
The State Of (Corporate) Security


Zanidd


Hello Choombas

I was just wondering if your experience concerning security is similar to mine.

A bit of bg info first. I work as an independent security consultant/pentester and oftentimes when trying to sell my service I get replies in the realms of:

  • We don't need security
  • We can't afford security
  • Security concerns have been moved down in our backlog
  • We have cyber-security-assurance

Meanwhile, whenever I get hold of a new client their infrastructure and apps are mostly vulnerable and the "Security Hygiene" isn't there (passwords being reused, written on sticky notes etc.), yet they still see security as a nice-to-have and think "it won't happen to us".

Do your experiences align with mine? Or is that a local issue 🤣


I know similar companies.

Problem is, they don't understand it will cost much more in case of a breach and no one is "too small".

And the point with the assurance is (at least in Switzerland) I am sure they will add, if not already in place, audits that if you don't have a certain level of security they won't pay. -> Like if you drive your car too fast and have an accident, or drive drunk, then your car assurance will not pay at all.

  • Like 1

1 hour ago, Florian said:

I know similar companies.

Problem is, they don't understand it will cost much more in case of a breach and no one is "too small".

And the point with the assurance is (at least in Switzerland) I am sure they will add, if not already in place, audits that if you don't have a certain level of security they won't pay. -> Like if you drive your car too fast and have an accident, or drive drunk, then your car assurance will not pay at all.

AFAIK they already have such an audit-thing where you can get up to 10% off if you're ISO certified. But the problem I see is, the smaller the company the bigger the impact of an attack.

Losing 50k may kill a small company, whereas losing 50k for Google is just another Friday afternoon.

But how do we get this information across or embed it into the mind-set of business owners and decision makers?


As it's always done. Talk about it. News / media need to talk about it. The younger and probably more aware generation climbs the career ladder.

There is nothing like a "kickstart-campaign" to push many companies into that cyber security awareness mindset.

  • Like 1

Eventually I think from a financial standpoint it will be seen as the cost of doing business, like insuring a house you build on a beach.

  • Like 1

I talk to tons of companies who are insistent a breach wouldn't even cause them financial harm other than replacing their computers. Seems very short sighted. 

  • Like 2

In Germany, we have a law that forces critical infrastructure to do a lot of security work. In May 2023, they will even have to deploy some kind of SIEM with the possibility of fast response (either automation or enough people looking at SIEMs).

So, what do these institutions do, having one or two IT persons for hundreds of employees? E.g. hospitals manage to have five beds below the defined amount for being "critical infrastructure", so no one is forced to do something important.
And even if there is someone having a SIEM, no one is looking at the data.

For other companies in Germany, we have many working in the supply chain for automotive. They have a certification (TISAX) which forces you to build an ISMS and let an auditor look at your documents, if this likely is the case. I am not convinced that this makes things more secure as well.

If anyone cares about security here, the current strategy for most companies is to buy software that will somehow fix the problem with "AI or so", like EDR.

The customers who really care about doing better are the ones who either suffered from an attack or had a pentest made out of their own effort. No one cares before he really saw the issues.

 

That's my experience over here.

  • Like 1

This mindset, if we can call it like that, has been there for a long time. I do see it getting better but I might be biased working mainly in FinTech.

The easiest way to tackle it is to translate it to $$$ in the form of revenue loss or fines. Fines work better in EU, regulators have more teeth, and revenue/reputation loss is more impactful in the US.

Unfortunately, security has had that issue forever where if it works, nobody sees it, and if it does not, we get all the blame.

In some cases, selling security as a differentiating factor compared to the competition within your industry is a good approach as it is marketable.

Check out "The Day the Role of the CISO Changed Forever - BSW #280" from October 5th security weekly stream.

Relevant and just popped up in my feeds (talk about targeted content 😉).

Edited by kereshnull

Oh yes. It is very common, sadly. Private and government places.
Makes me wannacry (😁) sometimes. This actually scares me because so much critical infrastructure is so dependent on working computer systems and, well. We had one not long ago where a large grocery store chain was totally blacked out since no checkout system worked because of malware that entered through their contracted IT company.

That was really bad.
No information loss for what I know, but no one could buy stuff in their stores for several days, and the economic losses were huge!

It pops up here and there in news from all around the world, where companies (critical and non-critical) get in trouble and the main reason is as you are onto:
People do not care or think it is not important or think they are good at security.
And they do not want to spend one coin to make things better or fix things.


23 hours ago, Florian said:

As it's always done. Talk about it. News / media need to talk about it. The younger and probably more aware generation climbs the career ladder.

There is nothing like a "kickstart-campaign" to push many companies into that cyber security awareness mindset.

Tbh, sadly enough, the closest we come to a "kickstart-campaign" to push companies into cyber security awareness is not done by us on the good side but by the other side, as more and more companies that got breached are in the news, thus the higher the chance they will actually open the purse strings to improve things, even more if they themselves were the victims.

Of course, that alone is not enough to get companies to do things always, so it's still up to the InfoSec department to keep pushing for change. Sadly, if the C-suite sees no fire around, then it's hard to push them into improving things of their own will, so only when things get hot do they care.

I do believe that more and more companies care about investing some time and money into security, as the number of non-technical people who want to learn how to protect themselves has increased, based on the record number of non-technical people from companies, such as the C-suite, who have opted to take the "security course" that Norway's national security agency does, which it offered for free all last month. So I do believe if there's a cheap way to learn, then many will invest time in it if possible.

  • Like 2

IMHO the state of corporate security is abysmal.  I cite as very recent contributors to my opinion:

Mudge's testimony regarding twitter:
https://www.youtube.com/watch?v=MYm7ybQa-D0 (opening statement)

Uber's former CISO convicted
https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach

But the problem (especially as Mudge describes it in his opening statement) is not limited strictly to security - if you haven't seen it, the documentary Downfall about Boeing and their MCAS software is a disturbing but worthwhile watch.
https://www.imdb.com/title/tt11893274/


I supported a smaller company that had a similar view and eventually had their 365 compromised. 

Even with sensitive data being forwarded out to clients, they still opted for no MFA, conditional access, or any type of restrictions because it "may slow them down or hinder them at some point". Every 2 months or so there was another breach of some kind but they still never opted for anything to help them.

Security problems can be cultural, and if that culture is in the C-level then there's really no hope other than playing CYA for when shit goes south, and it's a matter of "when" not "if".

  • Like 2

@Zanidd I worked for a technology firm and literally I have the same arguments internally. They've made some absolutely weird decisions that I can't get my head around, but I've been made to feel the villain / fool for suggesting otherwise because "I don't understand the culture". It is always a constant battle / uphill slog.

I had a discussion with the leadership to get vulnerability management in and their response was "we don't want vulnerability data in the cloud in case the vendor gets hacked and the attacker knows our vulnerabilities, and we don't want it on prem as it might disrupt the network and requires passwords to be stored which could be compromised if the system got hacked".

.... so the solution for them is to not do it at all.

Also agree with @StupidEcho's last sentence: once the C-suite's mind is made up they won't ever admit to being wrong... + when it does go wrong it's your fault anyway!

Edited by v0ltage
edited to improve my shocking engrish
  • Like 2

On 11/9/2022 at 12:46 PM, v0ltage said:

@Zanidd I worked for a technology firm and literally I have the same arguments internally. They've made some absolutely weird decisions that I can't get my head around, but I've been made to feel the villain / fool for suggesting otherwise because "I don't understand the culture". It is always a constant battle / uphill slog.

I had a discussion with the leadership to get vulnerability management in and their response was "we don't want vulnerability data in the cloud in case the vendor gets hacked and the attacker knows our vulnerabilities, and we don't want it on prem as it might disrupt the network and requires passwords to be stored which could be compromised if the system got hacked".

.... so the solution for them is to not do it at all.

Also agree with @StupidEcho's last sentence: once the C-suite's mind is made up they won't ever admit to being wrong... + when it does go wrong it's your fault anyway!

Glad to be an independent "consultant".

State of security is horrible in most companies. Most ppl (incl. devs) don't care. For development teams it's more of an afterthought.
