Companies failing to get security basics right

Many organisations are failing to secure their tech infrastructure at a very basic level, according to Tanium CSO, David Damato.

Speaking to CIO in Sydney yesterday, Damato said organisations are not doing the simple things right such as vulnerability and asset management, or what he describes as ‘security hygiene.’

Damato said tools and techniques available in the marketplace are very specialised and look for high-end sophisticated attacks but still fail to address basic security needs.

He said that of the more than 100 security breaches he has worked on in the past, cyber criminals were not using particularly advanced techniques to attack each organisation’s network.

“So in every breach that I ever worked on, maybe except for a few government agencies, they [cybercriminals] for the most part were taking advantage of how we function as security groups – taking advantage of blind points in a large environment,” he said.

He said organisations were struggling with making sense of telemetry data across up to hundreds of thousands of end points rather than implementing technology to protect against next-generation threats. These threats could include an advanced nation state attack where crooks embed malware in a piece of hardware.

“But that’s such a low risk. I can’t count how many times I’ve asked people how many systems they have in their environment? And they say, ‘well, between 40,000 and 50,000 systems.’ That’s a big discrepancy.

“It’s that visibility that organisations lack. My message is stop focusing on the big ticket items that are maybe a little bit too advanced and aren’t really solving the challenges that most organisations are dealing with now,” he said.

Damato added that in many breaches, local user accounts would be shared among a number of different computers.

“So basically, if I get a password from one system, I can then spread across to other systems very easily using that credential. It’s the equivalent of if you had a lock on your door and you lost that key and I could pick that key up and use it in a bunch of other locks elsewhere.

“It’s very difficult for organisations to determine where that account exists, who’s using it, when it’s used or if it’s even required,” he said.

Damato has worked with organisations to reduce the external fallout of a data breach. Earlier this year while managing director at Mandiant – which was bought by FireEye in early 2014 – Damato was hired to investigate the data breach at US health insurance giant, Anthem, which exposed 78.8 million customer records.

“A lot of those organisations that hired me in the past … I’ve helped them provide crisis management and communications and all the things that surround making sure an incident is well managed from a communications and regulatory perspective.

“But a lot of data breaches remain silent and if there’s no reason to report them, it’s very rare that you actually see a breach in the news,” he said.

Industries such as mining in Australia are heavily targeted by nation states or at least were for a number of years, he said.

“Those aren’t things that are always reported in the news. Australia has a number of very high profile corporations that make really interesting things and there’s definitely nation states out there not stealing personal information but intellectual property which we probably never hear about.”

Follow CIO Australia on Twitter and Like us on Facebook… Twitter: @CIO_Australia, Facebook: CIO Australia, or take part in the CIO conversation on LinkedIn: CIO Australia

Follow Byron Connolly on Twitter:@ByronConnolly