What’s It Going to Take to Have Cyber Security?

Written by- Kevin L. and Kody T. McLaughlin

If you are a Cyber Security professional, do you get as mad as I do when you read and hear over and over again that Cyber Security professionals don’t have enough talent, skills, or business acumen to effectively secure systems? I say bull! That’s right, bull! In wargame after wargame I have observed that the defending team must keep an unused port open, or have a small exploitable vulnerability on their systems, so that the attackers have a chance and the games are interesting. What that tells me is that many of us know what to do and we have the skills necessary to do it, but there are organizational blockers that prevent us from effectively securing the systems we are trusted to safeguard. Until we change the business culture into one that allows cyber security professionals the latitude to mandate that system baselines are kept, that critical vulnerabilities are remediated immediately, that unused ports and unused services remain off, that comprehensive logs are sent to a security tool for analytics, etc., we will continue to have data breaches reported on pretty much a daily basis. Organizational data breaches are getting to be too common and too severe to be ignored. Already this year we have seen:

  • A 56 million credit card breach at Home Depot
  • 4.5 million patient records compromised at Community Health Services
  • A breach of over 216 stores at Jimmy John’s
  • The discovery of a 2-year, 82,600 patient breach out of Aventura Hospital and Medical Center
  • 1.4 million TripAdvisor customers compromised
  • A Neiman Marcus breach of 350,000 cards
  • A breach of 868,000 cards from 330 stores at Goodwill

Oh well, at least at the end of the day we can forget about these breaches and unwind with a few video games. That is, of course, as long as they aren’t one of the games like Destiny and Call of Duty that hackers DDoS’d with little effort.

The bulleted items above are just the high-profile incidents. Numerous smaller companies have also been compromised. Yet companies still refuse to believe that this could happen to them. According to the Ponemon Institute, 43% of companies had a data breach in the past year. It is time for companies to realize the cyber threat isn’t some boogeyman in the closet; it is a real and increasingly present threat.

These threats come with real consequences. According to a report published by IBM, the average cost of a cyber breach is $201 per record compromised. This averages out to a cost of $5.9 million per breach, with some breaches exceeding $21 million. The IBM report also suggests that customers and investors are becoming increasingly less likely to continue doing business with an organization that has had a breach.

Breaches also come with legal battles. Right now, Home Depot is caught in a firestorm of suits, one of which is to the tune of $450 million for negligence.

It is a sad state that it appears as if Information Security teams are woefully incapable of keeping up with the increasingly prominent and advanced cyber threat. This isn’t due to lack of knowledge or talent but due to lack of influence within their organization. It is too easy and too common for companies to hire CISOs and large security teams to make themselves feel safe, and then, when those teams want to change policies, procedures, or add security controls, they are shunned and ignored due to the inconvenience associated with securing systems. Or, and this appears to be the non-security business executive’s number one trump card, these CISOs and their teams are told “you just don’t understand the business,” which really means that the business executive doesn’t understand or believe the security analysis. Worse is that in most organizations these Cyber Security teams have no power to mandate that appropriate action be taken to secure organizational systems. When organizational charts put the CISO underneath executive decision makers, instead of high enough to warrant a chair at “the big kids’ table,” it is extremely difficult for security teams to make a meaningful change in their organization’s security posture. Until security teams are given the authority they need to be effective, these daily breaches will continue.


Sources:
http://www.theregister.co.uk/2014/09/23/call_of_duty_lizard_squad_ddos/
http://www.latimes.com/business/technology/la-fi-tn-community-health-hacked-20140818-story.html
http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/
http://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/
http://healthitsecurity.com/2014/09/16/aventura-hospital-reports-82601-patients-data-breach/
http://www.cnbc.com/id/102027979#.
http://www.forbes.com/sites/katevinton/2014/09/23/data-breach-bulletin-home-depot-ebay-ck-systems-call-of-duty-destiny/
http://www.bankinfosecurity.com/home-depot-faces-canadian-breach-suit-a-7351
http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/

About the author (mclaukl)

Kevin L. McLaughlin began his career as a Special Agent for the Department of the Army, where he was responsible for investigating felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee, Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security Manager with the Procter & Gamble (P&G) company (Fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (Fortune 125). Kevin has also been an adjunct since 1992. While at P&G Kevin created one of P&G’s augmentation outsourcing teams in India. Kevin designed and implemented this India team; it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has created an Information Security program, conducted Information Security strategic planning, designed Information Security solutions, investigated over 700 cyber cases and operated a Global Security Operations Center.

  • Education - MS in Computer Science Education, BS in Management of Information Systems; currently a PhD candidate in Cyber Security, University of Fairfax
  • Professional Certifications - CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC

Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University.