Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Security Concerns (Part 2)

DZone 's Guide to

Security Concerns (Part 2)

Sophistication of attacks, lack of ownership, and many "other" concerns.

· Security Zone ·
Free Resource

To understand the current and future state of the cybersecurity landscape we spoke to, and received written responses from, 50 security professionals. We asked them, "What are your concerns with the state of security management?"

In part one, we learned that lack of talent and training, complexity, and lack of strategy were the top three concerns. Here's the second set of concerns:

Sophistication of Attacks

  • Cyber-crime-as-a-service demonstrates the current gap between the sophistication of the criminals, who seem more agile to adopt modern cloud-enhanced and enable techniques versus companies that are managing legacy systems that were not designed for this environment. Unfortunately, when systems fail or technology lets us down, people get blamed. We need to protect and support the security staff who are on the frontline; a culture of blame is potentially the highest security risk in a company.
  • For smaller businesses – and even some larger ones – security is too often an afterthought and given last priority both in terms of investment and attention. At the same time, many attackers have honed their craft to the level of delivering threats with professional-grade sophistication. It takes a certain level of understanding and focuses to protect an organization from even the common threats out there today, and cybersecurity news stories are full of businesses that are blindsided by attacks well beyond what they prepared for, which result in data breaches.
  • In the cloud, security management is too often focused on the wrong things, like perimeter security and endpoint security. Security hasn’t fully understood the change that cloud brings and what’s needed to adapt. You can’t just continue to run a SOC with manual reactions. Bad actors are using automation and code, and code is faster than humans can ever be, and it scales far beyond what humans can ever manage.

Image title

Ownership

  • Security has finally become a board room concern but the lack of IT security leaders who are both comfortable on technology and business issues is a major concern.  
  • In some organizations, security is still not being taken seriously enough. InfoSec has become table stakes cost of doing business. It cannot be pushed aside any longer. It is much more prevalent in regulated industries; they are further ahead.
  • It’s come a long way, but we still see quite a bit of belief that security is someone else’s problem. Security awareness has come quite a ways, but it still has a way to go. The security risks are evolving more quickly than the enterprise is adapting. We see a lot of customers who think meeting the minimum requirements of compliance means they are secure. Companies need to look beyond compliance to make security a priority.
  • 1) Most of my concern goes not to the security personnel but to the top management. Security specialists actually know what they are doing most of the time. Top management often prefers to ignore security at large, risking the loss of business to a security incident. We hear of security incidents that cost hundreds of millions of dollars, sometimes billions. Why does the top management think that it can happen only to others and not to their company? The risk is there, for some companies, it is a risk of a huge loss, for others – it is a risk of bankruptcy. Think what would your company do if tomorrow you had a security incident and the cost would run to, let’s say, half a billion? 2) Unfortunately, this line of thought is almost always dismissed with a wave of hand and companies get back to the business as usual. Some companies even declare this as the “right thing”. I was shocked a few years ago when the Chief Security Officer of one of the prominent American companies announced in a security conference that he thinks they do not need to fix security problems after their discovery. His advice was: “don’t fix anything until several customers complain about it.” That’s the line of thought that may cost a company its existence in the worst case. 3) Most of the top management does not come from the security background, they are not aware of the risks. Besides the risk of security accidents, there is also the cost of fixing security problems in products on the market. Often companies must fix something at a great cost that should have been done right from the beginning at the fraction of the effort. 4) These concerns are often not factored into management decisions. Like with the quality efforts half a century ago, now we have to educate the management about security. We must understand the risks and costs of bad security and make sure the security gets its rightful place in the design and production, just like the quality did.
  • There are several factors worth noting, all of which are issues of critical importance to leadership teams and boards. First, organizations must be vigilant, as the cybersecurity threat is dynamic and ongoing. While many organizations worry about flaws and shortcomings in the technology, they must also keep an eye on the people who have authorized access to the company such as employees, third parties and supply chain partners. Boards can play an important role here. While the board’s role is not cybersecurity risk management, they do need to provide this oversight and should be asking if the companies they advise have the right controls and processes to limit access to the right people, for the right purposes. Boards may need to restructure their committees and develop new charters to adequately oversee cybersecurity risk management. 2) Additionally, leadership teams should consider whether the corporate culture is permissive or strict when it comes to security concerns and stay consistent. This can aid in making sure that the right controls and processes are in place across the supply chain. 3) Also, organizations can engage the third party to independently and objectively assess whether the company’s cybersecurity risk management program and controls are effective and meeting their objectives. Companies can work toward a robust plan for a cybersecurity crisis, including having an arrangement with third-party specialists in place before a crisis hits and routinely practicing their cybersecurity response plan. 4) Finally, the growing cybersecurity talent gap is a major concern for the state of security management. While the demand for cybersecurity professionals is increasing at a breakneck pace, the pipeline of candidates is not keeping up, leaving organizations potentially vulnerable and often without top-talent. To bridge this gap, incumbent employees need to be re-tooled and re-trained to keep up with evolving technologies while still retaining their institutional knowledge, which is extremely beneficial or an organization. In addition, employers need to utilize automation, balanced with the human element required, to optimize the cybersecurity workforce.Image title

Other

  • It is still too manual. We need a lot more automation, orchestration, continuous regression, and security testing. Better processes and tools constantly improving. Understand and detect all changes in the environment has to be understood, detected, logged, and evaluated. Situational awareness about behavior and infrastructure. The volume of the information and sensor data is mind-blowing and growing exponentially.
  • Containers are revolutionizing application development and deployment, but it’s remained far too easy to lose focus around security when the dev pipeline has become so automated. That said, it’s also now becoming easier to automate the application security policy part of this, which hopefully will make this concern fade a bit.
  • Operators today have limited visibility to security threats originating in the home or SOHO’s. It has now become a priority to find trusted automated solutions to give them further insights and clear data. We have the ability to automatically isolate a connected device on the network which has been infected or shown unusual patterns and prevent it from affecting the other connected devices.
  • We used to think about security as trusted zones. Whatever is running in my DMZ, I can trust.  Today with cloud, microservices, IoT, mobile, the number of devices increasing exponentially. Zoning devices will not work in the future. We need to work on identity management. When signing in as a personal user you have credentials.  This system doesn’t apply to automated actors yet since machines are connecting to machines. As the number of machines increases, you need to manage the identity of different machines. A lot of stuff is happening around identity management, but it needs to go faster to stay ahead of the curve and prevent security incursions that might happen.
  • A recent Ponemon Institute study commissioned found that only one in three organizations are confident they can avoid data breaches. The study also found 67 percent of organizations do not have the time and resources to mitigate all vulnerabilities, 63 percent struggle to act on a large number of resulting alerts and actions from vulnerability scans, and only 15 percent say their patching efforts are highly effective. To address these issues, organizations want security tools and platforms that automatically and comprehensively assess cyber-risk at a business level, and then prioritize actions to achieve the most results and security posture improvement. For example, that could be identifying the most vulnerable and highest risk assets (e.g. a DNS server) and prioritizing their patches first -- vs. trying to patch 100s or 1000s of servers at a time. Or fixing the weak or shared passwords of privileged users before addressing all employees.
  • Failure to patch is the one we’re focused on the most. We also see a lot of need and desire to be able to respond to things that were not anticipated. Tools that help triage are becoming more relevant and important to sec ops.
  • Being user- and data-agnostic does not work in the new world. Technologies fail to take into consideration the context of data. Alarm bells need to sound if files are financial statements or intellectual property. We need to be data-aware so we don’t treat all data as equal. Understanding the data helps you look at it from a different lens.
  • 1) Despite some significant progress in embedding security staff and functions throughout the application development pipeline (whether or not you call this DevSecOps), there is still a perception that security is slowing down the process in many organizations. To truly operate at speed, deep integration and automation are key. For example, instead of scanning for vulnerabilities as a separate step before rolling to production, scan upfront as part of the build cycle. Or, rather than installing security controls as the last step in your infrastructure deployment, can you integrate with your orchestration tools to implement it automatically when services are provisioned. 2) The reliance on open-source applications or code snippets creates another security vulnerability. No one's writing new code from scratch, they're grabbing components from GitHub, DockerHub, and other open-source repositories, leveraging other code written earlier for other projects inside the company. The people writing the code may not be as familiar with what they're starting with, nor with any vulnerabilities that may be present (or show up later after they embedded the borrowed code). They also use general-purpose apps that encompass many more capabilities and privileges than their specific applications actually require - creating a large attack surface.
  • 1) A major piece of the solution is the transformation of DevOps into DevSecOps, a secure DevOps. It is a combination of technologies and practices that enable development and operation specialists to embed security into the software lifecycle. 2) Also, technology, for example, machine-learning tools to automate tasks, can help ease the strain for stressed employees as well as help narrow the skills gap to an extent. But until that takes place at scale, the cyber battle rages on, which means the defenders of the cyber universe need to be looked after, and reinforcements are desperately needed. 3) To combat this issue, a large number of U.S. military veterans could be put to work towards a common cause, protecting the country’s cybersecurity, while acquiring InfoSec skills in the highest demand.
  • Underestimating the potential impact of compromised staff credentials — and not just your administrators. Entry-level employees are often the face of the company to consumers, as well as adversaries, making them the most accessible vector for social engineering campaigns. Secure every employee account as if it were the CEO. Leverage two-factor authentication for application logins and require the use of an encrypted virtual private network (VPN) for all remote employees.
  • Most security teams need to do a better job working collaboratively across all organizational functions, including, but not limited to Engineering, Legal, People Ops, Finance, and for product companies, security teams need to provide requirements and guidance for the company’s products, including making feature proposals, all from a security practitioner’s perspective.
  • The duplication of work that happens at the code creation level, which results in the consistency in vulnerabilities across codebases, happens at the management level as well. Because there is no coordination or communication among the vendors who are producing code, it’s difficult to share learnings in the spirit of improving code overall. The lack of coordination among major enterprise consumers of open source components means that each does their own security assessment which results in a lack of communication in learnings. There’s simply not enough openness in security management today. CVEs are nice, but they don’t contain enough information to describe what went wrong in the coding process, or takeaways to educate others on preventing it from happening again. For example, in open source, CVE data rarely includes a link to the commit that fixes the problem. As the industry shifts towards open source, there needs to be a greater degree of openness and communication around security management.

Please see part one for the top three security concerns.

Here’s who shared their insights:

Topics:
security ,devsecops ,data ,awareness ,afterthought ,vulnerability ,github

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}