As data breaches continue despite the massive amounts of money being spent on cybersecurity, it’s important for organizations to significantly improve their vulnerability management (VM) systems, according to Rahim Jina, COO and co-founder of Dublin, Ireland-based cybersecurity company Edgescan.
Speaking during a morning technology breakout session called “Vulnerability Management – From B Movie to Blockbuster” at the annual Content Protection Summit, presented by the Content Delivery & Security Association (CDSA), he pointed to several companies he noted all had one thing in common: “They have all been hacked.”
That’s despite the fact that they’re all large companies and at least some of them have “large security budgets” with “dedicated security people,” he said.
Jina noted that he recently added Marriott to that list of hacked companies, after it was reported the hotel giant had been the victim of a massive security breach.
“So, why do these things keep happening?” he asked rhetorically, noting that spending large sums of money on cybersecurity didn’t seem to be making companies less likely to be hacked.
“Obviously it’s not a matter of maybe we’re not spending enough money,” he said. Rather, he said: “Maybe it’s just we’re not doing it smartly enough” and “getting a vulnerability management program working is a good start.”
How organizations approached VM in the past just doesn’t cut it anymore with today’s technology stack and development methodologies, so companies need to shift their VM programs away from the B-movie level status quo and towards a blockbuster-level program, according to Jina. Unless they want to keep playing what amounts to a never-ending game of blind whack-a-mole, that is.
In the past, organizations have typically checked their VM systems for about two weeks once a year and that was it, Jina noted. One major mistake that “happens all the time” is that people download dated, “vulnerable versions” of software, “so straight out of the box, they already have problems,” he said. When conducting a test of a system’s vulnerabilities, meanwhile, it’s important to make sure you’re not just testing certain components, but are testing the entire application and “not just hitting the front wall,” he said.
It’s also important that an organization be able to view its vulnerabilities at any given time because “we can’t improve what we can’t measure,” he said.
He went on to cite internal data for 2017 that, he said, showed, “by sheer volume, 73 percent of all the vulnerabilities we found were in the network and host layer,” while only “27 percent were found in the application layer.” But the “most severe issues”—issues presenting “critical risk”—tended to be in the app layer, he told attendees. In comparison, only 2 percent of all issues in the network layer were critical, he said.
Edgescan is working on an updated report including 2018 data that it plans to release in January, he said.
The 2018 CDSA Content Protection Summit was presented by SafeStream and sponsored by Edgescan, Microsoft Azure, LiveTiles, Aspera, Amazon Web Services, Convergent Risks, Dolby, Illumio, NAGRA, EIDR, the Trusted Partner Network (TPN), Videocites, Human-i-t, Telesoft and Bob Gold and Associates. It was produced by the Media & Entertainment Services Alliance (MESA) in association with CDSA, the Hollywood IT Society (HITS), Smart Content Council and Women in Technology Hollywood (WiTH).