Operational Security

3/2/2018
10:05 AM
Dawn Kawamoto

Why 46% of Companies Keep Security Strategies Status Quo After an Attack

Nearly half of organizations surveyed say their security strategy remains unchanged following a cyberattack.

Old habits die hard, especially when it comes to IT security strategy, a recent CyberArk Advanced Threat Landscape 2018 report finds.

Of the 1,300 IT security decision-makers, DevOps and app developers surveyed across the globe, 46% say their organizations failed to change their cybersecurity strategy after an attack.

Although security professionals are aware of what steps they should be taking to make their organizations more secure following a breach, roadblocks exist to prevent change, Nick Bowman, a CyberArk corporate communications senior manager, told Security Now.

"Roadblocks to change will vary per company, but can include factors like breaches not being deemed serious enough to provoke change," Bowman said.

Other potential hurdles include a misunderstanding at the board of directors' level, in which compliance with audit demands is considered the beginning and end of cybersecurity, he notes. In other cases, business processes or functions prevent security strategy changes, Bowman adds.

"For instance, it might be considered more important to launch that new web service to drive revenue today versus ensuring it is not an open door to an attacker," Bowman explains.

Indeed. The survey found the percentage of users who have local administrative privileges on their endpoint devices soared to 87% this year from 62% in 2016. That jump was attributed, in part, to employee demands for flexibility outweighing best security practices, the report states.

Big mistakes post attack
One of the biggest and most frequent mistakes organizations make following a cyberattack is to do "nothing," Bowman laments, pointing to a sense of security inertia that survey respondents cited in the report.

  • 46% say their organizations cannot prevent attackers from breaking into internal networks each time it is attempted.
  • 50% admit their customers' personally identifiable information (PII) could be at risk because it is not secured beyond legally required basics.
  • 49% of organizations have no privileged account security strategy for the cloud.
  • 68% defer cloud security to their vendor's built-in security capabilities.

And while 89% of survey respondents are aware security should begin with securing privileged accounts, credentials and corporate secrets, this practice is not widespread, Bowman notes.

"Seventy-three percent of respondents don't have a DevOps privileged account security strategy, for instance," Bowman says. "DevOps represents, potentially, a massively expanded attack surface as it creates -- automatically -- more and more privileged account credentials and secrets. If these are not managed and secured, they are obvious and tempting targets for attackers."

Signs of change emerge
Despite the somewhat bleak results in the survey, some organizations are changing their security strategies.

For example, 8% of organizations regularly perform Red Team exercises to discover critical vulnerabilities and identify ways to effectively deal with them, the report finds. And 44% of respondents say they reward and recognize employees who help prevent a security breach.

But one of the key considerations companies need to embrace is to change their mindset and think like an attacker to the point that the organization understands what the cybercriminal wants and the methods they will employ to get there, Bowman says.

"We try and get organizations to assume that their perimeter defenses either have already been breached or will inevitably get breached and put in place a security strategy that has this as a central tenet," he explained. "Attackers will get in. When they get in, they seek to move laterally using compromised accounts, credentials or secrets. What is it that is valuable in your organization? If you are a bank, it might be customer information. If you are a hospital, it could be avoiding system downtime that could disrupt surgical procedures. Once the pathway to the valuable thing or things is robustly secured and managed, Red Teams should be tasked to regularly try and compromise it, because vulnerabilities emerge and attack vectors evolve over time."

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.
