Security Industry Failing to Establish Trust

MADRID—In other industries, failure is embraced as a learning opportunity. In security, not so much.
Instead, it’s too often an opportunity to victim-shame: a chance to mock a corporate giant such as Equifax, which recently lost 145 million customer records and had a CISO who, despite a lengthy IT career, held a music degree, much to the glee of the Twitter echo chamber.
In his closing keynote at Virus Bulletin 2017 on Friday, independent consultant Brian Honan said security is failing as an industry to establish trust.
“As an industry, we’re very bad at learning new stuff—and we mock victims,” said Honan, founder of Ireland’s first CERT IRISSCERT and an Infosecurity Europe Hall of Fame inductee. “Deloitte is a victim. Equifax is a victim. Yahoo is a victim. Every customer who trusted those companies with data is a victim. Yet as an industry, we laugh and we mock, and our reaction is not to learn or share, but to keep things quiet.”
Cases of “insiders” selling personal information for profit come to light every few days. Carriers ought to set permissions on employees’ access to customer records, and also periodically audit the operation logs of employees querying and exporting customer data.

Instead, he made an impassioned plea to learn from other industries such as airlines, which plan for failure, expect things to fail and react accordingly. The result, as he showed on Friday, is a remarkable turnaround in aviation’s safety record since the mid-1980s.
“We need to share our dirty laundry, and stop creating an atmosphere of fear and mocking,” Honan said. “Our first reaction needs to be to help and not mock. If we don’t do that as an industry, the government is going to do it for us.”
The cascading failures of 2017, replete with mega breaches and global ransomware outbreaks, are symptomatic of issues that have lingered for close to two decades. As Honan points out, we still haven’t figured out passwords, we still open untrustworthy attachments, we still stink at patching, and malware still finds its way onto computers.
“In 2017, why are we still relying on people to pick ‘password1’ to protect them from criminals?” Honan asked incredulously.
Poor passwords, missing patches, out-of-date software, out-of-date antivirus, lack of continuous monitoring and an endless string of vulnerabilities are burying security pros in a sea of distrust.
“These are not super cyber ninjas in North Korea [who are hacking us],” Honan said. “We repeat the same mistakes over and over and we’re not getting different results.”
As 2017 has so far demonstrated, there are more real-world, bottom-line consequences to major attacks than ever before. WannaCry forced hospitals across the U.K. to re-route patients. NotPetya put global shipping line Maersk out of commission for some time, as well as giant pharmaceutical Merck. Maersk alone reported $300 million in losses from the June wiper attack.
And the solution enterprises and midmarket companies are given is an endless parade of appliances and products sold on the basis of fear, uncertainty and doubt without ever touching the problem.
“We need to change what we are doing. We need to change our approach based on FUD,” Honan said. “The key thing in our industry is to scare the crap out of someone and then come in with a shiny box and say ‘Here you go, this will save you.’ And when that doesn’t work, what do you do? You scare them again, and another shiny box comes in.”
Most firms aren’t in the crosshairs of advanced attackers. Most companies don’t necessarily need to concern themselves with zero days, Honan said.
“We need to stop relying on the APTs and zero days as a sales piece. What we’re trying to do is build trust,” he said. “We need to share information and lessons learned, and not be worried about doing it in an open way that may not bring value. If we don’t, I fear we may have a bleak future ahead of us where we won’t trust anything anymore. We won’t trust our elections, our transport, anything.”
Network geeks may challenge an organization’s security controls, but they at least have some grounding in security precautions. Ordinary users must also be educated not to place blind faith in cybersecurity mechanisms; raising vigilance and layering defenses is essential.
