
Closing Cybersecurity Gaps

Dave Frymier

November 1, 2014
Diane Ritchey
KEYWORDS Bring Your Own Device (BYOD) / business unit cybersecurity / cyber security awareness / mobile device security

There is a common plot line that underlies most of the breach stories in the news. Software written by bad guys gets into places on the corporate network where it shouldn’t be. It looks around, finds vulnerable systems, grabs valuable data and transmits it off the network. The term most commonly used to describe this behavior is Advanced Persistent Threat (APT). 

“Besides the APTs themselves, some of the big risks security professionals face today are the things that enable these sophisticated attacks in the first place,” says Dave Frymier, Chief Information Security Officer at Unisys. “Much has been made of the extent to which the traditional corporate network perimeter has been made porous by such things as the consumerization of IT and the advent of BYOD and BYO-app – either sanctioned or not. Also, the corporate belt-tightening that happened as a result of the financial shocks in the last 10 years has left plenty of skeletons in the digital closet.” Those include:

• Legacy systems – These could be running on outdated platforms and were perhaps created in a time before modern security controls and defensive programming techniques. Usually very expensive to replace, these apps tend to just live on – the older they get, the more vulnerable they become.

• Dark matter – In physics, dark matter is material/mass we infer exists, but can’t find. Many corporate networks are full of it as well – PCs and servers that are on our networks, but not participating in inventory, patch management and anti-virus/malware environments. These systems are there, but they generally can’t be seen. Where do they come from? Some of them are personal machines; some may be systems that weren’t properly disposed of after a refresh. Also, the larger an organization, the more likely there are business units that will buy their own computers and put them on the network.

• Shadow IT – Business units decide that corporate IT processes are too slow, too bureaucratic and too restrictive for what they want to do, so they create their own. This is a bonanza for the bad guys, since these systems are connected to the main corporate network and are almost never properly monitored. Once compromised, these systems can be used as a base for exploiting the rest of the corporate environment.

• Phishing emails and MS domain credentials – It has been estimated that as much as 80 percent of workstation infections come from employees clicking on something they shouldn’t in a phishing email. Once malware has a toe-hold on a Windows workstation or server, it is ridiculously easy to dump the local password store and capture any credentials stored there. If it contains domain credentials – and it usually does – these can be used to log into other computers on the network.

• Third-party interfaces – The trend toward outsourcing all sorts of service functions from sales force automation to print services to HVAC monitoring means that other companies have access to at least parts of the corporate network. These interfaces should be firmly controlled, limiting their access to specifically the functions they need and nothing else.

 

What has been the biggest APT to date? Could it be Shellshock?

The biggest APT to date would probably be Home Depot, followed by Target. Shellshock isn’t an APT – it’s a vulnerability. It could provide an opening for an attack, but it’s not the attack itself.

 

How can a security enterprise executive stop employees from clicking on something they shouldn’t in a phishing email?

Security awareness training is the best way to stop negligence, but this has been historically insufficient. More attention is being paid to this area now, and some companies are making a business of it (SANS, Digital Defense). Unfortunately, it tends to be a dry topic.

 

What do you mean when you say that business units create their own IT processes? Doesn’t that add to the complexity of a network?  

In this day and age of BYO-everything, all a business unit needs is a couple of tech-savvy people and a willingness to break the corporate rules. They can take a credit card and inexpensively buy an entire virtual IT infrastructure from Google, Amazon or any other cloud provider, load software on it – and away they go. This is how most startups handle their IT these days. In a larger organization, sooner or later, if such an initiative is successful, it will grow beyond the capabilities of a couple of tech-savvy people to handle – and then the fire alarm goes out to the real IT department.  

 

How can third-party outsourcing be controlled? 

How to exert due diligence without cramping the capabilities of the outsourcer that led you to engage them in the first place is a major issue as well.  First, you need a good contract. Second, you need some sort of audit rights – so they know you will be watching. Third, there are some emerging technical controls that could be used to hide sensitive data from third-party service providers using encryption techniques. Unisys Stealth and products from NetApp and Vormetric are examples of this.  

Diane Ritchey has been Editor, Communications and Content for Security magazine since 2009. She has an experienced background in publishing, public relations, online content and communications. Within her role at Security, Ritchey authors the annual Security 500 Report, exclusive cover stories and the monthly Security Talk column.
