Security Industry Failing to Establish Trust

MADRID—In other industries, failure is embraced as a learning opportunity. In security, not so much.
Instead, it’s too often an opportunity to victim-shame, a chance to mock a corporate giant such as Equifax, which recently lost 145 million customer records and whose CISO—albeit one with a lengthy IT career—held a music degree, much to the glee of the Twitter echo chamber.
In his closing keynote at Virus Bulletin 2017 on Friday, independent consultant Brian Honan said security is failing as an industry to establish trust.
“As an industry, we’re very bad at learning new stuff—and we mock victims,” said Honan, founder of Ireland’s first CERT IRISSCERT and an Infosecurity Europe Hall of Fame inductee. “Deloitte is a victim. Equifax is a victim. Yahoo is a victim. Every customer who trusted those companies with data is a victim. Yet as an industry, we laugh and we mock, and our reaction is not to learn or share, but to keep things quiet.”
Instead, he made an impassioned plea to learn from other industries, such as the airlines, that plan for failure, expect things to fail and react accordingly. The result, as he showed on Friday, is a remarkable turnaround in the airline industry’s safety record since the mid-1980s.
“We need to share our dirty laundry, and stop creating an atmosphere of fear and mocking,” Honan said. “Our first reaction needs to be to help and not mock. If we don’t do that as an industry, the government is going to do it for us.”

The website intrusions that come to light appear to be only the tip of the iceberg, in part because victims do not want to draw attention to the incident and damage their own reputation.
The cascading failures of 2017, replete with mega breaches and global ransomware outbreaks, are symptomatic of issues that have lingered for close to two decades. As Honan points out, we still haven’t figured out passwords, we still open untrustworthy attachments, we still stink at patching, and malware still finds its way onto computers.
“In 2017, why are we still relying on people to pick ‘password1’ to protect them from criminals?” Honan asked incredulously.
Poor passwords, missing patches, out-of-date software, out-of-date antivirus, a lack of continuous monitoring and an endless string of vulnerabilities are burying security pros in a sea of distrust.
“These are not super cyber ninjas in North Korea [who are hacking us],” Honan said. “We repeat the same mistakes over and over and we’re not getting different results.”
As 2017 has so far demonstrated, major attacks now carry more real-world, bottom-line consequences than ever before. WannaCry forced hospitals across the U.K. to re-route patients. NotPetya put global shipping line Maersk out of commission for some time, along with pharmaceutical giant Merck. Maersk alone reported $300 million in losses from the June wiper attack.
And the solution enterprises and midmarket companies are given is an endless parade of appliances and products sold on the basis of fear, uncertainty and doubt without ever touching the problem.
“We need to change what we are doing. We need to change our approach based on FUD,” Honan said. “The key thing in our industry is to scare the crap out of someone and then come in with a shiny box and say ‘Here you go, this will save you.’ And when that doesn’t work, what do you do? You scare them again, and another shiny box comes in.”
Most firms aren’t in the crosshairs of advanced attackers, and most companies don’t necessarily need to concern themselves with zero days, Honan said.
“We need to stop relying on the APTs and zero days as a sales piece. What we’re trying to do is build trust,” he said. “We need to share information and lessons learned, and not be worried about doing it in an open way that may not bring value. If we don’t, I fear we may have a bleak future ahead of us where we won’t trust anything anymore. We won’t trust our elections, our transport, anything.”
Do not open suspicious emails that carry attachments; report them promptly to the security response team. When the team receives such a report, it should investigate immediately and raise its level of vigilance, because other employees may already have been compromised.
