The Ivanti Threat Thursday Update for August 10, 2017: What You Can’t See and Don’t Know Will Hurt You
Greetings. This week: survey findings of limited visibility for IT and cybersecurity teams, plus a new framework and a new state mandate for cybersecurity training. Please share any opinions, tips, or suggestions evoked by your reading. Thanks in advance.
Survey: Lack of Visibility Hampers Enterprise Cybersecurity
In May, market watchers at Vanson Bourne surveyed 500 IT and security decision makers in the U.S., the UK, France, and Germany. The survey, commissioned by “traffic visibility solutions” vendor Gigamon, revealed some sobering findings about the links between visibility and cybersecurity.
- “Sixty-seven percent of respondents cited network ‘blind spots’ as a major obstacle to effective data protection while 50 percent of those, who do not have complete visibility of their network, reported that they lacked sufficient information to identify threats.”
- “Seventy-two percent of respondents report that they have not scaled their monitoring and security infrastructure to meet the needs of increased data volume.”
- Seventy-eight percent of respondents have no consistent way of accessing or understanding network data, while 48 percent “did not possess information on what is being encrypted in the network.”
What We Say: Your ability to protect and defend your IT environment from cybersecurity threats relies heavily on the ability to see as much of that environment as possible. This includes hardware, software, users, and actual and possible vulnerabilities. Your multi-layered defenses must include comprehensive, accurate discovery and inventory of all critical hardware and software, reporting that delivers clear, actionable information, and analytics that enable effective planning and decision making.
NIST Makes “NICE” with Cybersecurity Training
The U.S. National Institute for Standards and Technology (NIST) first published its widely supported Framework for Improving Critical Infrastructure Cybersecurity in February 2014, and released an update for industry comments in January 2017. This month, NIST released the first version of a new framework as part of a larger initiative: the National Initiative for Cybersecurity Education, or “NICE.”
The NICE Cybersecurity Workforce Framework intends to provide “a reference structure that describes the interdisciplinary nature of the cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization.” NIST also intends for the NICE Framework to provide a starting point from which organizations can develop additional resources “to define or provide guidance on different aspects of cybersecurity workforce development, planning, training, and education.”
What We Say: NIST and promulgators of other popular cybersecurity frameworks and guidelines agree. Given the rise in number and sophistication of user-centered attacks such as phishing and social engineering, user education must be part of any efforts to achieve defense in depth. NICE is focused on helping to train and advance the careers of the cybersecurity workforce. However, for maximum effectiveness, cybersecurity education efforts must embrace customers, partners, and internal users – including IT and cybersecurity teams. Given the broad worldwide support for its Cybersecurity Framework, NIST’s new initiative and framework should prove worthy foundations for education and training efforts at your enterprise. (See “Three Things You Can Do Now to Increase User Contributions to Cybersecurity at Your Enterprise.”)
Illinois Mandates Cybersecurity Training for its Employees
On the heels of the NICE Cybersecurity Workforce Framework release, Illinois Governor Bruce Rauner signed into law the requirement for all state employees to undergo cybersecurity training. "Employees are our first line of defense," Gov. Rauner said in a statement. “Cybersecurity is no longer just an IT issue. It is a public safety issue, and we will do all we can to protect the residents and infrastructure of our state."
“With this legislation, Illinois becomes the 15th state to adopt a mandatory cybersecurity awareness training for state employees. States are increasingly the targets of attacks, and security threats pose a daily risk in the state's ability to serve taxpayers and protect critical and confidential information,” the statement said.
What We Say: Federal, state, and local government agencies are particularly attractive targets to online malefactors. Systems at those agencies are rife with highly valuable personal, private, and confidential information about constituents and the agencies themselves. Disruption of such systems is also a goal of online attackers. As they become increasingly reliant upon their IT environments to do business and deliver services, government agencies must integrate cybersecurity into all aspects of their operations and cultures. Those agencies must improve the security of incumbent technologies, while modernizing IT wherever possible to achieve maximum protection. (See “Government: Deliver an Excellent User Experience without Compromising Security or Compliance.”)
Protect and Defend Your Enterprise with Ivanti
Ivanti can help you translate guidelines, recommendations, and user and business requirements into effective, coordinated, multi-layered defenses and protections. We help fight ransomware and other malware with solutions for patch management and control of user applications, devices, and admin rights. (We also have solutions to help federal, state, and local government agencies modernize and secure their IT environments.)
Through September, combinations of select Ivanti cybersecurity solutions are available at discounts of up to 30 percent. Check out the offer details. And keep reading our Patch Tuesday and Threat Thursday updates, to keep abreast of the latest cybersecurity threats and your best responses to them.