Slashdot Mirror


Cyber Security Should Be Expanded To Departments Other Than IT: CII-KPMG (www.bgr.in)

An anonymous reader shares a BGR report: Cyber threats today are no longer restricted to a company's communications and IT domains, calling for more than just technical controls to avert attacks and protect the business from future risks and breaches, a new report said. According to the joint report of the Confederation of Indian Industry (CII) and KPMG, cyber security today embraces multiple units of an organization like human resource, supply chain, administration and infrastructure. It, therefore, requires governance at the highest levels. "It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust," said Richard Rekhy, Chief Executive Officer, KPMG, India.

38 comments

  1. Yes and no by Chas · · Score: 3, Insightful

    Do I agree that other departments need training in security?

    HELL THE FUCK YES! The nastiest hole in most security systems is the stupid meatbags being stupid on their computers.

    Do I think that there should be SOME input back from these other departments too? Sure. But in a healthy organization, this is already the case.

    Do I think that these departments should be given policy and decision making powers over security policy?

    HELL THE FUCK NO! That's like putting a blind and deaf sheep that's considered stupid (even by sheep standards) in charge of a flock in an unfenced field in wolf country.

    In short, while feedback is welcome, and good ideas are always welcome, managerial control isn't. Because it's not their job.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re: Yes and no by Anonymous Coward · · Score: 1

      I have had to walk across the facility to read a user's email to them. The reason: "it said URL so it is too complicated." We expect users like this to comprehend security? I don't expect them to get past the first word. It had sec-something in it. It is too complicated.

    2. Re:Yes and no by lgw · · Score: 2

      It is vital to keep pace with the changing regulatory and technology landscape to safeguard and advance business objectives. Working backwards by identifying and understanding future risks, predicting risks and acting ahead of competition, can make a company more robust

      Wow, buzzword bingo in a single quote. Where's Weird Al when you need him? Right here!

      This consultant must have been toning it down though. I would have expected a "proven methodology" and "commitment to quality" in there somewhere, and maybe a "seamless integration" too.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Ignorance shouldn't be an excuse. by jellomizer · · Score: 3, Informative

    The biggest problem in IT Security is that all the decision makers (those people outside of IT) claim ignorance, as those IT guys just talk techno babble.

    So when there are legitimate problems, they just ignore IT and tell them to fix it, vs. trying to take some time to learn about the problem and see if there are other solutions than just a computer fix.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Ignorance shouldn't be an excuse. by houghi · · Score: 1

      And how many IT directors say "We can't fix it!"? Not that many, because they all say "We have found a new way and we implement that," and all the while they forget the weakest part: humans.
      And no, you can't just upgrade them as if they were a machine with not enough memory. You have to work with what is given to you and make it work.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:Ignorance shouldn't be an excuse. by tnk1 · · Score: 3, Insightful

      Yes. You can employ all the latest technical tricks and safeguards and the HR assistant is still going to send a list of all of your social security numbers to a "hacker" due to a badly formatted email that purports to be from the CEO. The number of times that outside parties simply pretend to be someone else and demand sensitive data to be sent to them, and it *works* is absurdly high. This is because people aren't trained and more to the point, have not been told that security is not their responsibility nor their manager's.

      I agree that the Information Security group (NOT the IT department, unless you're too small for an IS group) should be crafting policy and training, and they should accept feedback about their efforts from the other groups, but ultimately they should not be overruled on InfoSec rules by the other departments unless there is executive sign off *in writing* to exceptions.

    3. Re:Ignorance shouldn't be an excuse. by Archangel+Michael · · Score: 1

      claim ignorance

      Security is mostly / always at the cost of convenience, and often costs money budgets don't have (until it is too late).

      I know that in our organization, security is always an afterthought, even though we in IT try to make it a priority. Decisions made by people who are ignorant are almost always wrong (broken clocks being right twice a day), because they are almost always based on convenience over security.

      And when the inevitable security problems come up, they expect IT to fix them, without compromising all their stupid decisions along the way.

      Whenever someone makes a REALLY stupid suggestion (easily guessed passwords), I try to put it into terms they can understand ... "Why not set everyone's password to the exact same thing, that way when someone forgets their password, their neighbor can tell it to them! CONVENIENT!!!"

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Ignorance shouldn't be an excuse. by Bob+the+Super+Hamste · · Score: 1
      --
      Time to offend someone
    5. Re:Ignorance shouldn't be an excuse. by pla · · Score: 1

      With SMBC, you always need to mention SFW (for the half-dozen or so that qualify) or not.

    6. Re:Ignorance shouldn't be an excuse. by Anonymous Coward · · Score: 0

      With SMBC, you always need to mention SFW (for the half-dozen or so that qualify) or not.

      You are thinking of Oglaf. Nearly all SMBC panels are worksafe.

    7. Re:Ignorance shouldn't be an excuse. by chris_osulliva · · Score: 1

      But IT could stop the HR assistant from emailing SSNs by scanning outgoing email. The login/password reset interface is probably the weakest link.

  3. Same as it ever was by Anonymous Coward · · Score: 0

    Any worthwhile ISMS has always incorporated controls that aim to reduce and manage the risk surface of an organization as a whole. So-called "technical controls" are just ONE part of it.

  4. Technical solutions for social probs don't work by houghi · · Score: 1

    Security was, is, and never will be a technical solution for just IT. From the beginning it was clear that most of it was social engineering. Security is more a mindset.
    As many went through IT-related ways (computers), the IT departments told us over and over again that they would take care of it with more and more technical solutions.

    We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many. People will tell them to somebody who says he is from IT. People will do things, because they are afraid their boss will yell at them if they don't. They palm people into buildings. And all because they have no idea why it is so dangerous.

    People are not even interested in protecting their own identity and secrets and make themselves vulnerable to attacks. If they do this to themselves, why would they not do it for the company they work for?

    The reason is simple: ignorance. You need to explain that if you give one piece of the puzzle (e.g. just the first number of your CVV code) and they get the other pieces elsewhere, they have all of the information.

    So it is indeed now up to IT to realize that they have been lying and finally start to understand that security is a state of mind and not something you can deal with as if it were a bug (or a feature). NEVER solve a social problem with a technical solution.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Technical solutions for social probs don't work by XXongo · · Score: 3, Insightful

      We are all aware that technical solutions for social problems don't work. People will write down their passwords, because they have too many.

      It's been shown that writing down your password is pretty much the safest thing you can do. If I can't write it down, I can guarantee my password is going to have to be something like puppydogN, and I'm going to use the same one on every single system because I can't memorize fifty different passwords and remember which one goes with which login.

      What pisses me off most are the a$$holes in computer security who are now making me change my passwords to a new one every 90 days. Nobody has ever shown that this makes anything safer.

    2. Re:Technical solutions for social probs don't work by Anonymous Coward · · Score: 0

      The basic idea behind mandatory changes is that the amount of time a password is used should be shorter than the amount of time it would take an attacker to brute-force every password in that space. The more complicated the password, the longer it (theoretically) can be used.

      Take the simple case, a 4-digit pin. An off-the-shelf computer today can count from 0000 to 9999 in less than a second. Add in delays for testing the system, and you're talking maybe a second or two for an offline attack (i.e. the attacker has a password hash and is testing to find which password matches it) or, at worst-case, a few hours if doing an online attack across a slow link and the system enforces delays between attempts.

      Obviously, 4-digit pins suck in this case. This is why all those rules for password complexity exist (10 characters, mixed-case alphanumeric with at least one special character). The larger the character set, the longer the password, the larger the solution set for brute-forcing a single hash.

      The problem is that static passwords are already so badly broken that pretty much any memorable password is brute-forceable in less than 90 days. Add to that the existence, and ready availability of pre-computed hash databases that allow near-instantaneous lookups, and static passwords are pretty much toast. So, given how expensive it is to implement/manage a multi-factor system, most companies just punt, require the 90 day change, and say they did their best.
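
      The brute-force arithmetic in the comment above, worked through as an added example (not code from the thread or from the KPMG report): an offline exhaustive search of a 4-digit PIN against a fast unsalted hash, and the keyspace/time figures that decide whether a policy outlives a 90-day rotation. The guess rates, the SHA-256 choice and the policy table are illustrative assumptions, not measurements.

```python
"""Offline PIN brute force plus keyspace and time-to-exhaust arithmetic.
Added example; OFFLINE_RATE / ONLINE_RATE are assumed figures, not measurements."""
import hashlib
import itertools
import math
import string


def sha256_hex(secret: str) -> str:
    """Fast, unsalted hash: the worst case for the defender in the comment's model."""
    return hashlib.sha256(secret.encode()).hexdigest()


def brute_force_pin(target_hash: str, digits: int = 4):
    """Try every digit string of the given length against one hash.
    Returns (pin, attempts), or (None, attempts) if the space is exhausted."""
    attempts = 0
    for tup in itertools.product(string.digits, repeat=digits):
        attempts += 1
        guess = "".join(tup)
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: the whole space (the expected cost is half of it)."""
    return keyspace(alphabet_size, length) / guesses_per_second


def outlives_rotation(alphabet_size: int, length: int, guesses_per_second: float,
                      rotation_days: int = 90) -> bool:
    """The comment's rationale: the rotation period must be shorter than the
    time needed to search the whole space. True if the policy passes that test."""
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) > rotation_days * 86400


# Assumed rates (illustrative, not measured): an offline attacker with a GPU rig
# against an unsalted fast hash, versus an online attacker throttled by lockouts.
OFFLINE_RATE = 1e10    # guesses per second
ONLINE_RATE = 5 / 60   # five attempts per minute before the lockout resets

POLICIES = {
    "4-digit PIN": (10, 4),
    "8 lowercase letters": (26, 8),
    "10 chars, full printable ASCII": (94, 10),   # the "mixed case + special" rule
}


def report():
    """(policy, bits of entropy, survives 90 days offline?, survives 90 days online?)"""
    rows = []
    for name, (alpha, length) in POLICIES.items():
        rows.append((name, round(entropy_bits(alpha, length), 1),
                     outlives_rotation(alpha, length, OFFLINE_RATE),
                     outlives_rotation(alpha, length, ONLINE_RATE)))
    return rows


if __name__ == "__main__":
    pin, tries = brute_force_pin(sha256_hex("7391"))   # constructed PIN
    print(f"recovered PIN {pin} after {tries} guesses")
    for name, bits, off_ok, on_ok in report():
        print(f"{name:32} {bits:6.1f} bits  survives 90 days: offline={off_ok} online={on_ok}")
```

      Two caveats a practitioner would add: exhaustive search is the wrong model for a memorable password (attackers run dictionary and rule-based guessing, which is why the comment's "any memorable password falls in under 90 days" holds), and the lever that actually changes the offline figure is the hash rate (a salted, slow KDF plus a second factor), not the rotation interval.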

    3. Re:Technical solutions for social probs don't work by Anonymous Coward · · Score: 0

      Absolute proof is not necessary when rational discourse will do. Nobody has ever shown that you are not a pedophile, yet it is reasonable to assume that you are not a pedophile. If a password can plausibly be brute forced in 100 days, it is reasonable to demand password changes every 90 days.

      Is that sufficient reasoning, or are you a pedophile? /s

    4. Re:Technical solutions for social probs don't work by Anonymous Coward · · Score: 0

      I haven't used this, but there's this.
      http://www.passwordcard.org/en

  5. Great idea, but it will never happen. by Anonymous Coward · · Score: 1

    Security is a process that you have to integrate in to every aspect of your business. It should be part of your training, planning, policy, business process, etc.

    Trouble is, those that control the pocket books don't see it that way. They've been convinced that security is a service, or worse an appliance. It's a neat line-item that ticks a box and should be priced out to the lowest bidder.

    To be fair, they see everything that way. Makes their jobs easy when leadership is a spreadsheet, a report, and a golf game with the bosses instead of.. You know, actual work.

    You ever wondered why so many large organizations seem like such disjointed, jumbled up messes with ill-fitting parts that don't communicate well? Yeah.

  6. so more Shadow IT? or more we can do our own at lo by Joe_Dragon · · Score: 1

    so more Shadow IT? or more we can do our own at lower cost (at the places that have IT bill other departments) and more PHB fights over stuff that they do not know that much about. I read in PHB magazine that we need to have X and I don't think X.1 (just about the same thing) will cut it.

  7. Necessary, but a waste of time. by pla · · Score: 1

    I can easily see the theoretical value in this. In practice, this will just scare and confuse 99% of non-IT people.

    Corporate cybersecurity must operate in such a way that it doesn't require the end users' cooperation, or it will fail. Sure, you can teach people best practices, how to spot phishing attacks, not to use the same password on every system they use; but as soon as you move beyond that, you've set yourself up for complete failure.

    1. Re:Necessary, but a waste of time. by tnk1 · · Score: 1

      You need everyone's cooperation at some level. There is simply no way to prevent attacks unless you have everyone on the same page.

      Yes, you might be able to track the HR assistant who sent the data and fire them, but too late for the company. You at least need to train them to the point that they,

      a) Know the minimum that they have to do in order to protect their data,
      b) Know that they can be fired for failing to protect that data.

      You would not believe the number of people who make these sorts of mistakes and are *not* fired. The reason is simple. No one trained them to recognize attacks, and no one told them that they had to protect that data or be fired. Unless they are in disposable positions, their manager rightly points out that they're valuable members of the HR/Finance/Sales team, and that if their CEO writes them an email ordering them to give something up, they're going to follow orders.

      A great deal of InfoSec breaches are all social engineering that happen to use email or something to convey the attack. There is no purely technical solution for that.

    2. Re: Necessary, but a waste of time. by Anonymous Coward · · Score: 0

      I thought teaching people about security was branded as terrorism by the Patriot Act and the other BS laws we passed since then.

    3. Re:Necessary, but a waste of time. by pla · · Score: 1

      Unless they are in disposable positions, their manager rightly points out that they're valuable members of the HR/Finance/Sales team, and that if their CEO writes them an email ordering them to give something up, they're going to follow orders.

      I mostly agree with you, but I think you might have missed my intent...

      Why does a random HR employee have the ability to send an export of all employee data to an external address? Why would the CEO legitimately need to ask anyone to send them data (as in, the data itself, not a link to an internal webpage or file)?

      Yes, people will always make mistakes, and non-techies will never keep up with the latest social attacks - Thus my point; not saying someone should lose their job for an offense they don't even understand, but rather, that they shouldn't have the physical capability of accidentally causing such a breach.

      Though rare, this counts as one area where we could take a tip from high-security government agencies - No removable media, no direct internet access, no email attachments can leave (or enter) the local network without some form of sign-off by InfoSec, etc. And yes, of course people will always find ways around such technical barriers, but at that point it becomes a lot harder to claim ignorance instead of malice.
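
      An outbound mail policy check, added here as an example (not code from the thread): it combines chris_osulliva's suggestion above of scanning outgoing email for SSNs with pla's point that data should not be able to leave by attachment without InfoSec sign-off. The company domain, the approval header name and the sample messages are constructed assumptions; the SSN pattern uses the structural rules for the number (area not 000, 666 or 9xx; group not 00; serial not 0000) to cut false positives.

```python
"""Outbound mail policy: block SSNs to external recipients, hold external
attachments without sign-off. Added example; INTERNAL_DOMAINS, APPROVAL_HEADER
and SAMPLES are constructed assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"example.com"}        # assumed company domain
APPROVAL_HEADER = "X-InfoSec-Approved"    # assumed header set by the review gateway

# Structurally valid SSN, hyphen- or space-separated. Unformatted 9-digit runs
# are deliberately ignored (phone numbers, invoice ids) to keep false positives down.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")


def find_ssns(text: str) -> List[str]:
    return [m.group(0) for m in SSN_RE.finditer(text)]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> extracted text
    headers: Dict[str, str] = field(default_factory=dict)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate(msg: Message, ssn_threshold: int = 1) -> Tuple[str, List[str]]:
    """Return ("BLOCK" | "HOLD" | "ALLOW", reasons). Attachments are scanned too,
    since the HR export in the thread's example is a spreadsheet, not body text."""
    external = [r for r in msg.recipients if is_external(r)]
    hits = find_ssns(msg.body)
    for text in msg.attachments.values():
        hits.extend(find_ssns(text))
    reasons: List[str] = []
    if external and len(hits) >= ssn_threshold:
        reasons.append(f"{len(hits)} SSN(s) addressed to external recipient(s): {external}")
        return "BLOCK", reasons
    if external and msg.attachments and msg.headers.get(APPROVAL_HEADER, "").lower() != "yes":
        reasons.append(f"attachment(s) {sorted(msg.attachments)} to external recipient(s) "
                       "without InfoSec sign-off")
        return "HOLD", reasons
    if hits:
        reasons.append(f"{len(hits)} SSN(s) sent internally; logged")
    return "ALLOW", reasons


# Constructed sample traffic (no real data).
SAMPLES = {
    "ceo_fraud": Message(
        sender="hr.assistant@example.com",
        recipients=["ceo@example-com.co"],            # look-alike external domain
        subject="RE: URGENT employee list",
        body="Here is the list you asked for.",
        attachments={"employees.csv": "Alice,123-45-6789\nBob,234-56-7890\n"},
    ),
    "payroll_internal": Message(
        sender="hr.assistant@example.com",
        recipients=["payroll@example.com"],
        subject="New hire",
        body="Carol, 345-67-8901, starts Monday.",
    ),
    "vendor_quote_unapproved": Message(
        sender="procurement@example.com",
        recipients=["sales@vendor.example.net"],
        subject="Quote",
        body="Signed quote attached.",
        attachments={"quote.pdf": "Quote #4471, 12 units, invoice 000-12-3456"},  # not an SSN
    ),
}
SAMPLES["vendor_quote_approved"] = Message(
    **{**SAMPLES["vendor_quote_unapproved"].__dict__, "headers": {APPROVAL_HEADER: "yes"}}
)


def run_samples() -> Dict[str, str]:
    return {name: evaluate(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, reasons = evaluate(msg)
        print(f"{name:24} {verdict:5} {'; '.join(reasons)}")
```

      The approval header is only trustworthy if the gateway strips it from everything users submit and adds it itself after review; a header the sender can set is just another field to forge. The check also does nothing for the phone call or the paper printout, which is the point the surrounding comments make about training.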

    4. Re:Necessary, but a waste of time. by Anonymous Coward · · Score: 0

      Because of the fact that one can get fired quite easily, and whatever the C-levels want, they get, it is a lot less risky to send a properly formatted, aesthetically pleasing PDF with the latest company letterhead to someone purporting to be the CEO than to refuse the request. In theory, this shouldn't happen, but in reality, just a touch of brow-beating, and one can get the keys to the city pretty quickly.

      I remember getting fired for refusing to let a tailgater in behind me, as he didn't have a badge, and I challenged him on that. Turned out to be a higher up muckety-muck. Easier to let an ass just get in than risk losing one's job in today's economy.

  8. No by jwymanm · · Score: 1

    In fact the opposite should happen. They should be removed from any level of access to anything that requires security to protect peoples data. And not to be harsh on them, so should any employee honestly. Usually it turns out the least secure people in the company have the most access to customer information. This is the system we have today because they are the people that directly interact with the customer and are typically new people hired freshly from the street since turnover rate in call centers/fast food is so high. We need a different process entirely to create a secure way to provide PCI / PII . It should never even have to be provided manually to another human getting paid minimal wage.

  9. Perhaps we should not call it "cyber security" by Anonymous Coward · · Score: 0

    When I worked on military projects decades ago we had "cyber security". Our computers were not connected to any external network. Heck, we were not allowed to have a phone line to the office. The office had to be many meters away from the perimeter of the site to minimise the chance of sniffing the emissions from our monitors and such. Our removable disk drives were locked in a safe every night.

    That is cyber security in a big way.

    But what about my engineers note book that I could take home? Or actual project documents? Or casual chat with friends and strangers down the pub?

    That was covered too.

    I needed to pass a security guard and show my ID to get on site. I needed two card keys to open the doors to get into our office.

    We were all briefed on what is acceptable and what is not. By the security officer. We had all signed the Official Secrets Act and were therefore subject to the death penalty for leaking information. Treason that is.

    Point is security is not just the IT department and "cyber security". It involves everybody. As the article tries to say.


  10. Ehhh, WRONG!!! by Anonymous Coward · · Score: 0

    The people in the groups listed are fucking clueless, so of course you don't include them in the decision making process or your entire company will go fucking swirly down the toilet.

    If any changes were to be made, it would be to increase the power of the people in the IT trenches to disembowel clueless corporate officers to prevent security incidents from happening due to "Don't you know who I am? Fucking let me do what I want or you're fired" egomaniacs.

  11. NO by Ryanrule · · Score: 1

    IT should be given greater control.

  12. Endpoint security + user education by Anonymous Coward · · Score: 0

    See subject: BOTH = critical but can be ineffective vs. a malicious/disgruntled user. For that very purpose & almost 2 decades ago (originating in 1997 @ NTCompatible.com) I created guides for users to secure themselves BOTH @ home or corporate LAN/WAN (provided they have rights that is) but more geared to "standalone non-networked" systems though for individual users to do so (many users of them experienced great success due to it in fact once FULLY implemented) themselves (want to do a job right? DO IT YOURSELF type thinking)-> https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+to+secure+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1 & surprisingly, it even got me PAID (nice unexpected surprise actually).

    * Many here note a social problem is not curable by technology... well, it is & it isn't as I noted above - depends on the user's mindset! Today's user? Not as big an "ignoramus" etc. others here called them (I laughed @ meatbag in 1 such comment) - they KNOW how to "f stuff up" IF they want to in other words yet can claim "ignorance" I-don't-know as a cover unfortunately - IT guys take the burden then & yes, the blame. It's sad, but HOW IT IS, unfortunately.

    (I.E./E.G.-> If they're not pissed off @ the company & yes, sometimes they have a legit gripe, no doubt, but protecting where you make your monies is a GOOD idea in the end imo, no matter how bad it's going or how poorly you're treated (& yes, when you work for others you truly ARE an "expendable asset" in the end unless you own the place & yes, they burn you out for pennies too)).

    APK

    P.S.=> Network perimeter defenses which IT handles & usually applies (hopefully) are all "well & good" but malicious links, unless filtered out (as I do via my hosts file engine, the most effective SINGLE measure out there vs. today's threat landscape for the best "ROI" in efficiency) will get you by webpages or HTML mails every time (& disgruntled users KNOW this above all else) - nice part, especially from an IT standpoint, is that it KEEPS YOU BOYS WORKING (think about it) but it robs your money source @ the same time hurting it & YOU too in the end... apk

    1. Re: Endpoint security + user education by Anonymous Coward · · Score: 0

      Didnt microsuck stop honoring the hosts file? Or was that an idle threat (or only applicable to winlose services)?

  13. For windows update only afaik by Anonymous Coward · · Score: 0

    See subject: I've seen speculation but no proof of it vs. telemetry 'spying' though (but a lot of talk of it) which firewalls or routers can handle though (OR registry settings to shut it off) - for updates this is a GOOD thing (in rare cases of hosts being compromised past WFP/SFP) but when my program runs it protects hosts beyond that + updates of it refresh rewrite it vs. that.

    APK

    P.S.=> They DID 'screw it up' slightly - less efficient than post Windows 2000 SP#2 where they added 0 vs. even 0.0.0.0 or even less efficient default 127.0.0.1 since they're larger in init. Open/Read/Close/Flush I-O cycles as hosts is loaded into memory from up off disk in Windows 7 (only real "gripe" I ever had on 7 really)

    To which even MS' senior mgt. in Foredecker (Richard Russell) AGREED with me on here on /. no less years ago http://slashdot.org/comments.pl?sid=1467692&cid=30384918/ I approached the now departed Sinofsky in his "Building Windows blog" & he avoided it totally too!

  14. Addendum (due to /. AC length limit) by Anonymous Coward · · Score: 0

    Continuing my last post with details & as to WHY imo: MONEY is the answer to 99/100 questions - Neither ever addressed & Russell said he would - oh well! He probably tried, but Ballmer was SO BENT on becoming "an advertising power" like Google, Nadella even WORSE now than Sinofsky too, probably 'snuffed' it imo!

    Hosts adversely affect that initiative (BUT do unquestionably speed up & secure users) - as hosts block ads, giving you not only more speed but also protection from the most used type of threat - host/domain names that yes, via HTML mail + malicious sites & scripts on them (mainly ads) DO slip by perimeter & MOST firewall IP-address-based defenses.

    APK

    P.S.=> I felt Foredecker was a pretty straight up & competent CS degreed mgr HOWEVER: He tried passing the buck on it, telling me to address others @ MS - As the FORMER head of "Windows Client PERFORMANCE division" it really WAS his area - smaller hosts files, line per line, DO help performance of it! apk
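
    The hosts-file blocking that the three APK posts above describe, as an added example (not the commenter's "hosts file engine" nor any code from the page): a builder that turns a raw domain blocklist into de-duplicated, validated hosts entries, a parser for hosts-file text, and a lookup that says whether a name would be sinkholed. The sink address (0.0.0.0; the posts also mention 127.0.0.1 and a bare 0), the blocklist lines and the hosts text are constructed assumptions.

```python
"""Hosts-file blocklist builder and checker. Added example; SINK, BLOCKLIST and
the hosts text in demo() are constructed, and no claim is made about how any
particular OS parses a bare "0" entry."""
import ipaddress
import re
from typing import Dict, List, Tuple

# One hostname: 1-253 chars, dot-separated labels of 1-63 [a-z0-9-], no label
# starting or ending with a hyphen, and at least two labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
SINK = "0.0.0.0"   # assumed sink; 127.0.0.1 is the older convention the posts mention


def build_hosts(blocklist_lines: List[str], sink: str = SINK) -> Tuple[List[str], List[str]]:
    """Turn raw blocklist lines into hosts entries. Returns (entries, rejected).
    Lower-cases, strips comments and trailing dots, de-duplicates (one line per
    name keeps the file small), and rejects anything that is not a multi-label
    hostname so a hostile blocklist cannot sinkhole 'localhost' or unqualified
    intranet names."""
    entries, rejected, seen = [], [], set()
    for raw in blocklist_lines:
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        if not HOSTNAME_RE.match(name):
            rejected.append(raw.strip())
            continue
        if name in seen:
            continue
        seen.add(name)
        entries.append(f"{sink} {name}")
    return entries, rejected


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {hostname: ip}. Lines whose address field does
    not parse are skipped; the first mapping for a name wins, as resolvers do."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            mapping.setdefault(host.lower(), ip)
    return mapping


def is_sinkholed(mapping: Dict[str, str], hostname: str) -> bool:
    """True if the exact name maps to an unspecified or loopback address.
    hosts files have no wildcards: blocking a parent does not cover subdomains,
    which is the main gap of this approach against ad/malware infrastructure."""
    ip = mapping.get(hostname.lower().rstrip("."))
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_unspecified or addr.is_loopback


# Constructed inputs.
BLOCKLIST = [
    "ads.example.net",
    "Ads.Example.Net.",                 # duplicate after normalisation
    "tracker.example.org   # comment",
    "bad host",                         # contains a space: not a hostname
    "localhost",                        # single label: rejected on purpose
]


def demo() -> Dict[str, bool]:
    entries, _ = build_hosts(BLOCKLIST)
    text = "\n".join(entries) + "\n127.0.0.1 localhost\n192.0.2.10 intranet.example.com\n"
    mapping = parse_hosts(text)
    return {h: is_sinkholed(mapping, h) for h in (
        "ads.example.net", "www.ads.example.net", "intranet.example.com", "tracker.example.org")}


if __name__ == "__main__":
    entries, rejected = build_hosts(BLOCKLIST)
    print("\n".join(entries))
    print("rejected:", rejected)
    print(demo())
```

    Two practical notes: a browser or mail client only consults the hosts file for names it resolves through the system resolver, so DNS-over-HTTPS in the application or an attacker embedding raw IP addresses bypasses it; and because every subdomain needs its own line, the file grows with the blocklist, which is the size-versus-load-time trade-off the posts are arguing about.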

  15. KPMG was involved. The noise you hear are lies by Anonymous Coward · · Score: 0

    KPMG has not one shred of credibility with anyone.

    They are to contract software services what Ebola is to blood borne pathogens.

    If you have had KPMG on a project you know how it gets infected, well, like an Ebola patient. (Dead, and the last few hours do not go well at all.)

  16. Uh,.... by Anonymous Coward · · Score: 0

    No shit, Sherlock.

  17. IT is a BOD issue by Anonymous Coward · · Score: 0

    If your company does not have a CIO directly reporting to the Board of Directors about IT - you are doing it wrong. Southwest Airlines and Delta both learned that the hard way recently.

  18. they only figured this out now? by bravecanadian · · Score: 1

    This has always been the case.

    Unfortunately, most companies treat information security as an IT task instead of a company wide mindset.

    In the push and pull of security vs. convenience IT generally loses.. but they *do* get to take the blame once things go wrong.

  19. Again: Security is a process, not a product. by Anonymous Coward · · Score: 0

    Security is a process, not a product. It's not an OS, it's not software, it's not a department. It's a function integral to an organization, a culture.

    I said the same thing yesterday on the AV thread only to be modded down to infinity. Would the idiots please refrain from doing that again today? Probably not.

    KPMG is peddling methodology here. Methodology is product to them and while they are in the ballpark, a methodology does not make things secure any more than AV products, since security is a function integral to an organization, a culture.

    If confidentiality and security are not in the culture, they reduce to security theater. But like AV, what KPMG offers is probably a salable palliative.