Charles Leaver – Are You Paranoid About Enterprise Security? This Will Make You.

Written by Charles Leaver, Ziften CEO

 

Whatever you do, don’t underestimate cyber criminals. Even the most paranoid “normal” person would not worry about the source of a data breach being credentials stolen from a heating, ventilation and air conditioning (HVAC) contractor. Yet that’s what happened at Target in November 2013. Hackers got into Target’s network using credentials given to the contractor, presumably so they could monitor the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security.) The hackers were then able to use the breach to inject malware into point-of-sale (POS) systems, and then offload payment card information.

A number of ridiculous mistakes were made here. Why was the HVAC contractor given access to the business network? Why wasn’t the HVAC system on a separate, completely isolated network? Why wasn’t the POS system on a different network? And so on.

The point here is that in a very complex network, there are countless potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the idea.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “regular” people. They are hired to be paranoid. Make no mistake, no matter which particular technical vulnerability was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I cannot speak to the Target A/C breach specifically, but there is one overwhelming reason breaches like this happen: a lack of budget priority for cyber security. I’m not sure how often companies fail to fund security simply because they’re cheap and would rather do a share buy-back. Or maybe the CISO is too timid to ask for exactly what’s needed, or has been told that she gets a 5% increase, regardless of the need. Maybe the CEO is worried that disclosures of large allocations for security will alarm investors. Maybe the CEO is simply naïve enough to think that the enterprise will not be targeted by hackers. The problem: every organization is targeted by cyber criminals.

There is substantial competition over budgets. The IT department wants to fund upgrades and improvements, and attack the backlog of demand for new and improved applications. On the other side, you have operational leaders who see IT projects as directly helping the bottom line. They are optimists, and have lots of CEO attention.

By contrast, the security department too often has to fight for crumbs. They are seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and track records. These green-eyeshade people think about the worst-case scenarios. That does not make friends, and budget dollars are allocated grudgingly at too many companies (until the company gets burned).

Call it naivety, call it entrenched hostility, but it’s a real challenge. You can’t have IT given great tools to move the business forward, while security is starved and making do with second best.

Worse, you do not want to end up in situations where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterparts’ tools.

If IT and security tools don’t mesh well, IT might not be able to act quickly in response to risky situations that the security teams are monitoring or are worried about – things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that suggests dangerous or suspicious activity.

One tip: find tools for both departments that are designed with both IT and security in mind, right from the start, rather than IT tools that are patched to provide some minimal security capability. One budget line item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everybody wins – and next time someone wants to give the A/C contractor access to the network, perhaps security will notice what IT is doing, and head that disaster off at the pass.