Chuck Leaver – It’s Time To Get Paranoid About Your Security

Written by Chuck Leaver, Ziften CEO

Whatever you do, don't ignore the threat of hackers. Even the most paranoid "normal" person would not worry about a data breach originating from credentials stolen from its heating, ventilation and air conditioning (HVAC) contractor. Yet that's exactly what happened at Target in November 2013. Hackers got into Target's network using credentials issued to the contractor, probably so it could monitor the HVAC system. (For a good analysis, see Krebs on Security.) The hackers were then able to use that foothold to spread malware to point-of-sale (POS) systems and exfiltrate payment card details.

A number of ludicrous mistakes were made here. Why was the HVAC contractor given access to the enterprise network? Why wasn't the HVAC system on a separate, entirely isolated network? Why wasn't the POS system on a different network? Et cetera, et cetera.

The point here is that in a very complex network there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO's team. Security professionals aren't "normal" people. They are paid to be paranoid. Make no mistake: whatever the particular technical vulnerability that was exploited, this was a CISO failure to expect the worst and prepare accordingly.

I can't speak to the Target HVAC breach specifically, but there is one frustrating reason that breaches like this happen: a lack of financial commitment to cybersecurity. I'm not sure how often businesses fail to fund security simply because they're cheap and would rather do a share buy-back. Or perhaps the CISO is too timid to ask for what's needed, or has been told that he gets a 5% increase regardless of the need. Perhaps the CEO is worried that disclosures of big allocations for security will startle investors. Perhaps the CEO is simply naïve enough to believe that the business won't be targeted by hackers. The problem: every business is targeted by cyber criminals.

There are serious contests over budgets. The IT department wants to fund upgrades and enhancements, and attack the backlog of demand for new and better applications. On their side, you have line-of-business leaders who see IT projects as directly helping the bottom line. They are optimists, and they get lots of CEO attention.

By contrast, the security department often has to fight for crumbs. They are seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about worst-case scenarios. That does not win friends, and budget dollars are allocated grudgingly at many companies (until the company gets burned).

Call it naivety, call it institutional hostility, but it's a genuine obstacle. You can't have IT given great tools to move the enterprise forward while security is starved and making do with second-best.

Worse, you don't want to end up in situations where the rightfully paranoid security teams are working with tools that don't fit together well with their IT counterparts' tools.

If IT and security tools don't mesh well, IT may not be able to act quickly on the risky situations the security teams are monitoring or worried about: things like threat intelligence reports, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates risky or suspicious activity.

One suggestion: find tools for both departments that are designed with both IT and security in mind from the start, rather than IT tools that are patched to offer some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO's team. Everyone wins, and next time someone wants to give the HVAC contractor access to the network, maybe security will notice what IT is doing and head that catastrophe off at the pass.


~leaverchuck1
