Editor's note: This is part two of a series on CISO challenges. Part one looks at some of the common issues and threats enterprises face and how CISOs identify and address them.
There is a long list of common problems that plague CISOs and their enterprise security teams. But compliance requirements, patch management and basic password hygiene are just some of the widely known CISO challenges. There are many more cybersecurity blind spots that lurk under the radar. At RSA Conference 2016, several CISOs and security experts discussed some of the cybersecurity blind spots that enterprises often don't see until it's too late. Here's what they had to say.
Cybersecurity blind spots: Networking & cloud
Randy Marchany, CISO for Virginia Tech University, oversees a 40,000-node network -- IPv4 and IPv6 -- on multinational campuses. Some of the older intrusion detection systems don't know what to do with IPv6 packets, so they let them through. "Firewalls are not effective protection or even detection devices," Marchany said during a CISO panel discussion at RSA Conference. "Ignoring encrypted traffic is a big risk, so we look at outbound traffic over inbound traffic. Encrypted traffic doesn't bother us; we pay attention to the destination -- the encryption doesn't matter."
Other panel members noted one piece of data that companies are not looking at but should be: HTTP errors in their network streams. Companies that end up with multiple clouds also need to address the problem of privilege across those clouds. Another area of concern is data exfiltration through tunneling -- a rabbit hole. "Organizations must consider how they are going to manage a variety of challenges when moving to the cloud," added Demetrios "Laz" Lazarikos, CISO for vArmour and former CISO for Sears online.
Lazarikos also provided the following to consider:
- Regulatory compliance in existing on-premises environments and cloud environments; are they the same, or different? Do they change as they move from on premises to the cloud?
- Audit trails and accountability are critical as workloads move from on-premises infrastructures to the cloud, and vice versa.
- Policies required for the on-premises environment need to be tailored for application with cloud solutions.
Charles Renert, vice president of cybersecurity of ViaSat, a satellite telecommunications company, said encrypted networks should be on every company's radar. "While encryption has become the new norm, with over three-quarters of internet traffic being encrypted today, there are concerns with its ability to keep up with increasingly high-bandwidth applications and data centers," Renert said. "Businesses are regularly faced with the tradeoffs between network performance vs. protecting cloud and shared infrastructure, with the trend favoring the latter."
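One way to turn the panel's networking advice into a concrete check, as an added example that is not from the article or any of the panelists: flow records are judged by where they go rather than by payload, so IPv6 flows and encrypted flows get the same treatment as plaintext IPv4, and plaintext HTTP error counts surface the signal the panel said companies overlook. The network ranges, addresses and sanctioned-destination set are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (not from the article): one record per
# connection as a flow collector might summarise it. Payload is never
# inspected; only addresses, ports and (for plaintext HTTP) status codes.
FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.10", "dport": 443, "app": "tls"},
    {"src": "10.20.1.15", "dst": "198.51.100.7", "dport": 443, "app": "tls"},
    {"src": "2001:db8:1::42", "dst": "2001:db8:ffff::9", "dport": 443, "app": "tls"},
    {"src": "10.20.1.99", "dst": "10.20.1.5", "dport": 80, "app": "http", "status": 200},
    {"src": "10.20.1.99", "dst": "10.20.1.5", "dport": 80, "app": "http", "status": 404},
    {"src": "10.20.1.99", "dst": "10.20.1.5", "dport": 80, "app": "http", "status": 500},
    {"src": "10.20.1.99", "dst": "10.20.1.5", "dport": 80, "app": "http", "status": 403},
    {"src": "192.0.2.50", "dst": "10.20.1.5", "dport": 443, "app": "tls"},
]

# Internal ranges, IPv4 and IPv6 alike (constructed placeholder values).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "2001:db8:1::/48")]
# Destinations the organisation knowingly talks to (constructed placeholder).
SANCTIONED = {ipaddress.ip_address("203.0.113.10")}

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def review_flows(flows, error_threshold=3):
    """Return outbound flows to unsanctioned destinations (v4 and v6,
    encrypted or not) and internal clients with an unusual HTTP error count."""
    unsanctioned = []
    errors = Counter()
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        # Outbound = internal source, external destination; the destination
        # decides, not whether the session is TLS.
        if is_internal(src) and not is_internal(dst) and dst not in SANCTIONED:
            unsanctioned.append((f["src"], f["dst"], f["dport"]))
        # Plaintext HTTP 4xx/5xx responses, tallied per internal client.
        if f.get("app") == "http" and f.get("status", 0) >= 400:
            errors[f["src"]] += 1
    noisy = sorted(h for h, n in errors.items() if n >= error_threshold)
    return {"unsanctioned_outbound": unsanctioned, "http_error_hosts": noisy}

if __name__ == "__main__":
    for key, value in review_flows(FLOWS).items():
        print(key, value)
```

The inbound flow from 192.0.2.50 is deliberately ignored, matching the panel's emphasis on outbound over inbound traffic.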
Cybersecurity blind spots: Devices and systems
Pavel Slavin, technical director of medical device cybersecurity at healthcare firm Baxter International, said the growth of connected devices, especially in the healthcare industry, poses serious risks. "Medical devices are big news -- not because it's IoT, but because they can help patients or even kill patients, if hacked," Slavin said. "Established security practices don't always apply, so how do you protect a device in ICU? Medical personnel won't always take their gloves off to do biometric authorizations, and they may not always remember the password for every device."
Other considerations include determining how to provision the keys to millions of devices and then managing the keys. CISOs also need to consider what types of vulnerability, threat and attack data they are missing. For example, system images have a lot of data to help detect the existence of an attack that remains on the network.
"In healthcare, the preservation of life is the very first priority," Lazarikos added. "Having cumbersome and unrealistic infosec solutions in place that prohibit a doctor from achieving this goal will never be successful."
Cybersecurity blind spots: Applications
Most enterprises rely on complex legacy applications for mission-critical operations. And therein lies the problem. "We had one of our clients tell us 'A layer in our SAP system was not being taken care of that included managing roles, profiles, authorizations and permissions tied to business functions'," said Juan Perez-Etchegoyen, CTO at Onapsis, a cybersecurity firm based in Boston that focuses on SAP software. "SAP is so complex that the landscape is hard to control. The security of business-critical apps tends to be outdated and misconfigured. It often takes 18 months for SAP to fix the vulnerabilities uncovered in the market."
Members of the CISO panel at RSA Conference also recommended that when it comes to application security, make sure interactions are taking place from within the apps and not through a service behind the scenes. "Structure your systems based on a need-to-know basis and integrate with human resources," said Don Smyczynski, CISO for Rich Products. "If someone moves to a new business unit, department or location, we delete the account and recreate it -- picture a 20-year employee with additive access rights."
Brad Taylor, CEO of managed security service provider Proficio, said software as a service (SaaS) can further complicate the situation for enterprises. "I think a lot of it boils down to end-user behavior. If end users click on a link from a suspicious email, or open a suspicious document, they often unknowingly compromise their credentials through malicious code that ultimately leads to a breach," Taylor said. "Users are also connecting to hundreds of cloud-based applications -- some authorized but many unauthorized. When moving corporate data to the cloud with little-to-no monitoring or control from the enterprise, it's difficult to manage the human element in the initiation of a data breach. We therefore often have to monitor the behaviors of compromised devices, accounts and credentials to detect malicious misuse. So our answer is to monitor and analyze behavior that could lead to a compromise or be an indicator of an existing compromise."
Mike Fitzmaurice, vice president of workflow technology at software maker Nintex, said application security is a major cybersecurity blind spot because of users. "The biggest threat to security is making mistakes," he said. "All the planning and work we do to set up systems to protect the information goes out the window if people fall off the tracks or go outside the tracks when using their applications."
Cybersecurity blind spots: Data
At the end of the day, corporate data is the most important element that enterprises need to protect. But the challenge for CISOs is shifting organizations' security programs to a data-centric approach, and identifying the data that needs to be prioritized. "We had to change our focus from device to data -- there are no device breach notification laws … only data," Marchany said. "We've been doing BYOD for over 30 years and find that hackers are not getting in and stealing data right away. They want a presence inside your network and take advantage of being on the network for a long time."
Ken Allan, global information security leader at Ernst & Young, offered some advice for enterprises. "We recommend looking at existing security operations centers -- even if they're not very sophisticated. Some companies focus on what is easy to focus on such as firewall logs and IDS triggers," he said. "But we see companies with a breach in progress, and they determine it's not causing any harm, so they leave it alone. The tech team may know how to contain it, but they don't feel it's necessary. However, the business issue may drive a very different decision or outcome on how to react."
Allan also commented on how stolen information is being used on the black market. "You would think its value would decrease over time," he said, "but an E&Y study showed that the value is actually increasing because hackers learn how to use it more effectively -- for harm."
Stay tuned for part three in this series on CISO challenges.