During a recent SearchCompliance webcast, Bulb Security LLC founder Georgia Weidman discussed how modern technology, such as mobility and the IoT, creates numerous cybersecurity gaps for enterprises. Here in part one of this four-part webcast, Weidman discusses how enterprise cybersecurity has become much more difficult as networks become increasingly complex.
Editor's note: The following is a transcript of the first of four excerpts of Weidman's webcast presentation on how enterprise cybersecurity is being influenced by mobile, IoT and nontraditional endpoints. It has been edited for clarity and length.
Georgia Weidman: We're going to talk about compliance gaps in mobile, internet of things and nontraditional endpoints. If you do anything around compliance, you might just say, 'Well, compliance doesn't really cover that, does it?' which is part of the problem, I think. I just did an interview for an article about yet another breach. It was a vendor, so they have to be PCI-compliant. Our hospitals have to be HIPAA-compliant. There's all this compliance, and there are people who keep saying, 'Okay, we're compliant and, yet, this keeps happening.' I think, really, perhaps we should just say, 'Compliance gaps' in the entire world. But in particular, let's talk about my field of interest: mobile, internet of things and nontraditional endpoints, in general.
I heard a really good quote when I was at an ISACA Conference.
Robert Herjavec, the guy from Shark Tank and Dancing with the Stars, was the keynoter. In his presentation, he said that the perimeter isn't the perimeter anymore. He started out basically selling firewalls back in the day when that was new and clever, but that was one of his first businesses and that was the endpoint. All of the traffic went through that endpoint for your enterprise, or that perimeter.
But now, that's not the case anymore. The perimeter has completely changed. There is no perimeter, really. I'm on a phone and a laptop right now. You guys are, possibly, at a work station, but more likely at a laptop, or maybe an iPad. All of those things could be considered the perimeter.
You probably had to enable something like Java or something like that in order to view this presentation at all. Even that act right there is, potentially, giving some security threats access to the machine. Hopefully, we trust ISACA and we trust the platform that this webinar is on to a certain degree, but you never know. When I go and give conference training or give a talk, I have to hook my computer up to any unknown projector. I have to do this because if I'm going to get paid, I have to give my training. But, in fact, I'm doing absolutely the thing that I tell people to be wary of, which is never run unknown, untried code that people I just met as I got off the plane are telling me to use.
I think we're really stuck in the Dark Ages in a lot of ways. We want to treat enterprise security as just how it was when there was a firewall, and that was the perimeter. If we just checked everything that was going in and out of that perimeter, everything was, basically, good.
My CEO drew this picture. If you're in the IT department at the enterprise, this is what you have on the wall. This is your network that you are in charge of defending if you are the security team.
The first mistake I see our junior pen testers or security people make is to say, 'Well, I'm just going to map the entire network.' And I say, 'Well, the entire network is really big. You'll be here all week just doing that. So you're never going to get, necessarily, a really great picture of everything that's out there.' This is a really hard task to keep up with even just asset management of these entire networks, much less the security posture.
We give people on the defense side a lot of flak. I think we say, you know, 'How is it you can't patch MS08-067? It's from 2008. You've had all this time to patch it. Why is it still in your enterprise?' But, anyway, you're talking about, potentially, hundreds of thousands of machines. It's not necessarily that easy a thing to do. I can't keep my computer in my house updated all the time, but it's always telling me I have to update it and I have to restart. In a lot of ways, enterprises are still like this. They've just gotten more complex.