[BreachExchange] 5 Big Considerations for Cybersecurity Risk Managers

Destry Winant destry at riskbasedsecurity.com
Thu Feb 11 11:18:20 EST 2021


https://latesthackingnews.com/2021/02/09/5-big-considerations-for-cybersecurity-risk-managers/
Cybersecurity has become a hot topic lately, due in no small part to
the sheer number of leaked accounts that have been made public over
the last few months. Back in September, one data breach leaked the
names, encrypted password hashes and titles of countless converted
documents.

Even more concerning was the fact that the same breach exposed over 70
million different email addresses. Few people want to experience this
same kind of occurrence in their own place of business, which might
help to explain the renewed interest in security issues. Those in a
decision-making position need to be careful, however, because there
are a few pointers they need to keep in mind before investing in any
real solutions.

1. Choice of Platform
When it comes to choosing a cyber-risk management platform, there are
several considerations that IT managers will want to keep in mind.
More than likely, you’re going to have to select a firm that offers
security services that are delivered over a network. On-premise
deployment has simply gotten too expensive and complex for a majority
of smaller businesses to handle. Even larger firms that have many more
resources to draw from will probably want to consider cloud
computing-based solutions.

Managers at these companies will also want to think about a few other
cost-related considerations.

2. Budget Constraints
Few programmers and security experts are ever willing to discuss
dollars and cents when it comes to locking down a network perimeter,
but it’s an important conversation to have. While it might not be a
popular statement to make, it’s certainly true that some companies
have adopted unnecessary security protocols that cost money but
achieve very little. Other firms have put together excellent
deployments even though they’re bound by tight IT department budgets.

Take a few minutes to seriously consider how much your firm is really
willing to spend on reducing its attack surface. Once you have at
least something that resembles a concrete number you’ll be in a better
position to make some purchasing decisions.

3. Message Communication
Some experts are of the opinion that a majority of security breaches
happen because of either poor password hygiene or some other silly
mistake that provides an attack vector for bad actors. Unfortunately,
IT department staffers have taken such a heavy-handed approach to
security that there are plenty of employees out there who no longer
want to hear decent advice.

Creating educational cybersecurity presentation materials that
employees can work through on their own time might be a better approach.

This technique doesn’t involve the age-old stereotype of a
cybersecurity expert browbeating everyone in a company to change their
passwords regularly. It instead encourages people to learn at their
own pace and form good habits that they can use to secure every
digital account they use in cyberspace.

4. Hardware Profiles
For the longest time, computer scientists were urging people to
reconsider the way that they deployed software in their businesses.
They hoped that individual implementations would become more secure by
reducing vulnerabilities in the networking stack. Some engineering
teams are now saying that this was the wrong approach and instead
recommend using software to cut down on the attack surface of certain
devices.

Intel’s dev teams have been making headlines lately by promoting a new
ransomware detection scheme that’s baked entirely into silicon.
Apparently, the organization has been working with specialists from
Cybereason to develop the technology, which will prevent the execution
of arbitrary code at the lowest level.

This kind of system may have helped to prevent the Spectre CPU
vulnerability, which was in part due to certain failings in the way
x86/x86_64-series microprocessors performed certain instructions. If
these chips had some way of preventing the execution of these code
segments, then any forthcoming kernel updates would have been
superfluous.

5. Repository Contents
IT department managers who aren’t currently in the habit of checking
what’s offered for download in various git repositories might want to
start. It costs nothing and takes only a few minutes out of every day,
yet this simple tactic can help put a stop to security threats before
they start.

A number of high-quality tools are consistently ending up as
open-source projects. Some of these, like Facebook’s Pysa code
analyzer, were developed by major institutions and are custom-tailored
to work with specific platforms. Those who are running GNU/Linux or
any of the *BSD operating systems will more than likely find
precompiled binary packages in their distro’s own repos, which makes
it even easier to find these tools.

A number of cracking programs have also found their way into various
open-source repositories, so you could potentially catch wind of any
threats caused by them well before the tech media gets a chance to. At
times, it might seem that staying up to date on all of these threats is
like shoveling while it’s still snowing.

That being said, IT departments that take just a few extra minutes
each day to address these considerations will find it much easier to
stay safe online.
