Threat Intelligence
6/14/2017
02:00 PM
Marc Wilczek
Commentary

By the Numbers: Parsing the Cybersecurity Challenge

Why your CEO should rethink company security priorities in the drive for digital business growth.

Digitization is progressing rapidly. From 2013 to 2020, EMC expects the digital universe to grow tenfold — from 4.4 trillion to 44 trillion gigabytes. In fact, the universe more than doubles in size every two years. However, along with that growth, the world becomes exposed to cyber attacks in an order of magnitude that is unprecedented. The tumult around the 2016 US election is just the tip of the iceberg - with a far bigger and growing issue beneath the surface.

Everyone is a potential target
Few are aware that literally every company and individual is a potential target. One in 10 people is now a victim of fraud or online offenses, a study in the UK concluded, as highlighted in The Telegraph. While these numbers appear shockingly high, it’s important to keep in mind that the overwhelming majority of these crimes are believed to remain unreported by the victims for a number of reasons, such as fear, a lack of awareness, or embarrassment.

According to Radware’s 2016-17 Global Application & Network Security report, 98% of organizations experienced cyber attacks in 2016. The perception that criminals only go after large enterprises and the public sector is completely wrong. As much as 31% of these attacks are directed at small and mid-sized companies with fewer than 250 employees. This trend is going to continue in 2017.

Cybercrime is an industry that is evolving exponentially
As reported on Bloomberg, cyber insurance premiums to protect against financial damages resulting from hacking could become a blockbuster product and rise to between $8.5 billion and $10 billion by 2020 from about $3.4 billion currently.

Cisco expects that cybercrime damages could cost up to $6 trillion annually by 2021, up from $3 trillion in 2015. However, these costs are sometimes hard to quantify and vary widely, depending on factors such as the size of the organization, the type and extent of the attack, publicity, industry, and geography. Most security experts (54%) estimate the impact of each attack at less than $100,000, but as many as 12% estimate the cost of an attack to be $1 million or above, according to Radware’s research.

Shortage of talent, missing attention in the boardroom
When asked about their primary obstacle to counter cyber attacks, more than one-quarter (27%) cited missing manpower, as the Radware report concludes. With 1 million vacancies in 2016, there is a severe workforce gap in cybersecurity, which is getting worse as the digital universe expands. Cybersecurity Ventures estimates the talent shortage will reach 1.5 million vacancies by 2019, which makes the skills rare and drives up wages.

In a 2015 study by PWC, 21% of CEOs asked globally were "extremely concerned" about cyber threats, and nearly 42% were "somewhat concerned." Frankly, these numbers appear surprisingly low, compared to the potential damages and given the workforce gap enterprises have to cope with.

So what's ahead?
Overall, the cybersecurity community seems more pessimistic about what to expect throughout 2017. Cyber attacks will become more sophisticated and catch many by surprise. According to the Radware report, the range is likely to include: Rise of Telephony Denial of Service (TDoS) and Permanent Denial of Service (PDoS) for datacenter and IoT operations; compromised surveillance systems available for rent, enabling intruders to watch through third-party cameras; more targeted and segmented ransom attacks; hijacked personal avatars and personal information for sale, or being auctioned (including medical or criminal records, lawsuit information etc.) as the Darknet goes mainstream.

CEOs should critically review their corporate priorities, as the threat of cybercrime seems to be widely underestimated. Preparing their organizations for the future requires concrete action. This includes technology investments (solid threat prevention and detection capabilities, robust incident response plans, etc.) and, more importantly, adequate resources. Since security experts are scarce, requalification programs and formal training of the existing IT workforce play a critical role in helping to close the gap.

While this might sound fairly intimidating, it would be negligent to trivialize the threat. With the expansion of the digital world, shiploads of data being processed, and the emergence of smart cities, societies will become increasingly dependent upon the availability and resilience of IT systems that affect our everyday lives. More than ever, it’s crucial to properly safeguard IT infrastructure as well as data whenever it's being transmitted (in motion), processed (in use), or stored (at rest).

Marc Wilczek is an entrepreneur and senior executive with more than 20 years of leadership experience within the ICT space. He's passionate about all things #digital with emphasis on cloud, big data and IoT services. Before serving as VP portfolio, innovation & ...
Comments
jesternl,
User Rank: Apprentice
6/16/2017 | 2:04:39 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
There are tools to mitigate this, and an ever-growing number of companies are using them.
My job is to make sure they use ours to the best of their abilities.
KristenK,
User Rank: Apprentice
6/15/2017 | 9:51:31 PM
Re: Privileged Account Security - Biggest Dirty Secret in Cybersecurity
You raise good points. I hope the authors will explore this as a topic more in depth. 
imispgh,
User Rank: Apprentice
6/14/2017 | 10:44:58 PM
Privileged Account Security - Biggest Dirty Secret in Cybersecurity
Privileged Account Security – The Giant Dirty Secret in most organizations' cybersecurity. Why isn't it being addressed? Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area, only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slowly it will take decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don't help much. This is because the relevant regulations, SOC, HiTrust etc. are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available off-the-shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, to deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.