Most Common Security Fails (Part 2)
There's a lack of strategy, old technology and tools, configuration issues, lack of patching, and lack of data best practices.
To understand the current and future state of the cybersecurity landscape we spoke to, and received written responses from, 50 security professionals. We asked them, "What are the most common security fails you see today?"
The three most common covered in part one were the lack of fundamentals, training, and vision. The following are the next most frequently mentioned failures:
Strategy
- I still think security is an afterthought as opposed to a built-in process throughout the entire program. Think about how security will affect you up front. Look at it holistically. Take a security-first model. How much do you pay for fire and building security? What is the likelihood of a cyber breach relative to a fire or a building failure?
- Customers that don’t think in terms of end-to-end strategies, like a government agency with multiple stakeholders that haven’t talked to each other before. LOB owner hasn’t talked to security, risk team, the chief data officer. We need to collaborate to get clear on expectations, with good relationships across the organization.
- The most common security failure is not having a process. In addition, there’s also a disconnect between the security and compliance regulations that executives focus on, one being HIPAA’s cybersecurity requirement below: 164.306(a)(1) ensure the confidentiality, integrity, and availability of all electronically protected health information the covered entity creates, receives, maintains, or transmits. The above is such a broad and generic statement and that’s just one statement out of a document that has almost a hundred statements, so it’s no longer meaningful. From the perspective of security failures — which ties into the state of security management — there’s an absolute disconnect between high-level frameworks like ISO, COBIT, and HIPAA and how you actually implement them. Many companies today feel they have a framework that they follow, but that’s not a security program; that’s a document that gives guidance, one that doesn’t even give you detail on how to implement said guidance. For example, you start out with a security framework like HIPAA and you use something like the CIS controls to implement the guidance within HIPAA, that’s the second phase. The third phase is that you need to have a measure of quality for your controls, which would look like this: HIPAA to CIS measured by ISO 33004. So, ISO is a process assessment methodology to do things like vulnerability management. Is it a good process or an ineffective one? Following that methodology allows you to actually build a security program where you’re starting to measure the quality of the security controls that you’ve put in place. So, that’s lacking in every single security program that I’ve seen from our customers. Even the customers that have good security programs don’t take it to that level.
You need to ask yourself, “Are these programs producing quality outcomes?” I think it’s undeniable based on the research that’s out there, that even the best security programs are not producing high-quality outcomes.
- 1) Cybersecurity spending is higher than ever — Gartner estimates that the market is forecast to grow 8.7 percent to $124 billion in 2019. Yet, there’s a glaring, and often overlooked, omission that warrants attention: organizations simply are not activating — or are incorrectly using — security tools that are already deployed on their endpoint devices. It’s an oversight that can’t continue to fly under the radar, especially when endpoint devices are the single largest group of devices inside the network today—and the most likely source of a security incident. 2) The answer for CISOs in many cases takes a simple shift in strategy and a new twist on an old adage. President Ronald Reagan first started using the English translation of an old Russian proverb, “trust but verify” as part of the extensive nuclear disarmament talks with General Secretary Mikhail Gorbachev in the 1980s. In cybersecurity, it’s critical to recognize the importance of verifying the security tools you have put on the devices themselves are, in fact, functioning properly and that the data on them is secure.
Old Technology
- This pertains to the inability to put in basic security controls and trying to apply old techniques/tools within modern environments. For example, using traditional endpoint and network-based security techniques/tools that were effective in desktop and on-premise datacenters to secure mobile and cloud-based environments.
Configuration
- 1) The number one failure is the number of companies buying a web app firewall, deploying it, configuring it, and leaving it in the passive mode forever. They never get around to activating it. There are many stories of firewalls in a passive mode that are never turned on or looked at for the alerts. 2) Collecting data for the sake of collecting data. Collecting all logs and all data without determining what you need, why, and what you are going to do with them is a recipe for disaster.
- Cloud misconfigurations are among the most common security fails. Enterprise attack surfaces are growing and the rapid adoption rate of multi-cloud, containers, microservices and other advanced infrastructures is making security and compliance increasingly complex. Additionally, many companies don’t set forth clear guidelines and policies, let alone adequately enforce those policies. For these reasons, misconfigurations are rampant. It seems there is a new massive data breach caused by a misconfiguration or a database being left unsecured on a weekly--if not daily--basis.
- As technology and tools become easier to adopt within organizations, there is a risk it is not properly configured or maintained. We see this in several areas such as public clouds being misconfigured, and private data being publicly exposed on the internet. It’s important to remember that cloud security is a shared responsibility model, and everyone is responsible for their contribution to make the whole system secure. Another area is the adoption of shadow IT or unmanaged applications that don’t meet company standards.
- Some of the most common and easily avoidable security fails are misconfigurations of cloud infrastructure. Many organizations are still adapting and learning how to operate in the cloud which often leads to simple mistakes in the configuration that end up having a big impact and result in high profile data breaches.
Patching
- 100 percent of clients have live attacks which can be seen within days or weeks after we have been deployed. We expose critical vulnerabilities they didn’t know about so they can patch them.
- 1) Lack of a basic security policy is a glaring issue. Companies need some kind of framework. There are some companies where executive management is still in denial about the value of their data to a hacker. 2) Misconfiguration is an issue, especially when moving services to the cloud and forgetting to turn on basic controls without anyone monitoring access to hundreds of millions of records. It all depends on the maturity of the cybersecurity program. Have basic policies to restrain user behavior and an obligation for configuration before users get into behavior monitoring. 3) Patching was a problem 20 years ago and it’s a problem today. How many systems have vulnerabilities that are three years old? It doesn’t take a lot of work by hackers. Training is getting better as is awareness thanks to news coverage and personal experience.
- Inconsistent patching of known security vulnerabilities is one of the most common security fails. According to the Verizon Data Breach report, more than half of all exploits were from vulnerabilities disclosed over 10 years ago — that is simply too easy.
- Failure to patch. That’s what caused Equifax and WannaCry. There were fixes. We created a workflow that identifies vulnerable devices and turns off. Most customers could protect themselves if they just patched in time. ServiceNow study, 57 percent of breaches could have been prevented by installing an available patch. If you’re doing a one-to-one patch to every device, and you have hundreds of thousands, you need a solution to do that without impacting other parts of the business. If general patching prevents you from operating your business, that’s why it isn’t done. We use a peer-to-peer architecture that distributes patches without affecting the network.
- 1) Not keeping asset management up to date. 2) Not keeping software patches up to date. 3) Lack of employee security awareness — need to follow best practices of accessing information.
Data
- Hoarding data with no idea what they have or where it is stored. Spending a lot of money trying to protect information that may be of low value from a user perspective. Companies need to spend money on high-value high-risk information.
- Being blind to the data. Spending money in the wrong places, putting more firewalls in a location that’s already secure.
Please see parts one and three for more thoughts on common security fails.
Here’s who shared their insights:
- Josh Mayfield, Director of Security Strategy, Absolute
- Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
- Steven Aiello, security and compliance solutions principal, AHEAD
- Gadi Naor, CTO and Co-founder, Alcide
- Omer Benedict, Senior Director of Product Management, Aqua Security
- Tom Maher, CTO, Asavie
- Gaurav Banga, CEO and Founder, Balbix
- Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
- Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
- Anurag Kahol, CTO, Bitglass
- Syed Abdur, Director of Product Management and Design, Brinqa
- Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
- Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera
- Brian Kelly, Head of Conjur Engineering, CyberArk
- Doug Dooley, COO, Data Theorem
- Jason Mical, Cyber Security Evangelist, Devo Technology
- OJ Ngo, CTO, DH2i
- Tom DeSot, EVP CIO, Digital Defense, Inc.
- Chris DeRamus, Co-founder and CTO, DivvyCloud
- Alan Weintraub, Office of the CTO, DocAuthority
- Tom Conklin, CISO, Druva
- Anders Wallgren, CTO, Electric Cloud
- Satish Abburi, founder, Elysium Analytics
- Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
- Ambuj Kumar, Co-founder and CEO, Fortanix
- Josh Stella, co-founder and CTO, Fugue
- Kathy Wang, Senior Director of Security, GitLab
- Amith Nair, VP Product Marketing, HashiCorp
- Mike Puglia, Chief Customer Marketing Officer, Kaseya
- Nathan Turajski, Director of Product Marketing, Micro Focus
- Gary Duan, Chief Technology Officer, NeuVector
- Gary Watson, CTO and Founder, Nexsan
- Stephen Blum, CTO and Co-founder, PubNub
- Chuck Yoo, President, Resecurity
- Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
- Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
- Igor Baikalov, Chief Scientist, Securonix
- Oege de Moor, CEO and Co-founder, Semmle
- Dana Tamir, VP Market Strategy, Silverfort
- Logan Kipp, Technical Architect, SiteLock
- Albert Zenkoff, Security Architect, Software AG
- Tim Brown, V.P. Security Architecture, SolarWinds
- Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
- Tim Buntel, VP of Application Security Products, Threat Stack
- Andrew Useckas, Founder and CTO, ThreatX, Inc.
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
- Robert Hawk, Operations Security Lead, xMatters
Opinions expressed by DZone contributors are their own.