Usually I am not particularly a big fan of security doom scenarios, but looking at this week’s security news and the usual New Year’s security predictions, I have to admit that I grew a bit concerned about the overall info security outlook.
Here is the canvas:
- Sabotage attacks from Iran targeting US industrial control systems and critical infrastructure modeled after Stuxnet, Duqu, and Wiper are growing in frequency.
- A major hack targeting Sony has exposed plenty of confidential information including executive pay and actors’ confidential information and has leaked several unreleased blockbuster movies.
- Retailers are still under attack from a new strain of malware that targets point-of-sale systems and siphons off credit card information from memory.
- Major credit card processors are still targeted with man-in-the-middle attacks to steal huge amounts of credit card data.
- New revelations on the NSA spy program declare that all mobile communications could be subject to snooping.
- A sophisticated stealthy Linux Trojan is on the loose to exploit hundreds of thousands of Linux systems.
- A new TLS-based POODLE bug that breaches the confidentiality of TLS-encrypted data has been discovered.
To me, these scenarios look like they were taken right out of a cyberpunk movie, such as a fictional sequel to the Matrix trilogy. Unfortunately, they are the harsh reality. If I did not do cyber-security for a living, I would have already packed my bags and left.
OK. So, these are the doom scenarios, but what about the companies’ controls to defend against these threats? Besides the fact that I am starting not to like the term “threat intelligence” any more since there is a huge babble in the security industry on it, “threat management” is the most likely response to these emerging threats.
But then you start hearing these statistics:
- According to SC Magazine, 58% of businesses today do not have a complete patch management strategy. It makes you wonder how businesses plan to fix the growing number of vulnerabilities in their environments.
- A huge number of security breaches are related not to vulnerabilities but to misconfigurations, such as open network shares called “passwords” that hold all kinds of open files containing, guess what? Passwords.
- Based on a sample of our clients’ vulnerabilities, most are clustered around applications such as browsers, Java, Adobe products and web/application servers. Again, companies are great with Windows patch management but not so great with their application patch programs.
- Most of the companies we talk to do not have a complete asset inventory program in place for both network devices and applications. Again, you cannot protect what you do not know.
- According to a recent article, e-commerce sites certified as secure by Security Seal often still have huge security holes. Moral of the story: automation for the sake of generating huge commercial distribution does not work.
At NopSec, we step up to the challenges mentioned above by really pushing for increased automation of the organizations’ vulnerability management programs through the following:
- Automated asset and application detection and fingerprinting.
- Contextual business vulnerability discovery and prioritization via correlation with emerging threat intelligence feeds and public exploit databases.
- Predictive vulnerability analytics, not for their own sake, but to enhance the intelligence and decision-making on vulnerability fixes in order to focus on what matters the most to the business.
- Social and context-enhanced remediation to eliminate the ambiguities in the patch management and vulnerability remediation workflows.
If you are ready for a positive change towards a context- and threat-intelligence-focused vulnerability management program, contact us to schedule a personalized demo of our SaaS solution Unified VRM.