Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘cyber supply chain’

Homegrown Software is Not Secure

Tuesday, January 11th, 2011

Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns.

How vulnerable are today’s web apps? Here’s how the IBM X-Force answered this question in its 2008 Trend and Risk Report:

“Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year.”

ESG Research looked further into software security in its recently published report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure” (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, “To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?” Alarmingly, 30% answered “yes.”

What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG’s data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes!

Insecure software is a problem that is too often swept under the rug because it isn’t easily addressed with a tactical threat management tool Du Jour. Yes, software security requires new skills and processes but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.

Tags: , , ESG Research, , , Software Assurance, software security, Web Applications, X-Force
Posted in Uncategorized | 1 Comment »

Corporate Executives Remain Lukewarm on Cyber Security

Thursday, December 2nd, 2010

What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.

In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:

  • 25% selected: “Excellent, executive management is providing an optimal level of investment and support”
  • 49% selected: “Good, executive management is providing an adequate level of investment and support but we could use more”
  • 21% selected: “Fair, executive management is providing some level of investment and support but we could use much more”
  • 2% selected: “Poor, executive management is providing little to no investment and support”
  • 3% selected: “Don’t know/No opinion”

Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.

I believe there are several problems here:

  1. Executive management doesn’t understand the risks and thus simply eschews cyber security investment.
  2. Security professionals speak in a geeky dialect that executives can’t understand, creating a communications gap.
  3. Many executives believe that a security incident would result in an inconvenience and slap on the wrist rather than a major service outage

It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60 year old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.

Tags: , , Critical Infrastructure Protection, Cyber Coordinator, , , , , , , Enterprise Strategy Group, ,
Posted in Uncategorized | No Comments »

Are IT Vendors Getting a “Free Pass” On Cyber Security?

Wednesday, December 1st, 2010

Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.

Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. One would assume that critical infrastructure organizations do this type of security due diligence, but unfortunately this is usually not true.

According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:

  1. Only 31% of the critical infrastructure organizations surveyed always audit the security processes of their strategic software vendors (i.e., business applications, productivity applications, databases, operating systems, etc.). As bad as this is, even fewer organizations always audit their strategic infrastructure vendors (i.e., servers, storage, networking, security devices, etc.), professional services vendors, or VARS/distributors.
  2. When critical infrastructure organizations do conduct security audits, the audits tend to vary by vendor. Only 33% say that “all vendor security audits follow the same standard processes and procedures.” This means that some vendors get put through the proverbial grinder while others get a superficial inspection.
  3. In many cases, vendor audits seem to be a “check box” activity rather than a true security requirement. Forty-seven percent of critical organizations say that they “prioritize vendors that achieve a desired security profile but still may buy from other vendors.” In other words, a secure product/vendor may be pushed aside and substituted with an insecure alternative.

Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.

In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.

Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security–or insecurity–carte blanche.

Tags: , , Critical Infrastructure Protection, , , , , , , Enterprise Strategy Group, ,
Posted in Uncategorized | No Comments »

Critical Infrastructure Organizations Want Cyber Security Help From the Government

Tuesday, November 30th, 2010

ESG Recently Published a new Research Report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.

As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”

Okay, but what exactly should the government do? ESG asked this question as well–here are the results:

  • 42% said, “create and publicize a ‘black list’ of vendors with poor product security”
  • 42% said, “create better ways to share security information with the private sector”
  • 39% said, “enact more stringent cyber security legislation along the lines of PCI”
  • 39% said, “provide incentives (i.e., tax breaks, matching funds, etc.) to organizations that improve cyber security”
  • 36% said, “amend existing laws to hold IT vendors liable for security problems associated with their products”
  • 32% said, “enact legislation with higher fines for data breaches”
  • 26% said, “limit government IT purchases to vendors that demonstrate a superior level of security in their products and processes”
  • 23% said, “promote the use of FIPS-140 and common criteria certified products in the private sector”
  • 23% said, “provide funding for cyber security funding and education”
  • 22% said, “adopt and fund a public service campaign around cyber security education”

Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.

One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.

Tags: , Bill Clinton, , Critical Infrastructure Protection, , , , , , , Enterprise Strategy Group, ,
Posted in Uncategorized | 2 Comments »

New ESG Research Report Points To Security Vulnerabilities In the US Critical Infrastructure

Monday, November 29th, 2010

In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).

Soon after PDD-63, Deputy Defense Secretary John Harme cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Harme stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”

It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. . . we’re not as prepared as we should be, as a government or as a country.”

The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.

ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:

  1. Sixty-eight percent of the CIKR organizations surveyed suffered at least 1 security breach in the last 24 months. Alarmingly, the organizations with the strongest security policies, procedures, and defenses suffered the highest number of security breaches. It is possible that security-challenged CIKR organizations are under attack but lack the security skills and tools to remediate security incidents.
  2. Twenty percent of those surveyed rated their CIKR organization’s security policies, procedures, and technology safeguards as “fair” or “poor.”
  3. Seventy-one percent of survey respondents believe that the threat landscape will get worse in the next 24-36 months (26% believe it will be “much worse”).
  4. Almost one-third of respondents (31%) believe that the US Federal Government “should be significantly more active with cyber security strategies and defenses.”

Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT–technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.

In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.

Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk or more action. Hopefully, this report helps accelerate this activity.

Tags: , Bill Clinton, , Critical Infrastructure Protection, , , , , , , , John Harme, PDD-63
Posted in Uncategorized | No Comments »

The Ominous Warnings from the Google China Incident

Friday, January 15th, 2010

Caught between a rock and a hard place, Google did something few companies are brave enough to do — it went public about a data breach. This is especially noble as the company is really betting on cloud computing and SaaS for future growth.

While Google applications were not breached, Google (and all cloud providers) took a PR hit with this incident. That said, Google did a good job of reassuring the public about its security.

Clearly Google has its own business reasons for outing China with regard to its cybersecurity attacks. Nevertheless, there are a few bigger and more ominous warnings contained here:

  1. Sophisticated adversaries can trump strong security. Google is no TJX–it really knows what it is doing when it comes to securing its networks, servers, and applications. In spite of this expertise, however, its assets were still penetrated. The bad guys are really good at what they do, folks. If this doesn’t illustrate this fact, nothing will.
  2. Beware of industrial espionage. The breach at Google may have compromised dissident emails but I have no doubt that foreign and possibly state sponsored adversaries are poking at our networks as I write this. American and European tech companies whose business is based upon Intellectual Property (IP) should be especially worried. Sort of gives cybersecurity a whole new level of business value.
  3. The cyber supply chain may be next. The majority of our technology is now produced off-shore, primarily in Asia. How can we be sure that these components haven’t been compromised already? With the exception of the DOD, NSA, and a few other global government agencies, we are just coming to terms with this risk.

Google has a lot of chutzpah but it is really fighting a battle for the good of Google. It is up to the rest of us to recognize that we are under attack and protect ourselves accordingly.

Tags: , , , , , industrial espionage,
Posted in Uncategorized | No Comments »

Search
About ESG | Register | Contact Us | Disclosure Policy | Terms of Use | Privacy Policy
© 2011 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site