Most Common Security Fails (Part 1)

To understand the current and future state of the cybersecurity landscape we spoke to, and received written responses from, 50 security professionals. We asked them, "What are the most common security fails you see today?"

Following are the three most common:

Fundamentals/Basics

• 1) One of the basic ones is keeping your data exposed to the web. If you Google search 16-digit numbers on Google, you start to get credit cards. In a hurry, you may not think security matters but then you forget to encrypt the data later on. You create a scenario following other companies who have put their data on Amazon S3 with no encryption exposing themselves and their customers to the world. Computer sciences and security companies have figured out that the moment you have sensitive data you need to encrypt it. If you don’t encrypt early on it just makes life harder. 2) As companies work in multiple environment infrastructure, security on-prem doesn’t work for GCP and IBM cloud. Security controls need to change from one environment to another. Infrastructure independent security controls are critical.
• 1) One of the biggest cybersecurity fails I observe today is a fundamental misunderstanding of security needs like compliance and the evolving threat landscape. Organizations need to fully understand the specific rules and regulations that apply to them, as well as remain up-to-date about both existing and emerging threats.  This can be addressed through awareness and regular training sessions, as well as by engaging the right tools and processes to bring structure and verification to the cybersecurity program. 2) Another common failure is the misconception that an organization is “too small” or insignificant to be a target for cybercriminals and ransomware. No business or organization is exempt from being a potential target.  Known and emerging threats are constantly evolving, and wherever there’s money to be made, cybercriminals will not discriminate.  The problem is that too many people are stuck in a traditional mindset when it comes to cybersecurity, which it primarily reactive — the idea that simple measures like firewalls, antivirus, etc. will be sufficient protection.
• Ignoring the basics, like DNS, time, routing and certificate issues. These underlying systems underpin the security which Applications rely on to provide application-layer security.
• 1) People use default passwords or simple, breakable passwords. 2) Users to do not update software. We protect the user even when passwords are left on default. Users purchase IoT devices that have no software updates and have clear security flaws that a user has no visibility or control over.
• Our team sees several common risky security behaviors including 1) Absence of threat intelligence which leads to not being able to proactively stop a threat. 2) Nonexistent or insufficient security training for employees: Infiltration by malware, ransomware, phishing, and other malicious attacks. 3) Poor employee screening: Generates internal threats. 4) Irregular penetration testing: Creates gaps in infrastructure security. 5) Lack of logging: Leaves an organization without the ability to look back at previous events to determine what happened or diagnose a problem.

Training

• Not training their staff. Falling prey to a phishing email. Simple attack prevention strategies. Not remediating vulnerabilities when they are found at vulnerability scans. So many systems taking care of cannot address vulnerabilities as quickly as they need to. Our system scales to meet 30 employee shop to the large enterprise with 10,000+system. We prioritize vulnerabilities based on what poses the greatest threats. Help prioritize and set up SLAs to manage and remediate vulnerabilities. We help IT security work with IT ops to remediate and set expectations when something is found.
• Many developers are not inherently security experts, so many of those who have security responsibilities need to be better trained in best practices. Or, for organizations that don’t want to add more responsibilities to existing dev teams’ plates, they probably need a new type of operations person than combines operations with security (DevSecOps).
• The biggest has to be lack of persistent professional development opportunities for staff. With a widening skills gap haunting CISOs at night, companies cannot afford to keep putting off their employee’s professional development programs. Failure to upskill staff means they don’t have the skills and knowledge necessary to defeat today’s attacks. Hacker’s aren’t taking a break from attacking, cyber teams shouldn’t pause learning efforts either. There is a lot of great training methods that are available today to demystify cyber to the C-Suite and let them get ahead of cyber risk. When armed with this knowledge, the organizational leadership can ask the right questions of their technical staff and understand where it makes sense to invest in people, processes or technology to reduce cyber risk.
• A false sense of security is worse than not doing security at all. We need to educate customers. It depends on the industry. In financial services, there is a  high interest but still have a false sense of security, not doing security, and only including one perspective. If you just focus on one perspective into your code, a lot of time is lost trying to get to 100 percent coverage. By adding a different perspective to get a higher security level in less time and for less money.
• Ignorance is the most common cause of security failures. I think we could benefit a lot from simply raising awareness throughout the industry. You would be surprised how many developers still do not know what security means and how many more do not know if it is relevant to their work. Security is relevant to everyone but not everyone is aware of it. This should change if we want to remove this most common cause of failure.
• 1) The global cybersecurity workforce gap is widening to nearly 3 million jobs. This means that many skilled professionals are taking on more work and pressure to cover unfilled positions. According to a worldwide survey published in 2017, 38 percent of cybersecurity professionals admitted that the skill shortage was the main culprit causing high rates of burnout and turnover. 2) The speed at which cybercriminals operate and change their ‘tools of the trade’ means that many individuals employed in the industry are woefully underprepared and inadequately trained for the role they’re required and expected to fulfill, which can cause significant stress.

Vision

• 1) When employing Kubernetes (K8s), just relying on a single feature like vulnerability scanning. If this is your end game, you are going to lose. You need to do more than just scanning vulnerabilities in CI. 2) Overlooking the importance of network security as a source of truth and the ability to leverage as a deep security mechanism to address many security threats like the exfiltration of data (e.g. Equifax). Don’t stick your head in the sand by ignoring network fundamentals.
• Not knowing what you have out there and knowing what you have to mitigate. Some app somewhere is running a vulnerable piece. The other is the inability to detect someone is in there and is exfiltrating data. 
• On the application security side, we customers struggle with the madness of all of the tools and overlap. If you are developing applications internally, you are using web application testing and static code analysis testing. And since these are separate tools, you are getting different reports. It’s important to bring that together to see if you have any correlation between the different type of vulnerabilities, we are able to see those relationships. Able to see overlaps due to duplicates then we’re doing a good job managing the deduplication process. With application security, in particular, people have a problem with the data management side of things. Asset inventory is also an important part of the puzzle to solve the problem. Everyone needs to do a better job maintaining their asset inventory — applications, hardware, data classification, type of data processed, who owns the data.

Please see parts two and three for more thoughts on common security fails.

Here’s who shared their insights:

• Josh Mayfield, Director of Security Strategy, Absolute
• Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
• Steven Aiello, security and compliance solutions principal, AHEAD
• Gadi Naor, CTO and Co-founder, Alcide
• Omer Benedict, Senior Director of Product Management, Aqua Security
• Tom Maher, CTO, Asavie
• Gaurav Banga, CEO and Founder, Balbix
• Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
• Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
• Anurag Kahol, CTO, Bitglass
• Syed Abdur, Director of Product Management and Design, Brinqa
• Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
• Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera 
• Brian Kelly, Head of Conjur Engineering, CyberArk
• Doug Dooley, COO, Data Theorem
• Jason Mical, Cyber Security Evangelist, Devo Technology
• OJ Ngo, CTO, DH2i
• Tom DeSot, EVP CIO, Digital Defense, Inc.
• Chris DeRamus, Co-founder and CTO, DivvyCloud
• Alan Weintraub, Office of the CTO, DocAuthority
• Tom Conklin, CISO, Druva
• Anders Wallgren, CTO, Electric Cloud
• Satish Abburi, founder, Elysium Analytics
• Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
• Ambuj Kumar, Co-founder and CEO, Fortanix
• Josh Stella, co-founder and CTO, Fugue
• Kathy Wang, Senior Director of Security, GitLab
• Amith Nair, VP Product Marketing, HashiCorp  
• Mike Puglia, Chief Customer Marketing Officer, Kaseya
• Nathan Turajski, Director of Product Marketing, Micro Focus
• Gary Duan, Chief Technology Officer, NeuVector
• Gary Watson, CTO and Founder, Nexsan
• Stephen Blum, CTO and Co-founder, PubNub
• Chuck Yoo, President, Resecurity
• Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
• Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
• Igor Baikalov, Chief Scientist, Securonix
• Oege de Moor, CEO and Co-founder, Semmle
• Dana Tamir, VP Market Strategy, Silverfort
• Logan Kipp, Technical Architect, SiteLock
• Albert Zenkoff, Security Architect, Software AG
• Tim Brown, V.P. Security Architecture, SolarWinds
• Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
• Tim Buntel, VP of Application Security Products, Threat Stack
• Andrew Useckas, Founder and CTO, ThreatX, Inc.
• Joseph Feiman, Chief Strategy Officer, WhiteHat Security
• Vincent Lussenberg, Director of DevOps Strategy, XebiaLabs
• Robert Hawk, Operations Security Lead, xMatters