Knowing by Learning | The Real Reason Behind Your Cybersecurity Problems

"Knowing things by learning" is a brand column created by NetEase Yidun. The phrase comes from Wang Chong's "Lun Heng · Real Knowledge" (Han dynasty). People differ in ability, and only by learning can they know the truth of things and then become wise; if you don't ask, you won't know. "Knowing things by learning" hopes to bring you practical technical content, trend interpretation and personal reflection, and hopes to open your eyes to a different you. If you have good knowledge to share, you are welcome to contribute by email ([email protected]).

 

This article was written by Kevin Beaver, an independent information security consultant, author and professional speaker at Principle Logic, LLC in Atlanta. With over 29 years of IT experience and 23 years of security expertise, Kevin performs independent security assessments and consulting to help businesses uncheck the boxes that create a false sense of security. He has authored or co-authored 12 books on information security, including the best-selling Hacking for Dummies and The Practical Guide to HIPAA Privacy and Security Compliance.

 

Why do so many people struggle with network and application security? Some answers to this question are obvious, others less so. After testing the security of hundreds of applications over the past fifteen years, I've come to the conclusion that cybersecurity failures occur for many reasons, and that these reasons deserve our attention.

 

Nine common cybersecurity challenges

 

Here are nine of the most common security challenges that I believe contribute to the major, and the not-so-major, cybersecurity incidents and data breaches of our time.

 

1. Lack of security requirements and standards

 

In many cases, specific security requirements are driven by developers rather than by the larger business. This loose and inconsistent approach often stems from a lack of organizational security standards. Some standards may be implemented by third-party developers, but they are sometimes not considered part of the application architecture at all.

 

2. Lack of formal security training for developers and quality assurance (QA) professionals

 

Just as I can't be expected to write reliable code or find every software quality issue, developers and quality assurance (QA) professionals can't be expected to know everything security-related. That said, both developers and QA professionals have many missed opportunities in the software and systems development life cycle to prevent or discover common security flaws before they reach production. Simply following a framework such as the Open Web Application Security Project's (OWASP) Top 10 can bring huge benefits. However, most of the developers and QA professionals I speak to have not heard of it.

 

3. Lack of security leadership

 

Most small startups and midsize businesses talk about security, but there is little substance behind the talk. Even in large enterprises with dedicated security executive roles, bureaucracy and turf protection, with IT executives guarding their own interests, often get in the way of security.

 

4. Improper security testing

 

Website and application security testing is often lumped into general vulnerability and penetration testing efforts and is not performed properly. General network vulnerability scanning is not enough for web applications; security teams need dedicated web vulnerability scanners. Authenticated testing with different web vulnerability scanners, web proxies and related tools is critical, and even source code analysis is beneficial in many cases.

 

5. Inadequate security controls

 

Staging, quality assurance (QA) and development systems are often exposed on the Internet, but they don't have the same security controls that production environments have. They are not behind web application firewalls, are often unpatched, and are rarely protected by active system monitoring and alerting.

 

The real problem is that they often hold production data that is not identified, encrypted or otherwise protected. This data is exposed on the Internet or to anyone with internal network access. When this happens, chances are no one will know.
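One practical control for the situation just described is to identify production data before it is copied to a non-production system and pseudonymize it on the way. The following is an added example, not code from the author or from NetEase Yidun: it classifies columns in a constructed sample of "production" rows by simple value patterns and known column names, replaces every flagged value with a keyed HMAC token (deterministic, so joins still work in staging, but not reversible without the key), and provides a gate check that a staging load can run to confirm no raw customer identifiers survived. The row data, column names, patterns and key are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample of "production" rows, as they might be copied into staging.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0101", "card": "4111111111111111", "plan": "gold"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "phone": "555-0102", "card": "5500000000000004", "plan": "silver"},
]

# Value patterns that mark a string as a customer identifier (constructed,
# deliberately simple; a real deployment would use a fuller classifier).
PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "card": re.compile(r"^\d{13,19}$"),
    "phone": re.compile(r"^\+?[\d\- ()]{7,}$"),
}

# Columns known to carry personal data regardless of what the value looks like.
SENSITIVE_COLUMNS = {"name"}


def looks_sensitive(value):
    """True if a single value matches one of the identifier patterns."""
    return isinstance(value, str) and any(p.match(value) for p in PATTERNS.values())


def classify_row(row):
    """Return the set of column names in `row` that must be masked."""
    return {
        col for col, val in row.items()
        if col in SENSITIVE_COLUMNS or looks_sensitive(val)
    }


def pseudonymize(value, key):
    """Keyed, deterministic token: same input and key -> same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def sanitize_rows(rows, key):
    """Copy of `rows` with every flagged value replaced by an HMAC token."""
    sanitized = []
    for row in rows:
        flagged = classify_row(row)
        sanitized.append({
            col: pseudonymize(str(val), key) if col in flagged else val
            for col, val in row.items()
        })
    return sanitized


def has_raw_production_data(rows):
    """Gate check before a staging load: True if any raw identifier survives."""
    return any(looks_sensitive(val) for row in rows for val in row.values())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a secret held only by the export job
    print("raw rows contain identifiers:", has_raw_production_data(SAMPLE_ROWS))
    clean = sanitize_rows(SAMPLE_ROWS, key)
    for row in clean:
        print(row)
    print("sanitized rows contain identifiers:", has_raw_production_data(clean))
```

The key belongs to the export job that feeds staging, not to the staging environment itself; that is what keeps the tokens unlinkable to real customers even if the staging system is the one that gets compromised.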

 

6. Unknown Websites and Apps

 

Many websites and applications are unknown and therefore unprotected. In many organizations, numerous network systems have never undergone a security audit. Either they are considered unimportant, or no one knows they exist. Some of these websites and apps were originally built by people outside of development and IT, which puts them outside the scrutiny of the security program.

 

7. The Wrong People Are Conducting Vulnerability Testing

 

In some organizations, the wrong people are testing for cybersecurity flaws. Internal security teams often conduct testing without any external or independent assessment. This may be adequate from a security standpoint, but at a minimum it should be supplemented by an independent third party doing this work on a regular basis.

 

I often see external vendors doing their own "tests", which are usually just basic vulnerability scans. I've also seen many people rely on audit reports to make web-related security decisions. Audits like this are great for uncovering security vulnerabilities in and around the data center, but they say nothing about specific web application vulnerabilities.

 

8. Over-reliance on documented policies

 

Some managers rely entirely on documented security policies to protect their systems. In the grand scheme of things, security policies do little to protect the network environment from attack. Other than reassuring auditors, policies on their own have little value to a cybersecurity program.

 

9. Poor incident response planning

 

Many security teams have no plan for addressing the risks they find. Common cybersecurity breaches arise when vulnerabilities and risks are identified but remediation is never in sight. Just ask anyone involved in the major security incidents we see and hear about every day: planning for incidents is critical, especially for the most pressing issues affecting your most critical systems. Timely action pays off handsomely.

 

Strengthen weak links in the security chain

 

Whether cybersecurity is an informal part of your overall IT program or something a dedicated SecDevOps program oversees, you'll find that most security challenges fall on you to resolve. In other words, for your security program to work for your organization rather than against it, you must acknowledge and overcome these challenges.

One or more of these challenges undoubtedly exists in your organization. Engage the right people, identify gaps, and commit to making appropriate adjustments under a unified cybersecurity strategy by educating employees, spreading awareness, and uniting different departments.
