Friday, June 27, 2014

A failure to communicate between security pros and company brass may be contributing to the inability of a significant number of organizations to reduce the risk of cyberattacks on their systems.

That was one of the findings last week in a study conducted by the Ponemon Institute and sponsored by Websense.

Thirty-one percent of the nearly 5,000 respondents surveyed for the study said their cybersecurity team never met with the executive team about cybersecurity. Twenty-three percent of the surveyed IT pros said their teams only met annually with company brass.

Security professionals often complain that management doesn't get the relationship between data loss and revenue loss. That shouldn't come as a surprise, given how little the parties communicate with each other.

"Thirty-one percent is a big number to say they never communicate with their executive teams. That's not healthy," said Jeff Debrosse, director of security labs at Websense.

"That would clearly support why some security professionals believe that their executive management doesn't relate being exploited with the loss of revenue," he told TechNewsWorld.

Vein of Dissatisfaction

The latest buzzword in business circles is "agility" -- agile marketing, agile software development, agile modeling.

"In an agile world, everyone wants to pivot and shift quickly to any change in design or customer demand, but security is not very much different," Debrosse said.

"As attackers change their tactics, I'd want to be in constant communication with my executive team," he continued. "They have to understand a threat, what our capabilities are for defending against that threat, and whether our industry is being targeted, our company is being targeted, or we're just a target of opportunity."

The researchers also struck a rich vein of discontent among security professionals toward their existing protection systems. Some 29 percent of them said they'd like to totally overhaul their current systems. Another 13 percent said they wouldn't change anything about their current system because nothing they could do would protect them against a determined attacker.

"That's quite telling," Debrosse said. "It shows they're not confident that where they are today -- from a security standpoint -- is supporting their organizations adequately."

Active Directory Flaw

Security researchers at Aorato discovered a flaw last week in Active Directory that allows an attacker to change a user's password. Since 95 percent of all Fortune 1000 companies use that Microsoft program, the vulnerability could be very troublesome.

An attacker can impersonate the victim to access various enterprise services -- such as Remote Desktop Protocol Logon and Outlook Web Access -- that require the explicit use of the victim's password, Tal Be'ery, vice president of research at Aorato, explained in a company blog.

Worse yet, logged events miss the vital indication of an identity theft attack, he noted. The attacker can perform this activity unbeknownst to event logs, making log-based SIEMs and Big Data security analytics useless against an attack.

The flaw stems from Microsoft's penchant for backward compatibility.

"Although Active Directory supports newer, securer versions of the flawed protocol, it also supports older versions," Be'ery told TechNewsWorld. "Due to that fact, it's only as secure as the oldest protocol."

Aorato has alerted Microsoft to the flaw, but the company is reluctant to patch it.

"They're calling the vulnerability a 'limitation,' and they're not going to fix it," Be'ery said.

"This is a well-known industry limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120). Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site," Microsoft noted in a statement provided to TechNewsWorld by spokesperson Katherine Kerrigan of Waggener Edstrom.

OK to Reuse Passwords

Speaking of passwords, Microsoft raised the hackles of a few security experts last week when it recommended that weak passwords be reused.

The recommendation -- along with a scheme for organizing passwords based on user value -- was aired in a 16-page paper by Microsoft researchers Dinei Florencio and Cormac Herley, in partnership with Paul C. van Oorschot, Canada Research Chair in Authentication and Computer Security at Carleton University.

"Our findings directly challenge accepted wisdom and conventional advice," the researchers wrote. "We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal."

Users should identify the importance of a service and assign a password based on that, the researchers suggested. Weak passwords would be OK for less important sites, and strong passwords would be reserved for high-importance sites, like a bank.

That scheme can be just as burdensome to consumers as choosing unique, strong passwords for all sites and services, argued Andrey Dulkin, senior director of cyber innovation at CyberArk.

"Regular users have trouble distinguishing what 'important' and 'non-important' services are. Most people get that banking is important -- but the distinction is not clear on other services," he told TechNewsWorld.

"Password re-use is a significant threat, both to individual users and organizations," he added. "As users choose the same passwords for online and organizational services, the organization's exposure to attacks grows."