Cybersecurity Week in Review: A Bad Week for the Good Guys and Plenty of Food for Thought

By Peter Bernstein June 12, 2015

Let’s start with the headlines. As the week closes, we are becoming increasingly aware that the U.S. government Office of Personnel Management (OPM) data breach that was revealed last week was much larger than previously thought. We also found out that internationally respected data security solutions provider Kaspersky Lab discovered a new nation-state attack, attributed to members of the infamous Stuxnet and Duqu gang, and the victim of the malware exploit was Kaspersky. And there were plenty of comments on the latest hack of celebrity photos as more than 570 iCloud accounts were compromised. As you can imagine, my inbox was overflowing.

This week also saw a flood of new reports and surveys from security firms which are worth a read.  What follows is a sampling of recent research you might wish to review.

Lieberman Software is out with a survey that says complicated IT security solutions are not being properly deployed and, for most organizations, compliance trumps security. Highlights, if you wish to call them that, from the survey conducted at the annual RSA event include: 69 percent of respondents did not feel they are using their IT security products to their full potential. As a result, 71 percent believe this is putting their company, and possibly customers, at risk. Plus, when survey respondents were asked why they don’t use their IT security products to their full potential, 62 percent revealed they either found the products too complicated to deploy, too time consuming to deploy, or didn’t think they had the expertise to properly deploy them.

Commissioned by Spikes Security and conducted by Spiceworks, a survey of 160 IT security professionals found:

  • Limited mobile security and risk factor awareness among end users is the single greatest concern of IT respondents (52 percent).
  • The attack vectors that IT worries about the most: malicious file downloads (57 percent), malicious apps (50 percent), intentional/inadvertent leakages of sensitive data (49 percent) and email (48 percent). 
  • The top malware target inside corporate networks—the Web browser—was a concern of only 29 percent of respondents, signaling that both IT professionals and end users may not be aware that mobile browsers are no less susceptible to malware infections.
  • Device and network security is a key issue: 52 percent of respondents' organizations allow (or do not prohibit) corporate network access over unknown off-premise 3G/4G networks, and 31 percent similarly allow privately-owned devices on it. 

Skyhigh Networks’ new report, “Cloud Adoption & Risk in the Government Report,” revealed that the vectors of vulnerability are increasing in the U.S. as a result of the growing use of cloud services. The report found shadow cloud services 20 times more prevalent than sanctioned cloud – adding pressure to CIOs responsible for FedRAMP and FITARA compliance regulations.

Security firm Venafi did some survey work at RSA as well, and released the results of its fourth annual RSA conference survey. Here too, things are problematic, to say the least. Key findings include:

  • Respondents are ill-informed on how to remediate a Sony-like breach involving theft of keys and certificates. Following a breach, over three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.
  • IT security professionals simply don’t know how to protect keys and certificates and their organizations have no clear understanding or strategy for doing so. Only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea at all, 14 percent said they are using a manual process to try and manage them, and 22 percent placed the responsibility elsewhere.
  • Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results show that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they use a combination of next generation firewalls, anti-virus, IDS/IPS and sandboxes to detect these types of attacks.
  • More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) and most said it would take three or more days, or up to a week, to detect, diagnose and replace keys on all hosts if breached.

Last but not least of the report sampling is an intriguing focus relating to big data. The first survey and research report from SANS was sponsored by Cloudera, which was powered by Apache Hadoop. The study, “Enabling Big Data by Removing Security and Compliance Barriers,” reveals key use cases for big data applications, how sensitive data access is managed, how effective their security controls are, and that the C-level should be taking responsibility for data governance and security. Highlights of the responses included:

  • 54 percent integrate with existing identity and access management systems to manage sensitive data access and 45 percent authorize user access based on roles (RBAC).
  • 78 percent of those able to rank security control effectiveness said host-based security technologies were the most effective.
  • 72 percent of those able to rank security control effectiveness said network-based security technologies were the most effective.
  • 40 percent of those able to rank security control effectiveness said encryption technologies were very effective.
  • 25 percent (highest percentage) of respondents said that the CIO and CTO are responsible for big data governance.
  • 8 percent (second highest percentage) said that the CSO and CISO are responsible for big data governance.
  • Less than 5 percent said system administrators, security administrators and app developers and managers held responsibility.

Suffice it to say the percentages cited are not reason for rejoicing. 

Since this is the season for security firms to report on what they are seeing in looking at data breaches of all types, there is going to be more news about the challenges of dealing with the increased frequency and sophistication of hacks of every variety. There are also going to be a lot more pleas for better visibility, to avoid the long periods of time it is taking to detect many of these bad boys, and calls for more data sharing. This is a good thing if the good guys are to bend the curve on quickly detecting, protecting and remediating what has been a constant and consistent upward spike in malicious activities. We will keep you posted.




Edited by Dominick Sorrentino