Cybersecurity Week in Review: A Bad Week for the Good Guys and Plenty of Food for Thought
June 12, 2015 By: Peter Bernstein
Let’s start with the headlines. As the week closes we are becoming increasingly aware that the U.S. government Office of Personnel Management (OPM) data breach that was revealed last week was much larger than previously thought. We also found out that internationally respected data security solutions provider Kaspersky Lab discovered a new nation-state attack, attributed to members of the infamous Stuxnet and Duqu gang, and the victim of the malware exploit was Kaspersky. And, there were plenty of comments on the latest hack of celebrity photos as more than 570 iCloud accounts were compromised. As you can imagine, my inbox was overflowing.
This week also saw a flood of new reports and surveys from security firms which are worth a read. What follows is a sampling of recent research you might wish to review.
Lieberman Software is out with a survey that says complicated IT security solutions are not being properly deployed and, for most organizations, compliance trumps security. Highlights, if you wish to call them that, from the survey conducted at the annual RSA event include: 69 percent of respondents did not feel they are using their IT security products to their full potential. As a result, 71 percent believe this is putting their company, and possibly customers, at risk. Plus, when survey respondents were asked why they don’t use their IT security products to their full potential, 62 percent revealed they either found the products too complicated to deploy, too time consuming to deploy, or didn’t think they had the expertise to properly deploy them.
Limited mobile security and risk factor awareness among end users is the single greatest concern of IT respondents (52 percent).
The attack vectors that IT worries about the most: malicious file downloads (57 percent), malicious apps (50 percent), intentional/inadvertent leakages of sensitive data (49 percent) and email (48 percent).
The top malware target inside corporate networks—the Web browser—was a concern of only 29 percent of respondents, signaling that both IT professionals and end users may not be aware that mobile browsers are no less immune to malware infections.
Device and network security is a key issue: 52 percent of respondents' organizations allow (or do not prohibit) corporate network access over unknown off-premise 3G/4G networks, and 31 percent similarly allow privately-owned devices on it.
Skyhigh Networks’ new report, “Cloud Adoption & Risk in the Government Report,” revealed that the vectors of vulnerability are increasing in the U.S. as a result of the growing use of cloud services. The report found shadow cloud services 20 times more prevalent than sanctioned cloud, adding pressure to CIOs responsible for FedRAMP and FITARA compliance regulations.
Security firm Venafi did some survey work at RSA as well, and released the results of its fourth annual RSA conference survey. Here too things are problematic to say the least. Key findings include:
Respondents are ill informed on how to remediate a Sony-like breach involving theft of keys and certificates. Following a breach, over three-quarters (78 percent) of those surveyed would still only complete partial remediation that would leave them vulnerable to further attacks. They would conduct standard practices such as re-imaging servers, reviewing logs, removing malware, installing patches and changing user passwords. However, only 8 percent indicated they would fully remediate against a Sony-like attack by replacing potentially compromised keys and certificates to prevent further access.
IT security professionals simply don’t know how to protect keys and certificates and their organizations have no clear understanding or strategy for doing so. Only 43 percent of respondents reported that they are using a key management system. Another 16 percent have no idea at all, 14 percent said they are using a manual process to try and manage them, and 22 percent placed the responsibility elsewhere.
Many IT security professionals can’t or don’t know how to detect compromised keys and certificates. The survey results show that 38 percent of respondents can’t or don’t know how to detect compromised keys and certificates and 56 percent of the other respondents said they use a combination of next generation firewalls, anti-virus, IDS/IPS and sandboxes to detect these types of attacks.
More than half of IT security professionals admit that they cannot quickly respond to an attack on SSH keys. Almost two-thirds (64 percent) of security professionals admit that they are not able to respond quickly (within 24 hours) and most said it would take three or more days, or up to a week, to detect, diagnose and replace keys on all hosts if breached.
Last but not least of the report sampling is an intriguing focus relating to big data. The first survey and research report from SANS was sponsored by Cloudera which was powered by Apache Hadoop. The study, Enabling Big Data by Removing Security and Compliance Barriers, reveals key use cases for big data applications, how sensitive data access is managed, how effective their security controls are, and that the C-level should be taking responsibility for data governance and security. Highlights of the responses included:
54 percent integrate with existing identity and access management systems to manage sensitive data access and 45 percent authorize user access based on roles (RBAC).
78 percent of those able to rank security control effectiveness said host-based security technologies were the most effective.
72 percent of those able to rank security control effectiveness said network-based security technologies were the most effective.
40 percent of those able to rank security control effectiveness said encryption technologies were very effective.
25 percent (highest percentage) of respondents said that the CIO and CTO are responsible for big data governance.
8 percent (second highest percentage) said that the CSO and CISO are responsible for big data governance.
Less than 5 percent said system administrators, security administrators and app developers and managers held responsibility.
Suffice it to say the percentages cited are not reason for rejoicing.
Since this is the season for security firms to report on what they are seeing in looking at data breaches of all types, there is going to be more news about the challenges of dealing with the increased frequency and sophistication of hacks of every variety. There are also going to be a lot more pleas for better visibility, to avoid the long periods of time it is taking to detect many of these bad boys, and calls for more data sharing. This is a good thing if the good guys are to bend the curve on quickly detecting, protecting and remediating what has been a constant and consistent upward spike in malicious activities. We will keep you posted.