Security Strategies

Cyber Security Expert Warns: You're Doing It Wrong

SAN JOSE, Calif. -- The New IP -- Here's a message that should strike some level of fear into the hearts of any company's senior management team and IT operations staff: "Most of you are doing cyber security wrong, you work for companies doing it wrong and you probably all have clients or customers doing it wrong. You are not just missing a technical opportunity, but the whole approach you are taking is profoundly wrong."

Scott Borg, CEO of the US Cyber Consequences Unit, an independent, non-profit research institute, threw this glass of cold water on The New IP conference attendees last week.

But Borg isn't playing a name and shame game: "It's not your fault. You never had the opportunity to do it right, because our whole corporate approach to cyber security is so profoundly wrong," he told attendees, heralding a mass unclenching of glutei maximi in the audience.

That some cultural changes are required will not come as news to anyone who has attended other Light Reading events. Heavy Reading research consistently shows that security is a top priority for network operators, by far, but they're still stuck in an "it's someone else's problem" mindset, relegating the enormous task of security to one specialized security group. (See Security Suffers From 'Not My Job' Mentality.)

As Borg described it, however, the problem goes much deeper than that. It's threefold, he said. First, cyber security needs to protect the creation and distribution of value, but teams often don't know how their companies create value. Second, companies don't have a clear idea of what they are defending against -- the types of attacks, the attackers and their techniques. And, third, cyber security needs to be directed towards what companies will do next to create value, not what they do now -- it needs to be future-oriented. (See FCC Launches Downloadable Security Push and ISOC Urges Faster Security Standards Adoption.)

"We are not organizing our cyber security to defend the ways we create value, the things that matter," he said. "We're not defending against the kinds of attacks that come after us, and we're not looking at how we'll do things in the future, which will dictate cyber security management. This is really bad."

Service providers may still be in the early stages of developing effective cyber security strategies to take advantage of these new business opportunities, but they are far from the only ones. Borg also explained how the US government is getting it wrong. When asked by an audience member why the US isn't more aggressive in cooperating with the private industry to stop cybercrime, Borg said it's because there is no national cyber security policy in the way there was, for example, a much-discussed, public nuclear weapon policy during the Cold War.

"The private sector will participate if they're paid for their time; if they get value out of it," he said. "But government people aren't providing information, so the whole thing dies."

Borg was also asked about the security implications of drones. His answer? "What can I say? It's really scary."

"Drones are a huge vulnerability" for cyberattacks, he said, and should be considered in the same equation as the rest of service providers' cyberdefense plans. (See FAA Lays Out First Proposal for Small Drones and A Drone for the Holidays? The FAA Wants a Word....)

— Sarah Thomas, Editorial Operations Director, Light Reading

MikeP688 3/16/2015 | 10:28:29 PM
Re: All in for Security There are strategies for sure to pursue to avoid being "duped". Although beyond the scope of our deliberations here, I am getting to know and take advantage of an evaluation tool put out by New Mexico State University that allows me to evaluate online resources to be evaluated--without being led down a path that may end up costing me valuable time that I otherwise would not have. We also need to have a concerted education campaign--I am reminded of my predicament with Paypal last year--It was so authentic, it was not even funny. When I clicked on the email address, though, it mapped back to a Go Daddy Domain Name--they did not even bother to register. I advised Paypal--but I guess I am the exception, not the rule. It is ever so vital that such deliberations continue here and beyond so that the level of awareness continues unabated.

pcharles09 3/16/2015 | 10:10:13 PM
Re: All in for Security @MikeP688,

As a wise man once said "The problem with common sense is it isn't so common". Most people would like to think they know what they're doing on the web, but even if they're vigilant, there's lots of things they just don't know. So the problem is how do you avoid what you don't know exists?
MikeP688 3/16/2015 | 10:07:53 PM
Re: All in for Security It all begins with exercising common sense. I have been wrestling with this very fact as I was working on my first project for my Ph.D. I have just launched. We can, must and should exercise that sense of self-judgement--and as we do that, we can truly ensure that we are not hurt.
pcharles09 3/16/2015 | 10:03:44 PM
Re: All in for Security @MikeP688,

Sad but that's the reality of what the internet is now. There's so much $$ made in illegitimate sources that it's lucrative to do that for a lot of folks. Then there's the victims that make it easy to be preyed upon.
pcharles09 3/16/2015 | 10:02:01 PM
Re: All in for Security @SachinEE,

I'm interested in what you mean by "proper identity management"...
brooks7 3/1/2015 | 6:40:46 PM
Re: All in for Security SachinEE,

Suppose the cloud vendor has IT techs that are bribed. Seems like a nice low tech way to defeat any high tech security right?

Let me put it this way. If you want something bad enough, you can spend enough to steal it.
MikeP688 2/28/2015 | 11:50:20 PM
Re: All in for Security I periodically am "phished" now...and to Google's Credit (which I run my stuff on) it gets better by the millisecond. The most laughable of all was from Paypal...it looked really really real. But when I actually checked on the "domain name", it showed a Go-Daddy Domain name and I knew it was fake...they insisted that I should update my account or else everything will be "gone". I sent it up to Paypal...but those of us who actually understand it are not as prevalent. We have to be careful..we have to be vigilant..when possible activate two-step authentication (and Government is so ahead of the curve here..believe it or not...). It is up to us--no question.
SachinEE 2/28/2015 | 9:36:30 PM
Re: All in for Security @pcharles: I hope when everything goes up into the cloud, proper identity management would probably solve all your issues, but you have to wait for that.
pcharles09 2/28/2015 | 5:10:03 PM
Re: All in for Security @MikeP688,

I haven't been phished (to the best of my knowledge) but I have had my identity compromised. I agree that it is a frustrating thing to have happen to you. It's also an eye-opener. It pushed me to be a lot more careful on & offline for sure!
MikeP688 2/26/2015 | 11:05:45 AM
Re: All in for Security It is pretty much black and white if you've been a victim and a target of phishing..so I would humbly suggest that it is a war..and it requires eternal vigilance.