The CyberHood Watch partners, Dave & Bill, talk about a new study and a dirty little secret discovered in a recent survey conducted by Bob West, CEO of Echelon One, and Jeff Hudson, CEO of Venafi. Find out more about the “dirty little secret” next week at the Black Hat conference in Las Vegas.
Everyone is familiar with the honor of being bestowed the keys to the city, usually associated with an honorable deed. Well, Jeff Hudson of Venafi admirably provides the keys and certificates to encrypt, secure, and manage all the cities globally in cyberspace, along with the ability to manage all of an Enterprise network’s keys and certificates safely and securely.
Bob West, CEO and Founder of Echelon One, which provides information and strategy consulting to many of the world’s largest financial institutions, collaborated with Jeff Hudson, CEO of Venafi, on a study of 420 (a broad-based and correct sample size) different Enterprise IT organizations and government agencies. Of those 420, 60% each employ more than five thousand employees.
Both Bob and Jeff pointed out, in a subtle yet alarming way, that they are working diligently to provide the best system to manage keys and certificates and so afford safe and secure Enterprise environments. Both also acknowledge that the challenges are very real and threatening, given the current state of chaos in managing keys and certificates that are lost and/or broken. The impression you are left with is that institutions are worse off than they realize, and that it is only going to become worse if not addressed with better management of their keys and certificates.
Time Stamp: 00:11:41 | The study concludes that corporations “think” they are doing things the right way. However, the most important realization to take away from the study was that “Humans are the weak link, and that corporations and organizations are not training them, nor training them well enough”, said Jeff Hudson. Jeff continued to say that, “…77% of the organizations are not meeting the best practices, which means they are not training their people enough, and if humans are the weak link the way you make that weak link stronger is through training.”
The latter statements only validate the critical common thread that runs through both the corporate Enterprise and the end consumer…That humans are the weak link and education and having a standard of best practices to help guide our human behaviors are so valuable to everyone. We are a global community and we do individually have a ripple effect on all of us.
“BYOD” (Bring Your Own Device) is a big movement currently experienced throughout large corporations, also known as the “Commercialization of ITs”. In a previous interview, it became clear that the technologies used by consumers are far better and more convenient than the technology currently used or offered at the Enterprise level.
Employees are pushing to use their personal mobile digital devices to complete work tasks. The practice of allowing personal devices is an enormous challenge for ITs to police. This again points to the demand to educate employees about what the best practices are and how to keep information safe.
M@D is a provider of Enterprise mobile security set up in hours not weeks.
Time Stamp: 00:18:57 – Another finding from the study was, “there is this technology known as SSH, which utilizes keys, kind of like encryption, but it is used as an access method for systems centers.” The report highlighted that SSH keys are not well protected, and that the systems currently implemented to manage keys and certificates (many of them antiquated) are in chaos. This creates another weak link in the system that further exposes vulnerabilities, which can be exploited to access personally identifiable information (PII) or other data in the corporate Enterprise.
Time Stamp: 00:41:47 | The dirty little secret regarding the SSH vulnerabilities is that many corporate websites’ front doors facing the public web are insecure. The latter findings from the report will be presented for discussion at the upcoming Black Hat conference in Las Vegas, which could be the next big topic of the industry…A Dirty Little Secret.
Properly managing keys and certificates is critical, period. The current state of affairs is cause for alarm, with the discovery that there is so much chaos: poor accountability, reliability, and vulnerability associated with corporations’ poorly managed, unaccounted-for keys and certificates that are lost, stolen, or broken.
Social networks are another way to gather information on an individual, and build a personal profile to target, attack, and place malware on an individual’s endpoint to search out keys on the network.
Here is a final thought to leave you with…the current state of affairs is troubling. Not only are ITs expected to do more, but they are expected to do it with less personnel, and with a reduced budget.
What is unfortunate is that cybercrime is better funded, which creates an imbalance and a real disadvantage for security ITs. It is common knowledge that there is more money spent on the development of malware than on software to defend against malware.
Time Stamp: 00:38:38 | There is no absolute when it comes to security, but you can be very aware, and approach it from causality: if I do this, this may happen. Be very aware of where you put data, your email, and what types of websites you are viewing.
“Sony’s market capitalization has gone down by about 20% or about $10 billion dollars”, said Bob West, CEO of Echelon One, when talking about the losses caused by a security breach incident affecting Sony’s brand reputation. Protecting your brand reputation is a huge incentive for corporations, as well as small business owners, to ensure their customers’ security is protected.
Do you know what your vulnerabilities are? The better you can quantify, identify, and understand your information risks the better you will defend your security position for your corporation and your customers.
Your CyberHood Watch Partner,
david c ballard