
Comments
Why Don't IT Generalists Understand Security?
Sara Peters,
User Rank: Author
10/13/2014 | 12:29:58 PM
Re: Understanding
@RiskIQBlogger  Ah, yes, the ol' "cost center" thing.  As you say:  "IT security is a cost and a drag on the bottom line. That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room." 

You say that's going to change. How long do you think it will take? I've been hearing for ages that eventually good security will be a selling point for businesses, and THEN they'll take it seriously.... hasn't happened yet.
GonzSTL,
User Rank: Ninja
10/10/2014 | 1:20:17 PM
Re: Risk management should become an emphasis.
Although I do agree that Risk Management is a critical part of Information Security, I'm not sold on renaming it as such. Risk Management encompasses so many aspects of an organization not directly related to IT Security. It is true that some organizations have IT Security reporting to the CRO, but my take is that it is a subject that has evolved to really become its own discipline, and really deserves to have its own seat at the table.

I also agree that IT pros in general have become increasingly aware of their need to pay more attention to security, if merely for self preservation. Since IT's role is to deliver technology that aligns with business goals, they should see that Security's role is to make sure that the technology is delivered as securely as the business allows based on risk. After all, the ideal situation is for all aspects of an organization to align with the organization's business goals.
aws0513,
User Rank: Ninja
10/10/2014 | 11:46:34 AM
Risk management should become an emphasis.
As I listened to your thoughts and perceptions in the video, I was reminded of a line shared with me a long time ago during my military career.
"You can have exceptionally skilled and trained soldiers, the best equipment, solid policies and plans, effective logistics, awesome everything.  But none of it matters unless everyone... EVERY SINGLE PERSON INVOLVED...  is on the same page with the same goals in mind."

Much of what you discussed is that very problem.  The security professionals have one particular goal that, if you think about it, is relatively new in the IT industry.  The IT professionals have goals that are more focused on service delivery, solution design, operations support, and maintenance planning....  keeping the business in business.  The business is generating revenue = the IT function is working as expected for the business to function.

Security pros would like to say they are keeping the business in business too, but what they believe is only just now becoming a tangible thing.  Thanks to recent events and media coverage, the risks are becoming more difficult to accept by business owners and customers alike.  Not just monetary loss...  reputation is also on the line.
At the same time, IT pros are seeing risk to their own careers by not hearing the guidance provided by security pros.  If a business is not generating revenue because customers have lost confidence in the way the business protects private information, the business may have to make changes to stay afloat.

The gap between these viewpoints still exists because there is still this intangible aspect of security that is difficult for many people, not just IT pros, to rationalize with their current goals.  How does one measure the effectiveness of a fence and gates around a warehouse other than to say that nothing bad happened in the warehouse recently?  Nothing bad can happen without the fence and gates just as easily.  The chance for a bad thing to happen may be higher, but that is still often an unmeasurable factor.
What makes things even more challenging for gaining hearts and minds in regards to security is the fact that threats against our environments are changing tactics so fast that all the fences and gates in the world may still fail to stop those "unknown unknowns".  Organizations with solid security programs are still getting hacked out there, and such news undermines the opinion of security practices because people see such breaches as "security failed again".

"Risk Management Professional"...   maybe that should be the new name for security pros.  Heck, maybe security should be renamed to risk management.  That is all security really is.  Maybe more people would be able to rationalize the need for risk management practices?  Maybe a renaming of the security industry is in order to make it more understandable to IT pros, business owners, and consumers alike.

I will say that I do sense a slow shift in the IT professional mindset however.  As IT pros learn more about what can make them look bad in the eyes of business management, they are also learning more that the security risk management pros can help them avoid those possible as long as they learn to work well together.
Steve Yarlly,
User Rank: Apprentice
10/10/2014 | 10:55:07 AM
Re: IT vs Security
As far as your example of a security person setting up firewall rules, that to me seems to be more a network engineer's job.  While it is certainly a good idea to have a security person's input for setting up firewall rules, the actual implementation of the rules should be performed by a network engineer, not a security specialist.  Separation of duties must be maintained.  Having a security specialist provide input on the request and if approved the network engineer will implement.

My two cents.
GonzSTL,
User Rank: Ninja
10/10/2014 | 9:50:49 AM
Re: IT vs Security
@ODA155 "What I think the real problem is, that it's not who gets it more, it's communication because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because it's going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the designed process."

That hits the nail right on the head, as the saying goes. When it comes right down to it, most IT security issues boil down to design flaws or weaknesses, whether it be in software, hardware, or architecture. In over 20 years of IT experience including software development, desktop standardization, server infrastructures, network engineering, business analysis, security, and management, I have seen IT groups focus almost exclusively on the design and delivery of technology without bothering with the security aspects of their solution. And yes, too many times security is brought in as an afterthought. There are tremendous pressures on IT to deliver technology that enable business processes, and if security and IT are on a linear reporting structure, security will almost always lose, and securing the technology will be a catch up game at best. Needless to say, there is also a communications gap between IT and security. As you know, ISC² maintains that soft skills, along with the 10 domains, are vitally important to a security professional. Security folks must communicate their security goals properly and effectively, to ensure that security is involved at the design stage of any IT technology project. At the same time, IT must also listen to security, and together, they should collaborate as a team to deliver secure solutions that enable business processes to function efficiently through the use of technology. I also teach InfoSec, and I drive that point home to my students; in fact, I always recommend to them books on effective business writing, communications, and teamwork and leadership skills. It is well known that soft skills rank very high on the "wish list" for security job openings, sometimes even rating higher than actual technical skills, especially at the management level. Incidentally, I agree that the CISSP certification is valuable (or else I would not have gotten it). 
At the very least, it shows that an individual not only possesses broad knowledge in security, but also has practical experience in the application and deployment of secure practices.
macker490,
User Rank: Ninja
10/10/2014 | 7:18:09 AM
security starts with software control
the common thread in all this hacking is : malware

malware is un-authorized software

the key to security then is controlling the software.    and you can only do that by starting in the os -- and that is where the real trouble is.    and only the os oem can fix it.    you cannot fix it by tacking on patches.

data encryption and secure passwords are easy to use -- but useless if your system is compromised with unauthorized programming.
bearinboulder,
User Rank: Apprentice
10/9/2014 | 5:25:55 PM
There's no middle ground
I put a lot of the blame on the security people building a moat around their castle.

I'm a software person but by studying for (and actually testing for) an appropriate certification I can 1) learn a lot, 2) learn the common language I need in order to talk to my peers, and 3) get a credential that will tell my peer's boss to give me a chance. I'm not asking for free rein just because I have a stupid cert, I just want a seat at the table to express my concerns instead of being treated like an idiot later by people who might know less about their subject than me.


Unfortunately security has gone the other way. I can pass exams but, except for CompTIA, I can't get certs because they all require extensive job experience where your only job is security. That means it's a lot harder for me (and others like me) to act as a bridge between development and security teams, it means I have a harder time advocating for little things that will improve security, etc. There's no way to distinguish myself from a guy who read a few DZone papers and is now convinced he has all of the answers.


Sure, some people know what "Associate of ISC2" means, but few will care since infosec isn't my job. It's even worse with CEH - you can make a strong argument that at least one person on every user-facing team should be a CEH but nobody can get it if they're developers, not infosec.

The flip side is also an issue. Since infosec people are expected to focus on infosec they never develop the breadth of experience that will allow them to easily communicate with their non-sec peers. So instead of being involved in early design (or even architectural) meetings and discussing their concerns in a way that the developers, DBAs and sysadmins understand they come in later with decrees that often make no sense from our perspective and then wonder why there's anger.
PZav,
User Rank: Author
10/9/2014 | 4:20:31 PM
Understanding
It's probably a lack of understanding into exactly the challenges posed by information security. I believe most IT people consider information security folks to be the goalies. It's their job to provide a barrier. In IT's mind that just means more hardware, which is a subset of IT's world.

Good IT people are more focused on operational efficiency, capacity planning and making improvements across the board. Outsourcing IT and cloud solutions has increased IT's visibility and given them a seat at the executive table as they're now key revenue drivers.

Info Sec is a different animal altogether. They have all the above concerns, but they also lack influence. IT security is a cost and a drag on the bottom line.

That can have all sorts of consequences, but namely they're the last to present, the last voice heard and used to be the least interesting voice in the board room. However, that's going to change.

The key now is to have people who can translate info sec needs into language that not only IT can understand but also executives. Most executives are risk averse, they just need to understand the risks.
Killer"B",
User Rank: Strategist
10/9/2014 | 2:15:21 PM
Re: IT vs. InfoSec
@ Sara Peters Yes it will be a never ending journey, until the journey ends. Some businesses will have a longer journey than others. The length of the journey will be directly correlated to the business' understanding of the cost of a security failure. The failure does not have to be the theft of data, but could be just a takedown. Take Code Spaces for instance, their failure was due to a poor understanding of their security exposure. Because of this they succumbed to a takedown. Their data was not stolen, their house was burned down. It would be interesting to know the ripple effect, what other businesses were impacted and to what degree because their data was lost.

To your questions. No more security as a bolt on. It will take time, but security must be included in the design/planning phase of projects. However, this will come with culture change in the organization and also at the college level. If security is included up front we will significantly reduce the ridiculous flaws (Bash anyone) that show up. They cannot be separate, they must work together. IT and InfoSec are two different disciplines, not responsibilities that using the same platform. IT does the moving and storage, InfoSec does the valuation and protection of what was moved and stored.

Another analogy. IT/InfoSec are like man and woman. Each has specific roles, disciplines and skill sets. But left to themselves they will not alone propagate the human race. They must come together, do a little dance (you know the rest) and keep things moving forward.

One last thing. Money plays a big role in this as well. Money is the great equalizer; you pay for something that has value. If it does not cost something, you should question its value. Open source, free ware, whatever you want to call it should give you pause. If your data has value to you, you should protect it from theft or getting burned down. If the owner/board of directors doesn't understand this, then you have a culture problem and are a Code Spaces waiting to happen. If the boss gets it, but the IT team doesn't, then you have options, find a new IT team.
ODA155,
User Rank: Ninja
10/9/2014 | 1:53:49 PM
Re: IT vs Security
"I can say that Security people are laser-targeted specialists and IT folks have to know a lot about everything."

To that I disagree, and here is my reasoning. In my opinion an "IT Generalist" is not really IT, they're someone whose interests are geared more toward business interests, getting the project in on time or project managers. Someone only interested until the system\project is handed off to IT professionals who must administer and maintain what they've been handed. Ask any person who's made their living in IT working with systems or the core infrastructure of how your company's IT environment is configured. When a generalist needs something done they go to the specific IT personnel that can accommodate their needs whether that be, admin, application, database support or something at a higher level. Also, I believe that the BEST security folks come from the ranks of IT professionals like SYSADMIN and network engineers.

Security professionals, while "laser focused", must know a lot more than just the security side of things and that said there are so many different areas of security I can understand why people would think it's that simple. OK, now putting aside the argument of whether the CISSP certification is worth it, I believe that it is, others don't. Putting that aside, I've listed below the ISC2 10 Domains of Information Security, I've had my cert for over 10 years now, and I have to tell you that my laser cannot focus on all of that... there's no way and anyone who says that they are is lying to you. Like any other profession with multiple levels and concentrations you find your niche and resources.

What I think the real problem is, that it's not who gets it more, it's communication because neither side wants to listen to the other. For instance, there is a project to design and build out something to do something really cool for the business. The system design team may not include security because it's going to change how they want that system to do those very cool things and they may not want to hear it... just apply security once it's up and running. Security knows that once it's up and running (which is when we normally find out it's even up and running) it's too late in most cases to build proper security processes or systems into whatever is being planned, therefore requiring extra effort from all teams involved (again) afterward instead of during the designed process.

I would invite anyone in my company to come walk a day in my "security shoes"... user awareness... phishing emails... CRYPTOLOCKER... CRYPTOVAULT... other assorted malware... firewall rulesets... PCI... HIPAA... SOX...Penetration Testing... compliance configurations... vulnerability scanning and reporting... explaining why any vulnerability on any Internet facing device should not go unresolved regardless how minimal... C-Level people who want non-expiring passwords (yeah), web filtering... user access management and my very favorite thing to do, knife fight with DBA over database security for MSSQL vs Oracle.

Thanks, I've said enough and I hope I haven't made too many folks upset.

 

ISC2 10 Domains of Information Security
1. Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
2. Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
3. Information Security Governance and Risk Management – the identification of an organization's information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
4. Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
5. Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
6. Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure, operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
7. Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
8. Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
9. Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
10. Physical (Environmental) Security – addresses the threats, vulnerabilities and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information.

