Failure to Communicate Hamstrings Cyberdefenders

A failure to communicate between security pros and company brass may be contributing to the inability of a significant number of organizations to reduce the risk of cyberattacks on their systems.

That was one of the findings last week in a study conducted by the Ponemon Institute and sponsored by Websense.

Thirty-one percent of the nearly 5,000 respondents surveyed for the study said their cybersecurity team never met with the executive team about cybersecurity. Twenty-three percent of the surveyed IT pros said their teams only met annually with company brass.

Security professionals often complain that management doesn’t get the relationship between data loss and revenue loss. That shouldn’t come as a surprise, given how little the parties communicate with each other.

“Thirty-one percent is a big number to say they never communicate with their executive teams. That’s not healthy,” said Jeff Debrosse, director of security labs at Websense.

“That would clearly support why some security professionals believe that their executive management doesn’t relate being exploited with the loss of revenue,” he told TechNewsWorld.

Vein of Disatisfaction

The latest buzzword in business circles is “agility” — agile marketing, agile software development, agile modeling.

“In an agile world, everyone wants to pivot and shift quickly to any change in design or customer demand, but security is not very much different,” Debrosse said.

“As attackers change their tactics, I’d want to be in constant communication with my executive team,” he continued. “They have to understand a threat, what our capabilities are for defending against that threat, and whether our industry is being targeted, our company is being targeted, or we’re just a target of opportunity.”

The researchers also struck a rich vein of discontent among security professionals toward their existing protection systems. Some 29 percent of them said they’d like to totally overhaul their current systems. Another 13 percent said they wouldn’t change anything about their current system because nothing they could do would protect them against a determined attacker.

“That’s quite telling,” Debrosse said. “It shows they’re not confident that where they are today — from a security standpoint — is supporting their organizations adequately.”

Active Directory Flaw

Security researchers at Aorato discovered a flaw last week in Active Directory that allows an attacker to change a user’s password. Since 95 percent of all Fortune 1000 companies use that Microsoft program, the vulnerability could be very troublesome.

An attacker can impersonate the victim to access various enterprise services — such as Remote Desktop Protocol Logon and Outlook Web Access — that require the explicit use of the victim’s password, Tal Be’ery, vice president of research at Aorato, explained in a company blog.

Worse yet, logged events miss the vital indication of an identity theft attack, he noted. The attacker can perform this activity unbeknownst to event logs, making log-based SIEMs and Big Data security analytics useless against an attack.

The flaw stems from Microsoft’s penchant for backward compatibility.

“Although Active Directory supports newer, securer versions of the flawed protocol, it also supports older versions,” Be’ery told TechNewsWorld. “Due to that fact, it’s only as secure as the oldest protocol.”

Aorato has alerted Microsoft to the flaw, but the company is reluctant to patch it.

“They’re calling the vulnerability a ‘limitation,’ and they’re not going to fix it,” Be’ery said.

“This is a well-known industry limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120). Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site,” Microsoft noted in a statement provided to TechNewsWorld by spokesperson Katherine Kerrigan ofWaggener Edstrom.

OK to Reuse Passwords

Speaking of passwords, Microsoft raised the hackles of a few security experts last week when it recommended that weak passwords be reused.

The recommendation — along with a scheme for organizing passwords based on user value — was aired in a 16-page paper by Microsoft researchers Dinei Florencio and Cormac Herley, in partnership with Paul C. van Oorschot, Canada Research Chair in Authentication and Computer Security at Carleton University.

“Our findings directly challenge accepted wisdom and conventional advice,” the reserachers wrote. “We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal.”

Users should identify the importance of a service and assign a password based on that, the researchers’ suggested. Weak passwords would be OK for less important sites, and strong passwords would be reserved for high importance sites, like a bank.

That scheme can be just as burdensome to consumers as choosing unique, strong passwords for all sites and services, argued Andrey Dulkin, senior director of cyber innovation at CyberArk.

“Regular users have trouble distinguishing what ‘important’ and ‘non-important’ services are. Most people get that banking is important — but the distinction is not clear on other services,” he told TechNewsWorld.

“Password re-use is a significant threat, both to individual users and organizations,” he added. “As users choose the same passwords for online and organizational services, the organization’s exposure to attacks grows.”

Breach Diary

  • July 15. New York Attorney General Eric T. Schneidermann reports that from 2006 to 2013, 22.8 million personal records of New York state residents were exposed in nearly 5,000 data breaches.
  • July 15. ForeScout Technologies releases survey of 1,600 IT security information decision makers that found 96 percent of organizations in Europe and the United States with more than 500 employees suffered a significant security incident in the past year.
  • July 16. eBay lowers annual sales targets by US$200 million — to $18 billion to $18.3 billion — due to data breach that occurred earlier this year.
  • July 16. National Consumers League reports that 72 percent of Chicago residents who were fraud victims also were affected by a data breach.
  • July 16. U.S. Senate passes bill to legalize unlocking cellphones.
  • July 16. Google hires notorious hacker George Hotz for its Project Zero initiative, which is aimed at finding software vulnerabilities.
  • July 17. Arbor Networks reports that Distributed Denial of Service attacks more than 20 Gbps in size doubled in the second calendar quarter of this year compared with the same period in 2013. In addition, more than 100 attacks at more than 100 Gbps have occurred thus far this year.
  • July 17. Indiana University reports a February data breach that exposed personal information of 146,000 current and former students cost the university $130,000. It adds that no misuse of the exposed data was reported to the university.
  • July 17. CyberArk releases annual threat report that finds 68 percent of businesses changed their security strategies due to either the Edward Snowden affair or the Target data breach.
  • July 17. Microsoft begins offering “right to be forgotten” privilege to European users of its search engine Bing.
  • July 18. Australian deal site Catch of the Day informs its users of data breach that occurred in May 2011. Users who have not changed their password since that time should change them now, it recommends.

Upcoming Security Events

  • July 24. Keep Your Data Safe with Dell Endpoint Encryption. 2 p.m. ET. Webinar. Free with registration.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Aug. 5-6. Fourth Annual Cyber Security Training Forum. Double Tree Hilton Hotel, Colorado Springs, Colo.
  • Aug.5-6. B-Sides Las Vegas. Tuscany Suites and Casino, Las Vegas. Free.
  • Aug. 7-10. Defcon 22. Rio Hotel & Casino, Las Vegas. Registration: $220.
  • Aug. 16-17. B-Sides Dubai. Dubai World Trade Center. Free.
  • Aug. 23. B-Sides Minneapolis-St. Paul. Nerdery! Free with registration.
  • Sept. 6-7. B-Sides Dubai. Move n Pick Jumeirah Hotel, Dubai. Free.
  • Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tenn. Free.
  • Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Ga.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels