Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Cybersecurity
    • Cybersecurity

    What’s Missing from Nearly Every Security Approach

    Written by

    Wayne Rash
    Published September 26, 2019
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      AUSTIN, Texas – I walked through the exhibit space at the SpiceWorld conference here, and in booths scattered about, I saw appliance after appliance promising a solution to one security problem after another. One would trap phishing emails, according to the people there. Another would solve your authentication problems. Still another would look for malware of nearly any type, updated nearly continuously.

      A consistent theme in their marketing was that while expensive, these devices were a lot less costly than hiring another employee. They would, they promised, protect your enterprise against attack. What was also interesting was that despite the promises of the appliance makers, their displays were not particularly busy, which is surprising given that this is an important show aimed specifically at IT professionals.

      Go here to see a listing of eWEEK’s Top SIEM Companies.

      What they realized, of course, is that while technology plays a role in securing an enterprise, it’s not a solution in itself, whether it’s an appliance, endpoint protection software or something in between. That’s because technology solutions are intended to fix one problem. If the problem changes, then the technology misses, at least until someone applies an update.

      Discovered One of the First Javascript Attacks

      I found this out a few years ago when I encountered one of the first Javascript attacks in an email. What was purported to be an attachment containing a fax actually contained Javascript far down at the end of what appeared to be a long user agreement, buried in the legalese. The Javascript would have connected my computer to a server in Russia, and caused it to download a file. Fortunately, I was suspicious of the supposed fax, and didn’t actually open it in anything that could execute Javascript.

      What’s important here is that the technology on my network, including some antivirus and antimalware software and a next-generation firewall, failed to catch it. But my annoyingly suspicious nature did catch it, and I was able to look at the file and see the malware that would have compromised the system.

      This incident is just an illustration of what can happen to organizations on an ongoing basis as attacks become more prevalent. Brian Krebs, who runs the website Krebs on Security, described the complex nature of today’s security landscape in a presentation here, explaining what we can learn from data breaches. He pointed out that while technology can catch many of the security problems likely to affect most networks, it will never catch all of them.

      Perhaps more important, the threats that technology doesn’t catch are frequently the most serious. They’re the attacks that become major breaches. This is because a really good attacker gets inside your network a little at a time, and spends days or weeks learning everything there is to know about your security, your network management and your security staff.

      Bad Actors Strike on Their Own Terms

      Only when they’re satisfied that they can launch an effective attack, do they move into actions that turn into a major breach. That breach can result in ransomware taking down your systems, and it can result in critical information being posted for sale to other cybercriminals.

      Normally, Krebs said, there’s plenty of time for an organization to find and neutralize an attacker that’s found his/her way into your systems, if only the organization knows to look. So why don’t they? Two reasons: people and policy.

      It takes trained staff to catch what the technology solutions miss, and “we don’t have enough people,” Krebs said. In addition, he noted that many companies make it far too hard to talk to them about security. To see how this doesn’t work, just try reporting a security problem to the company that has it. While there are a few companies that pay bug bounties, most don’t, and most don’t even have a means by which to receive such a report.

      After his presentation, Krebs and I relaxed over some barbecue from Franklin’s, while he told me about an informal study he did recently on the Fortune 100. He was looking for senior executives with a title that indicated a responsibility for security. He found two.

      Threat Landscape ‘Mercurial’ in Nature

      The problem with a lack of leadership in security is directly related to the mercurial nature of the threat landscape. In an earlier presentation, security evangelist Nick Cavalancia explained that the only way companies can keep up with insider threats is to have people who actually know what’s happening with their employees, including when employees have problems that technology can never catch. He said that this is why it takes an alert staff to help prevent this type of security threat.

      Krebs points out that that same fluid nature of the security environment is why no technology solution alone can prevent security breaches. He said it was critical to know whether the leadership of an organization sees the lack of good security as an existential issue. He added that businesses without such acumen are doing their companies and their shareholders a disservice.

      Krebs added that with some of the new security threats, notably deep fakes, which can produce fake videos or voice calls that can fool even people who know the targeted individual well, can’t be easily detected by technology independently. While it can be done eventually, it provides plenty of opportunity for CEO fraud to take place, in what the FBI reports is already a rapidly growing security threat.

      in many cases it takes a while to develop detection technology that can do recognize such fakes, and in the meantime, it takes people to unmask such an attack. Right now, “There’s not enough investment,” Krebs said.

      Wayne Rash, a former editor of eWEEK, is a longtime contributor to our publication and a frequent speaker on business, technology issues and enterprise computing.

      Wayne Rash
      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a content writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.