[BreachExchange] Security Playbook 2017: How to improve practices this year

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 29 19:24:37 EDT 2017


http://sdtimes.com/security-resolutions-trends-companies-need-consider-year/

From LinkedIn to Yahoo, companies fell into the hands of hackers and
identity thieves in 2016. Each year, companies seem to make the same
security resolutions, only to face roadblocks like skill shortages, time
constraints and budget issues, which prevent them from implementing good
security practices. Experts recommended companies consider the following
trends and predictions for 2017, instead of scrambling to fight off attacks
for another year.

Software is vital for society’s well-being, since it is critical in all
aspects of human lives, whether it’s banking or mobile applications or
national infrastructure, said Paul Curran, cybersecurity evangelist for
Checkmarx (an application security solution company).

Despite the necessity of software security, companies struggle to implement
it into development operations, and rarely do their resolutions turn into a
reality, said Curran.

However, as DevOps adoption increases, these companies are forced to find
solutions that are “built into the fabric of the enterprise to make it more
difficult for attackers to enter the system and gain access to sensitive
assets,” said Chandra Rangan, senior vice president of marketing for HPE
Security.

Security analytics is a “critical line of defense,” he said, as it can help
organizations detect and respond to threats faster to mitigate their risk.
Organizations should also change their thinking from an all-or-nothing
approach to “one that incorporates protection, detection and response,” he
said.

The shift in methodology that comes from DevOps means organizations need to
redefine security’s role in the software development lifecycle (SDLC), to
“shift left” and implement security early on in the software development
stages, instead of leaving it to the very end and in production, said
Curran.

This shift-left model presents problems for traditional application
security testing (AST) solutions like penetration testing, especially since
these solutions address security testing later on in the SDLC, and they
cannot be pushed to the development stages, said Curran.

While static application security testing (SAST) solutions can work for a
DevOps environment, “Not all SAST products fit the demands presented by the
rapid release cycles in DevOps,” said Curran.

This means companies need to find a frictionless, quick-turnaround policy
that meets DevOps requirements, which must translate into incremental
scanning, partial-code scanning, compiler-free capabilities and tight
integration with developer tools, he said.
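To make the incremental, compiler-free scanning described above concrete, here is an added example (not code from the article or from Checkmarx) of a pre-commit or CI gate that parses only the files a commit touched and flags a handful of well-known dangerous sinks. The rule set, the `gate()` exit-status convention and the sample commit contents are hypothetical; a real SAST product carries far more rules and tracks data flow across files, but the shape of the gate is what lets it run inside a rapid release cycle.

```python
"""Incremental, compiler-free static check for a DevOps pipeline.

Added example, not the article's or Checkmarx's code. It scans only the
files a commit touched, using the Python parser alone (no build step), so
it can run as a pre-commit hook or a fast CI job. The rules below are a
deliberately small, hypothetical set.
"""
import ast
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    message: str


class SinkVisitor(ast.NodeVisitor):
    """Walks one file's AST and records calls to well-known dangerous sinks."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.findings: List[Finding] = []

    def _name(self, func: ast.AST) -> str:
        # Reconstruct a dotted call name such as "subprocess.run" or "eval".
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return f"{self._name(func.value)}.{func.attr}"
        return ""

    def visit_Call(self, node: ast.Call) -> None:
        name = self._name(node.func)
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        shell = kwargs.get("shell")
        if name in ("eval", "exec"):
            self._report(node, "PY-EVAL", f"use of {name}() on possibly untrusted input")
        elif name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
            self._report(node, "PY-SHELL", f"{name}(..., shell=True) enables command injection")
        elif name == "yaml.load" and "Loader" not in kwargs:
            self._report(node, "PY-YAML", "yaml.load() without an explicit safe Loader")
        self.generic_visit(node)

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(self.path, node.lineno, rule, message))


def scan_source(path: str, source: str) -> List[Finding]:
    """Scan a single file's text; the parser is enough, no compiler or build."""
    visitor = SinkVisitor(path)
    visitor.visit(ast.parse(source, filename=path))
    return visitor.findings


def incremental_scan(changed: Dict[str, str]) -> List[Finding]:
    """Scan only the files a commit touched.

    `changed` maps path -> contents. In a hook you would build it from
    `git diff --name-only --diff-filter=AM origin/main...HEAD` and read each
    file; here it is constructed inline so the example runs offline.
    """
    findings: List[Finding] = []
    for path in sorted(changed):
        if path.endswith(".py"):
            findings.extend(scan_source(path, changed[path]))
    return findings


# Constructed sample "changed files" standing in for one commit's diff.
SAMPLE_COMMIT = {
    "app/handlers.py": (
        "import subprocess, yaml\n"
        "def run(cmd):\n"
        "    return subprocess.run(cmd, shell=True)\n"   # line 3: flagged
        "def load(doc):\n"
        "    return yaml.load(doc)\n"                    # line 5: flagged
    ),
    "app/safe.py": (
        "import subprocess, yaml\n"
        "def run(args):\n"
        "    return subprocess.run(args, shell=False)\n"
        "def load(doc):\n"
        "    return yaml.load(doc, Loader=yaml.SafeLoader)\n"
    ),
    "README.md": "not scanned: only Python files are parsed\n",
}


def gate(changed: Dict[str, str]) -> int:
    """Exit status for a pre-commit hook or CI job: non-zero blocks the merge."""
    findings = incremental_scan(changed)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.message}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_COMMIT))
```

Run as-is it reports the two sinks in `app/handlers.py` and exits 1; wire `incremental_scan` to the real diff list and the same gate runs in seconds per commit rather than hours per release.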

*From perimeter security to the zero-trust model*
Many of the tools that keep threat actors at bay focus on the idea of
network perimeter security: the boundary between the privately owned or
locally managed side of a network and everything outside it. Network
perimeter security is one way to keep malicious users out of the
environment in the first place, and while it’s important to put network
perimeter technologies in place, it’s obvious that sophisticated attackers
can easily get past these defenses, said Sam Elliott, director of security
product management at IT security firm Bomgar.

HPE Security Services’ CTO, Andrzej Kawalec, said that traditional network
perimeter technologies like access and authorization, AV and endpoint
protection technologies are no longer enough to protect information
throughout its life cycle. Most organizations rely on “building bigger
walls or moats to keep attackers out of the castle,” but today’s
adversaries can get through the front door or window easily.

“Organizations should focus their efforts on research and reconnaissance,
infiltration, discovery, capture and exfiltration or data extraction to
learn and understand the cadence and sequence of attacks,” said Kawalec.

This is why more members of the information security community have adopted
the stance of assuming hackers are already in the network, since
cybersecurity is so pervasive today, according to Elliott. This model is
known as the zero-trust model, first proposed by Forrester Research as a
way to promote the idea of never trusting any entity by default and always
verifying it, regardless of its network location. This means that no one in
the network, including employees or third-party vendors, is trusted
implicitly.

The idea of the zero-trust model was highlighted by the data breach at the
U.S. Office of Personnel Management (OPM), disclosed in 2015, which exposed
background investigations and fingerprint data of millions of Americans. A
report
<https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/>
released in September 2016 by the U.S. House Oversight and Government Reform
Committee blamed the OPM for jeopardizing the personal data of its
employees, and it detailed a long timeline of the breach, highlighting how
the OPM’s information security plans left the agency at risk.

This breach shows the community that there are significant gaps around
privileged access and privileged accounts, and the reality is there isn’t
much distinction between “insiders” and “outsiders” if the company is
implementing the zero-trust model, according to Elliott.

He added that there are many technologies that aim to solve this challenge,
and he recommended multi-factor authentication, such as requiring a second
factor like a PIN code before logging in to a network or device.
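The difference between the perimeter model and the zero-trust model described above is easiest to see on one request evaluated under both policies. The following is an added example, not code from the article, Forrester or Bomgar: the perimeter policy grants anything that arrives from an "inside" address, while the zero-trust policy never consults the source address and instead verifies the identity, its second factor and its device posture, treating an employee and a vendor alike. The resource names, roles and posture fields are hypothetical, as are the three scenarios.

```python
"""Perimeter-trust versus zero-trust access decisions.

Added example, not the article's, Forrester's or Bomgar's code. The same
request is evaluated under a castle-and-moat policy and under a zero-trust
policy so the practical difference is concrete. Roles, resources and the
posture fields are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Which roles may reach which resource, and whether a second factor is mandatory.
POLICY: Dict[str, dict] = {
    "hr-records": {"roles": {"hr-analyst", "hr-admin"}, "mfa": True},
    "wiki": {"roles": {"employee", "hr-analyst", "hr-admin", "vendor"}, "mfa": False},
}


@dataclass(frozen=True)
class Request:
    principal: str          # authenticated identity, or "" if none
    roles: FrozenSet[str]
    mfa_verified: bool      # second factor (e.g. OTP or PIN) presented this session
    device_managed: bool    # device posture attested by the endpoint agent
    source_ip: str
    resource: str


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: network location is the only credential."""
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zero_trust_allows(req: Request) -> bool:
    """Never trust, always verify: the source address is not consulted at all."""
    rule = POLICY.get(req.resource)
    if rule is None or not req.principal:
        return False                      # unknown resource or unauthenticated caller
    if not req.roles & rule["roles"]:
        return False                      # least privilege: the role must be granted
    if rule["mfa"] and not req.mfa_verified:
        return False                      # privileged data needs a second factor
    if not req.device_managed:
        return False                      # posture check applies to staff and vendors alike
    return True


def decide(req: Request) -> Dict[str, bool]:
    return {"perimeter": perimeter_allows(req), "zero_trust": zero_trust_allows(req)}


# Constructed scenarios.
# 1. Attacker holding a phished vendor password, pivoting from an internal host.
PIVOT = Request("vendor-42", frozenset({"vendor"}), False, False, "10.20.30.40", "hr-records")
# 2. HR analyst working remotely from a managed laptop with MFA completed.
REMOTE_HR = Request("alice", frozenset({"hr-analyst"}), True, True, "203.0.113.7", "hr-records")
# 3. The same analyst on the LAN, but without a second factor this session.
LAN_NO_MFA = Request("alice", frozenset({"hr-analyst"}), False, True, "10.1.1.5", "hr-records")


if __name__ == "__main__":
    for name, req in [("pivot", PIVOT), ("remote_hr", REMOTE_HR), ("lan_no_mfa", LAN_NO_MFA)]:
        print(name, decide(req))
```

The pivot scenario is the one the OPM discussion turns on: once an attacker is inside the address range, the perimeter policy has nothing left to check, whereas the zero-trust policy still fails the request on role, second factor and device posture.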

*Working to improve developer security skills*
Another recommended resolution is for companies to work on their own
developers’ or teams’ skills. According to former Symantec CEO Michael
Brown, the skill shortage is only going to get worse, because unfilled
cybersecurity job positions are on track to increase to 1.5 million by 2019.

Checkmarx’s Curran said the industry can address this issue by “dealing
with the underlying problem of poor security within software code.” And
companies can also give developers adequate training and the right tools to
deliver software that has fewer vulnerabilities, he said.

“By 2020, we will see more universities introduce secure development
courses, and developers will be measured not just on the functionality and
the speed of app delivery but also how secure their code is in relation to
measurable standards,” said Curran.

Another suggestion for countering the development skills shortage comes from
<https://www.checkmarx.com/2016/10/18/importance-application-security-awareness-training-interview-maty-siman/>
Maty Siman, CTO and founder of Checkmarx. He suggested that development
teams adopt a low-friction process, defined together with the security
team, that lets security educate developers about important security issues
while avoiding overlap wherever possible.

Bomgar’s Elliott agreed that the people and training issue is one reason
why companies are failing to address security issues. One of the biggest
challenges he highlighted is educating those who are not in the technology
industry: the difficulty is delivering effective, practical security that
does not interrupt their day-to-day productivity.

*Enhancing IoT security*
The influx of DDoS attacks this past year should be a sign that it’s vital
to pay attention to securing IoT devices, according to Curran. He added
that “the current playbook for IoT development is still immature.”

“There is not enough attention being paid to securing IoT devices,” he
said. “There is a palpable fear that a major category of IoT products
embedded within a life-critical application such as health, CNI or
automotive is vulnerable to a major attack through negligence in software
security.”

Curran predicted that over the next few years, IoT security will be
enhanced, especially as industry groups and regulatory frameworks backed by
governmental agencies are “likely to expand their role in ensuring that the
software embedded with IoT devices adheres to the agreed level of security
and compliance.”

Companies can also assess their current security measures for smartphones,
and then address the gaps by working with internal and outside service
providers that can add a layer of protection for IoT devices. Organizations
will need to buckle down and plan for the change that comes with IoT,
considering how they can begin to build a secure software development cycle
in 2017 and onward, he said.