Security United States

US Cyber-Defense Agency Urges Companies To Automate Threat Testing (bloomberg.com) 13

The US government's cyber defense agency is recommending for the first time that companies embrace automated continuous testing to protect against longstanding online threats. From a report: The guidance, from a cluster of US and international agencies published on Wednesday, urges businesses to shore up their defenses by continually validating their security program against known threat behaviors, rather than a more piecemeal approach. "The authoring agencies recommend continually testing your security program, at scale," according to an alert from the Cybersecurity and Infrastructure Security Agency and several other US and international agencies. The alert warned malicious cyber actors allegedly affiliated with the Iranian Government's Islamic Revolutionary Guard Corps are exploiting known vulnerabilities for ransom operations. An official at CISA told Bloomberg ahead of the announcement that emulating adversaries and testing against them is key to defending against cyberattacks. Central to the effort is a freely available list of cyberattackers' most common tactics and procedures that was first made public in 2015 by MITRE, a federally funded research and development center, and is now regularly updated. While many organizations and their security contractors already consult that list, too few check if their systems can actually detect and overcome them, the CISA official said.
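The recommendation above is to keep checking, at scale, whether the security program actually detects the behaviours on MITRE's list rather than only consulting it. The following harness is an added illustration of that idea, not code from the article, CISA or MITRE: it encodes a few known behaviours as the telemetry they would leave, runs the organisation's detection rules over that telemetry, and reports per technique whether the behaviour was detected, missed, or has no rule at all. The technique IDs follow MITRE ATT&CK numbering (the framework the article describes only as MITRE's 2015 list), the rules are modelled on common SIEM content, and every event, hostname, IP and path is constructed for the example.

```python
"""Detection-validation harness (added example; every event and rule is
constructed for illustration).  Technique IDs use ATT&CK numbering."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    source: str      # telemetry stream: "process", "process_access", "auth"
    fields: dict


@dataclass
class Rule:
    name: str
    technique: str                              # ATT&CK technique the rule covers
    matcher: Callable[[List[Event]], bool]      # evaluated over a window of events


@dataclass
class TestCase:
    technique: str
    description: str
    events: List[Event]                         # telemetry the behaviour would leave


# ---- detection rules (hypothetical, modelled on common SIEM content) ----

ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def encoded_powershell(events: List[Event]) -> bool:
    """PowerShell started with an encoded-command switch."""
    for e in events:
        if e.source != "process":
            continue
        image = e.fields.get("image", "").lower()
        tokens = {t.lower() for t in e.fields.get("cmdline", "").split()}
        if image.endswith("powershell.exe") and tokens & ENCODED_FLAGS:
            return True
    return False


def lsass_access(events: List[Event]) -> bool:
    """A process outside a small allowlist opened a handle to LSASS."""
    allowed = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}  # constructed
    for e in events:
        if e.source != "process_access":
            continue
        caller = e.fields.get("source_image", "").lower().split("\\")[-1]
        target = e.fields.get("target_image", "").lower()
        if target.endswith("lsass.exe") and caller not in allowed:
            return True
    return False


def password_spray(events: List[Event], threshold: int = 5) -> bool:
    """One source address failing authentication against many distinct users."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.source == "auth" and e.fields.get("outcome") == "failure":
            users_by_ip[e.fields["src_ip"]].add(e.fields["user"])
    return any(len(users) >= threshold for users in users_by_ip.values())


RULES = [
    Rule("Encoded PowerShell command line", "T1059.001", encoded_powershell),
    Rule("Non-system process opened LSASS", "T1003.001", lsass_access),
    Rule("One source, many failed users", "T1110.003", password_spray),
]

# ---- behaviours to validate against (constructed telemetry) ----
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CASES = [
    TestCase("T1059.001", "PowerShell launched with an encoded command",
             [Event("process", {"image": PS,
                                "cmdline": "powershell.exe -nop -w hidden -enc <base64 placeholder>"})]),
    TestCase("T1003.001", "Unknown binary opens a handle to LSASS",
             [Event("process_access", {"source_image": r"C:\Users\Public\tool.exe",
                                       "target_image": r"C:\Windows\System32\lsass.exe"})]),
    TestCase("T1110.003", "Password spray: one IP, many users, all failures",
             [Event("auth", {"src_ip": "203.0.113.7", "user": f"user{i:02d}", "outcome": "failure"})
              for i in range(6)]),
    TestCase("T1053.005", "Scheduled task registered for persistence",
             [Event("process", {"image": r"C:\Windows\System32\schtasks.exe",
                                "cmdline": "schtasks.exe /create <constructed args>"})]),
]

# Normal activity that must NOT fire any rule (constructed).
BENIGN = [
    Event("process", {"image": PS,
                      "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}),
    Event("process_access", {"source_image": r"C:\Windows\System32\csrss.exe",
                             "target_image": r"C:\Windows\System32\lsass.exe"}),
    Event("auth", {"src_ip": "198.51.100.4", "user": "alice", "outcome": "failure"}),
]


def validate(rules: List[Rule], cases: List[TestCase]) -> Dict[str, str]:
    """Per technique: 'detected', 'missed' (rule exists but did not fire) or 'no_rule'."""
    by_technique = defaultdict(list)
    for r in rules:
        by_technique[r.technique].append(r)
    report = {}
    for case in cases:
        applicable = by_technique.get(case.technique, [])
        if not applicable:
            report[case.technique] = "no_rule"
        elif any(r.matcher(case.events) for r in applicable):
            report[case.technique] = "detected"
        else:
            report[case.technique] = "missed"
    return report


def false_positives(rules: List[Rule], benign: List[Event]) -> List[str]:
    """Names of rules that fire on the benign window."""
    return [r.name for r in rules if r.matcher(list(benign))]


def coverage(report: Dict[str, str]) -> float:
    """Fraction of validated techniques that were detected."""
    return sum(1 for s in report.values() if s == "detected") / len(report)


if __name__ == "__main__":
    rep = validate(RULES, CASES)
    for technique, status in rep.items():
        print(f"{technique}: {status}")
    print(f"coverage={coverage(rep):.0%} false_positives={false_positives(RULES, BENIGN)}")
```

Run on a schedule, the useful output is the trend: a technique that flips from "detected" to "missed" after a rule change or a logging outage is exactly the regression a one-off assessment would never catch, and "no_rule" entries are the coverage gaps the CISA official describes. The benign window keeps the exercise honest; a rule that passes every case by firing on everything is not detection.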
  • by rsilvergun ( 571051 ) on Wednesday September 14, 2022 @01:49PM (#62881897)
    And pay for it this quarter.

    Companies have been treating IT workers as disposable for some time in an effort to keep wages trending down. It's worked, with IT workers making significantly less, inflation adjusted, than 20 years ago (even post .com boom).

    But it means nobody plans to stay at a job. So all that matters is this quarter. Next quarter is somebody else's problem. And the only way to get ahead is to move to another company and then come back. Finally you have to get ahead because raises don't keep pace with inflation (again, need to keep those wages trending down).

    The goal is to get in, get experience, and move to another job before the shit hits the fan. And if you happen to be the guy where the shit hits the fan you just blame the guy before you because none of you were in the job that long.
    • It's like employment is a pyramid scheme!

    • I'm glad I got out of IT when I did. The salaries on the job offers I was getting were ever decreasing. By the time I got out - 2015 - the starting pay on some of the offers from recruiters was down to what amounted to $10 an hour...these were jobs that were requiring a 4 year degree!
      One year with AttackIQ is $300,000 according to TFA, and the average salary of a cybersec nerd is somewhere around $60-$70k a year. So are they really going to be saving money?
    • This is something I wonder if governments should finance, just so it is universally available, and companies can't use "oh, costs too much to license and security has no return on investment anyway, so why bother?" Having a government offer these tools contracted from a private company would at least yank part of that excuse away. To boot, the company that was contracted would make a windfall as they could offer more products and training. The fact that the government can say, "we gave you tools and docu

      • The catch is that this kind of testing must be continually adapted. New threats are emerging all the time, and simulating them is not always going to be easy. I'm not even sure that you *can* simulate the most serious threats, because those often use specific knowledge about the target. For example, knowing the account naming scheme, or the password requirements, or the brand of firewall in use, or...

        If the government were in charge, they would probably still be testing against Windows XP... Finding the lo

      • What are you a socialist?

        Jokes aside, no. No more handouts to wealthy corporations. If the government wants to get involved with corporations they can buy shares of voting stock and then vote on the board of directors for how they want their money spent. Or I should say my money. And yours. No. More. Handouts. Not to corporations with tons of money and cash. These aren't individuals, these are businesses.
    • Companies don't want to pay for backup systems / failover / etc as well.
      Some places have even staffed down so you can have 1 guy doing the work of what used to be 3 so things can be missed / passed over / not done.

    • Exactly. Does anyone remember Oldsmar Fl, momentarily famous for having their water treatment plant "hacked"?

      12 facilities
      156 employees total with 1 IT supervisor, 1 GIS Analyst, 1 Analyst, 1 Support Specialist. They were using one of the web-accessible remote desktop tools because the computers controlling the systems were not located where the IT guys normally sat.
      Nothing in the budget for outside IT consulting/support.
      • by davidwr ( 791652 )

        They were using one of the web-accessible remote desktop tools because the computers controlling the systems were not located where the IT guys normally sat.

        There are ways to do this with an acceptable degree of security, but it will cost you.

        TANSTAAFL.

  • by bradley13 ( 1118935 ) on Wednesday September 14, 2022 @02:38PM (#62882069) Homepage

    Putting something like that in place is only possible for a company with a long-term perspective. Current incentives, especially at the CxO level are completely absent.

    Just as an example: I was working as an external consultant for a major international company, when the CIO had the brilliant brainwave to outsource their entire IT support department. He saved lots of money, and departed with a lovely bonus. Turns out that the outsourced support only spoke broken English, and broken English at that (I live in a German speaking area). Surprisingly, it turns out that you cannot swap out a mouse or replace a cable by remoting into a machine. So that was a disaster. The new CIO came and re-insourced support, which solved lots of problems. Departed with a lovely bonus. Nowhere in any of that was there a single thought about the long-term. It was about short-term goals and, cynically, about cashing in that bonus before departing to the next career stop.

    How do you fix this? How do you make the decision-makers care about - not the next quarter or the next year - but the next decade?

    • By making them individually responsible for their decision making. If they have to worry about the government coming after their summer mansion because one of the companies they fucked over 15 years ago had a massive IT security breach, they'll double check that the "brilliant brainwave" really is brilliant before OKing it.
