Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘ESG’

NASDAQ Hack Just Another Example of Cyber Security Vulnerabilities

Monday, February 7th, 2011

In a weekend highlighted by banal football chatter, a critical news story received minimal attention. Beyond Packers, Steelers, and new Bud Light commercials, the Wall Street Journal reported a security breach of NASDAQ last Friday. Apparently, hackers penetrated the NASDAQ OMX Group which runs a service providing “secure” communications between public companies and their boards. The target application known as “Directors Desk” is a privately-run collaboration system for corporate mucky-mucks.

This breach is yet another example of what cyber security is all about. These guys knew what they wanted (i.e., insider information) and found a way to get it. I read through a number of stories about this breach and none of them indicated when it took place. The bad guys could have been intercepting confidential communications for months or years. Imagine how much money you could have made if you had access to board of director-level banter for the past 6 months. That’s likely what took place here.

In the recently-published ESG Research report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure” (available for free download at www.enterprisestrategygroup.com), 68% of the critical infrastructure organizations surveyed had experienced at least one security breach over the past 12 months. As of Friday, we can officially add NASDAQ to this list. I hope that this breach scares the heck out of CEOs, corporate boards, Wall Street, and congress. Many public and private organizations are sitting ducks in an increasingly insidious cyber security landscape.

Does anyone else hear a ticking time-bomb?

It’s Time To Re-Examine Endpoint Security

Wednesday, February 2nd, 2011

Back in 2007, ESG asked 206 IT security professionals to respond to the following statement: “Desktop security has become a commodity market with little difference between products.” As expected, 58% of respondents either strongly agreed (17%) or agreed (41%) with this statement. In other words, it really didn’t matter whether you ran Internet security tools from Kaspersky, McAfee, Microsoft, Sophos, Symantec, or Trend Micro; all would be equally effective.

ESG hasn’t revisited this question since, but many anecdotal conversations with IT security professionals lead me to believe that nothing has changed. If anything, more people believe that endpoint security tools are a commodity today than four years ago.

In my opinion, this perception is not only wrong, it could also be dangerous. Why? For one thing, threat vectors have changed. The main threat vector today is the web and the primary target is the browser. In addition, traditional antivirus signatures have been joined by other defense-in-depth safeguards, like behavior-based heuristics and cloud services, to protect endpoints. Finally, there are the endpoints themselves. In 2007, the term “endpoint” really meant a Windows PC. Now it could mean a Mac, iPad, or some type of mobile device like a Blackberry, Droid, or iPhone.

Given these changes, CISOs should really take a hard look at their endpoint security tools before signing off on a new subscription. During this assessment, examine endpoint security tools in terms of:

  1. Security protection. This is far and away the most important thing you are buying, so prioritize the product’s efficacy over price, manageability, integration capabilities, etc. Endpoint security products should offer defense-in-depth capabilities for all types of threats. Progressive vendors are also using intelligence gathered from their installed base, along with other security intelligence, to offer much more proactive protection. If your vendor is NOT doing this, there is a problem. Note that I’m somewhat surprised endpoint security vendors haven’t really bundled disk encryption with antivirus and firewalls, but that’s another story.
  2. Integration. Endpoint security tools should easily interoperate with network security (e.g., NAC/NAP/identity-based networking, SIEM) and endpoint management tools (e.g., patch management, vulnerability management, asset/inventory management). Other endpoint tools like disk encryption, eRM, and DLP should also fit here. This will help you keep endpoint configurations up to date, monitor behavior, and enforce security policies.
  3. Management. Endpoint security tools should have their own management consoles for command-and-control. It may not be a requirement today, but I believe that central management of all types of endpoint devices will become the default configuration over time.

The main point here is that, far from being commodity products, the endpoint security tools you use could mean the difference between business-as-usual and a costly security breach. Choose wisely.

Homegrown Software is Not Secure

Tuesday, January 11th, 2011

Ask 100 security professionals to name a weak link in the cyber security chain, and a majority will point to software vulnerabilities. This is especially true in two areas: 1) Internally-developed software where developers may lack the skills or motivation to write secure code, and 2) Web applications where rapid development and functionality trump security concerns.

How vulnerable are today’s web apps? Here’s how the IBM X-Force answered this question in its 2008 Trend and Risk Report:

“Web applications in general have become the Achilles Heel of Corporate IT Security. Nearly 55% of vulnerability disclosures in 2008 affect web applications, and this number does not include custom-developed applications (only off-the-shelf packages). Seventy-four percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of the year.”

ESG Research looked further into software security in its recently published report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure” (note: this report is available for free download at the ESG website, www.enterprisestrategygroup.com). Security professionals working at critical infrastructure organizations were asked, “To the best of your knowledge, has your organization ever experienced a security incident directly related to the compromise of internally-developed software?” Alarmingly, 30% answered “yes.”

What does all this mean? IBM X-Force data clearly demonstrates an abundance of insecure web applications out in the market. ESG’s data shows that many critical infrastructure organizations are not only writing insecure code but are also being compromised as a result of these vulnerabilities. Yikes!

Insecure software is a problem that is too often swept under the rug because it isn’t easily addressed with a tactical threat management tool du jour. Yes, software security requires new skills and processes, but unless we make these changes we will continue to be vulnerable. If your lights go out sometime soon, insecure software may be to blame.

Corporate Executives Remain Lukewarm on Cyber Security

Thursday, December 2nd, 2010

What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.

In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:

  • 25% selected: “Excellent, executive management is providing an optimal level of investment and support”
  • 49% selected: “Good, executive management is providing an adequate level of investment and support but we could use more”
  • 21% selected: “Fair, executive management is providing some level of investment and support but we could use much more”
  • 2% selected: “Poor, executive management is providing little to no investment and support”
  • 3% selected: “Don’t know/No opinion”

Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.

I believe there are several problems here:

  1. Executive management doesn’t understand the risks and thus simply eschews cyber security investment.
  2. Security professionals speak in a geeky dialect that executives can’t understand, creating a communications gap.
  3. Many executives believe that a security incident would result in an inconvenience and a slap on the wrist rather than a major service outage.

It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60-year-old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.

Are IT Vendors Getting a “Free Pass” On Cyber Security?

Wednesday, December 1st, 2010

Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.

Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. Unfortunately, this is usually not the case.

According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:

  1. Only 31% of the critical infrastructure organizations surveyed always audit the security processes of their strategic software vendors (i.e., business applications, productivity applications, databases, operating systems, etc.). As bad as this is, even fewer organizations always audit their strategic infrastructure vendors (i.e., servers, storage, networking, security devices, etc.), professional services vendors, or VARs/distributors.
  2. When critical infrastructure organizations do conduct security audits, the audits tend to vary by vendor. Only 33% say that “all vendor security audits follow the same standard processes and procedures.” This means that some vendors get put through the proverbial grinder while others get a superficial inspection.
  3. In many cases, vendor audits seem to be a “check box” activity rather than a true security requirement. Forty-seven percent of critical infrastructure organizations say that they “prioritize vendors that achieve a desired security profile but still may buy from other vendors.” In other words, a secure product/vendor may be pushed aside and substituted with an insecure alternative.

Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.

In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.

Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security (or insecurity) carte blanche.

Critical Infrastructure Organizations Want Cyber Security Help From the Government

Tuesday, November 30th, 2010

ESG recently published a new research report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.

As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”

Okay, but what exactly should the government do? ESG asked this question as well; here are the results:

  • 42% said, “create and publicize a ‘black list’ of vendors with poor product security”
  • 42% said, “create better ways to share security information with the private sector”
  • 39% said, “enact more stringent cyber security legislation along the lines of PCI”
  • 39% said, “provide incentives (i.e., tax breaks, matching funds, etc.) to organizations that improve cyber security”
  • 36% said, “amend existing laws to hold IT vendors liable for security problems associated with their products”
  • 32% said, “enact legislation with higher fines for data breaches”
  • 26% said, “limit government IT purchases to vendors that demonstrate a superior level of security in their products and processes”
  • 23% said, “promote the use of FIPS-140 and common criteria certified products in the private sector”
  • 23% said, “provide funding for cyber security funding and education”
  • 22% said, “adopt and fund a public service campaign around cyber security education”

Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.

One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.

Cloud Computing? We Still Haven’t Mastered Server Virtualization!

Tuesday, October 19th, 2010

According to ESG Research, only 7% of large mid-market (i.e., 500-1,000 employees) and enterprise (i.e., 1,000 employees or more) organizations are not using server virtualization technology and have no plans to do so. Conversely, 61% are using server virtualization technology extensively in test/development AND production environments.

Okay, so server virtualization technology is everywhere, but how are large organizations using it? Many technology vendors would have you believe that enterprises are using server virtualization as the on-ramp to cloud computing. The industry crows about server virtualization’s use for IT automation and self-service, as VMs are rapidly provisioned, dynamically re-configured, and moved constantly from physical server to physical server for load balancing and resource optimization.

It’s a great vision, it just isn’t happening today. Most organizations use server virtualization for web applications and file and print services but far fewer have taken on transaction-oriented applications or databases. Many firms still struggle with performance issues when trying to align physical networks, storage devices, and servers with virtualization technology. As for VM mobility (i.e., vMotion), only 30% of the organizations surveyed by ESG use VM mobility on a regular basis. Why eschew VM mobility? It turns out that 24% of organizations say they have no need to use VM mobility functionality at this time.

The ESG data does suggest that server virtualization represents a paradigm shift driving huge changes in IT organizations, processes, and technologies, but these transitions will take time to work their way out. Many enterprises will get to a state of more dynamic data center transformation around 2013 or so.

Take my word for it: the IT rhetoric around server virtualization is visionary hype rather than actual reality. I’ve got tons of data to back this up. There are more average Joe IT shops out there than whiz-bang organizations like , , and Microsoft, and there always will be.

Good News on IT, Networking, and Security Spending in 2010

Friday, January 8th, 2010

ESG is in the process of analyzing a mountain of data about 2010 IT spending intentions. It’s a big job as we surveyed 515 mid-market and enterprise organizations in North America and Western Europe, but the data is starting to paint a good picture of what to expect this year.

First of all, it appears that IT spending will increase. Just over half of those surveyed said that their organizations will increase IT spending in 2010 as opposed to 43% in 2009. Not an overwhelming change but a statistically significant change nonetheless.

Another positive sign is where firms will focus their IT dollars. In last year’s survey, 54% of respondents indicated that IT dollars were pointed toward projects focused on IT and business cost containment. Cost containment initiatives are still important (45% of organizations believe that these projects will impact IT spending), but what’s most interesting is spending in other areas. In 2010, areas like business process improvement, security/risk management, regulatory compliance, and business intelligence will have more impact on IT spending than they did last year. In other words, organizations will look for new ways to use IT as a strategic advantage again.

Further good news for networking and security companies:

33% of organizations said that “increasing use of server virtualization” is a top IT priority. These firms will need help with their data center networks and security tools.

28% of organizations said that “information security initiatives” are a top IT priority. Interestingly, network security tops their long list of security initiatives.

27% of organizations said that “upgrading their network infrastructure” is a top priority. The research indicates that these folks need new core routers, switches, WLAN equipment, ADCs, and WAN optimization gear.

The research doesn’t indicate a return to the go-go years of IT spending, but it does point to some cause for optimism.

© 2011 Enterprise Strategy Group, Milford, MA 01757