be a major issue that are difficult to tackle because they are multi-faceted. Poor security practices make it easy for bad actors to exploit vulnerabilities in your applications to steal or ransom your data. Security really must be comprehensive and baked into your strategy from the design phase — all the way to implementation. It cannot be an afterthought and simply applied at certain points. For example, this could be at the access level but not at the architecture level. As you’re migrating from on-premises to the cloud, think about what dependencies are built into your applications that you need to migrate. Before lifting and shifting, you need to make sure that you’ve looked closely at everything, especially your open source tools, to make sure there are no vulnerabilities hidden away. Organizations have to be starting from a comprehensive security approach, and, then, they’ll be able to add on more advanced services along the way. I also think that the speed at which we’re developing and deploying is impacting an organization’s ability to do all of the above very well (or to do it at all). Inside the enterprise, migration timelines are often underestimated in the push to deliver cloud solutions quickly. This is especially true for organizations with no prior experience migrating to the cloud. As a result, business deliverables often take priority over taking the time to establish a comprehensive cloud security strategy. This means production applications and sensitive data are being deployed to meet key business milestones but without the best practice security principles and methodologies to govern these solutions. Hackers are fully aware of human fallibility, and they are perfectly positioned to exploit security vulnerabilities when a business takes shortcuts. Again, I will bring this back to skills and the need for a security directive from the top of the organization. 
It’s important for all teams and roles to be educated about security basics and have an understanding of all of the actions that they can take at their level, with the tools and applications they are responsible for. Teams need to have a full understanding of the services available to protect the infrastructure, applications, and data across the infrastructure stack.
Check out tomorrow's post where we discuss more research findings on the major problems in security. Stay tuned!
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer/Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa