Brian Pennington

A blog about Cyber Security & Compliance



Over 35% of organisations in the energy sector are not able to track threats

Tripwire 2016 Energy Survey: Physical Damage

Tripwire’s 2016 energy study was conducted by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The study was carried out in November 2015, and respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.

“After hundreds of years protecting our nation’s geographic borders, it is sobering to note that possibly the most vulnerable frontier happens to be the infrastructure that runs the largest companies in the country.”

Rekha Shenoy, VP and general manager of industrial IT cyber security for Belden

Does your organization have the ability to accurately track all the threats targeting your OT networks?

In your opinion, is your organization a target for a cyberattack that will cause physical damage?

Is your organization a potential target for a nation-state cyberattack?
“The incredibly high percentages of these responses underscore the need for these industries to take material steps to improve cyber security. These threats are not going away. They are getting worse. We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed. There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today. While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyber attacks.”

Tim Erlin, director of IT security and risk strategy for Tripwire

64% of Organizations are Potential Targets for Nation-State Cyberattacks

According to a recent survey conducted at this year’s Black Hat USA security conference, nearly two-thirds of organizations are potential targets for nation-state cyberattacks.

The survey conducted by Tripwire, which includes responses from 215 conference attendees, also found that 86% of those questioned have seen an increase in these targeted attacks directed at their network over the last year.

Even more alarming, however, was that despite the noticeable increase in attacks, less than half of the respondents (47%) said confidence in their organizations’ ability to detect and respond to a cyberattack grew in the last 12 months.

“Organizations know they are being actively targeted and that their current capabilities aren’t enough to consistently detect and defend against these attacks,” said Tim Erlin, director of IT security and risk strategy for Tripwire.

“While new defensive technologies are constantly being developed, organizations are hard-pressed to deploy these new tools effectively,” he said.

Erlin noted that in many cases, these organizations would do well to evaluate their investment in foundational security controls.

Additional findings from the Black Hat USA 2015 survey include:

  • 64% of respondents said targeted attacks against their networks have increased over the last year by 20% or more.
  • 53% of respondents said they do not have the visibility necessary for accurate tracking of all the threats targeting their networks.
  • 41% of respondents said they have seen a significant increase in the number of successful cyberattacks in the last 12 months.

How Cyber Security Literate is the board?

Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.

The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.

Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their boards’ cybersecurity knowledge, with 26% stating their boards only step in when there is a serious incident.

While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,” 29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”

“There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they don’t fully understand the business impact of these risks.”

Other key findings include:

  • 28% of IT professionals “don’t have visibility” into what the board is told about cybersecurity.
  • 47% were “not concerned” about their board’s knowledge of cybersecurity.
  • In the event of a cyberattack, respondents would be most concerned about customer data (62%), damage to brand and reputation (50%) and financial damage or stock price (40%).
  • 35% of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cybersecurity awareness, while other respondents felt that Heartbleed (19%) had a bigger impact than the Target or Sony breach and the Snowden leaks (17% and 8%, respectively).

“Most organisations are not struggling with communication tools,” said Melancon. “They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”

Retail and Financial Sectors Overly Confident About Breach Detection

Atomic Research have announced the results of a survey sponsored by Tripwire of 102 financial organizations and 151 retail organizations in the U.K., all of which process card payments.

The survey results indicate that recent data breaches have had little impact on the security controls of retail and financial organisations.

35% said it would take as long as two to three days to detect a breach on their systems

However, according to the 2014 Verizon Data Breach Investigations Report, 85% of point-of-sale intrusions took weeks to discover and 43% of web application attacks took months to discover.

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches,” said Tim Erlin, director of IT security and risk strategy for Tripwire, in response to the findings. “6% of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

The Payment Card Industry Data Security Standard is a security standard that outlines minimum security requirements for organizations that handle cardholder information. When asked how important PCI compliance is to their overall security program, 43% of respondents said it was the backbone of their security program, and 36% said it was half of their security program. However, in order to protect confidential customer data, organisations must apply additional security controls.

Other findings include:

  • 24% of those studied have already suffered a data breach where Personally Identifiable Information (PII) was stolen or accessed by intruders
  • 36% of respondents do not have confidence in their incident response plan
  • 51% of respondents are only somewhat confident that their security controls can detect malicious applications
  • 40% of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security,” said Dwayne Melancon, chief technology officer for Tripwire. “For example, 95% of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

“Furthermore, only 60% of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches,” Melancon continued. “These attitudes seem to indicate a high degree of overconfidence or naiveté among information security practitioners. I believe a number of these organizations may be in for a rude awakening if their systems are targeted by criminals.”

The Tripwire report can be found here.

Tripwire’s second installment of research on the state of risk-based security management with the Ponemon Institute has once again revealed some interesting insights into the workings of the IT Department. 

The survey covers risk-based security metrics and evaluates the attitudes of 1,321 respondents (749 U.S. and 571 U.K.) from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management.

The key findings from the survey are:

  • 75% of respondents say metrics are ‘important’ or ‘very important’ to a risk-based security program
  • 53% don’t believe or are unsure that the security metrics used in their organizations are properly aligned with business objectives
  • 51% don’t believe or are unsure that their organization’s metrics adequately convey the effectiveness of security risk management efforts to senior executives

When asked, “Why don’t you create metrics that are well understood by senior executives?”:

  • 59% said the information is too technical to be understood by non-technical management
  • 48% said pressing issues take precedence
  • 40% said they only communicate with executives when there is an actual security incident
  • 35% said it takes too much time and resources to prepare and report metrics to senior executives
  • 23% of U.S. respondents and 20% of those in the U.K. think security metrics can be ambiguous, which may lead to poor decisions
  • 18% said senior executives are not interested in the information

So, why isn’t communication between security professionals and executives more effective? Respondents were asked to select all the factors that apply from a list of nine possible reasons, and their answers present a wide range of serious challenges. The top three responses include organizations hampered by siloed information, presenting information not easily understood by non-technical managers, and the practice of filtering “bad news” from the C-suite.

  • 68% of U.S. and 57% of U.K. respondents say communications are confined to one department or line of business
  • 61% say the information is too technical and occurs at too low a level
  • 59% state that negative facts are filtered before getting to executives

Commenting on these results, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said,

“Even though most organizations rely on metrics for operational improvement in IT, more than half of IT professionals appear to be concerned about their ability to use metrics to communicate effectively with senior executives about security.”

“These results correlate with the dozens of conversations we have been having with CISOs across the globe,” said Rekha Shenoy, vice president of marketing and corporate development at Tripwire.

“CISOs talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies. Unfortunately, they struggle with the bigger challenge of producing meaningful metrics while those they use are rarely aligned with business goals.”

Tripwire summary

While the majority of security professionals agree they need significant amounts of data in order to build a culture of accountability, they aren’t sure how to distill this information into metrics that are understandable, relevant and actionable to senior business leadership. Business metrics tend to reflect the value of strategic goals rather than technical goals, and may prioritize cost over less tangible security benefits. Security metrics tend to reflect operational goals and may prioritize technical improvement over business context.

The State of Risk-Based Security Management

The Tripwire sponsored Ponemon study called “The State of Risk-Based Security Management: United States” is designed to discover what organizations are doing with respect to Risk-based Security Management (RBSM), where RBSM is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system.

My summary of the document is below.

  • 77% express significant or very significant commitment to RBSM
  • yet 52% have a formalized approach to it
  • 46% have actually deployed any RBSM program activities

Of those that have a formal function, program or set of activities dedicated to RBSM, 74% have partially or completely deployed some or all RBSM activities. It appears that having a formalized strategy or plan for RBSM is an important precursor for ensuring that RBSM activities are deployed.

41% of respondents say that their organizations do not categorize their information according to its importance to the organization. Organizations must take this step to make informed, rational decisions about what data is most critical to protect.

Only 45% have specific metrics for determining RBSM effectiveness. Those responsible for the program need a scorecard that demonstrates its success in order to secure funding and resources.

Few organizations have achieved a balanced approach with their preventive and detective controls. While most (80 to 90%) deploy the majority of necessary and appropriate preventive controls, only around half deploy the majority of necessary detective controls.

30% of organizations have no formal RBSM strategy for the enterprise, and almost a quarter (23%) have only an informal or ad hoc strategy.

The existence of a formal RBSM function, program or set of activities

  • Yes 52%
  • No 48%

The existence of a risk management strategy

  • 30% Do not have a strategy
  • 24% Formal but inconsistently applied strategy
  • 23% Informal or “ad hoc” strategy
  • 23% Formal and consistently applied strategy

The US and UK (25 and 36%, respectively) are less concerned about regulatory non-compliance than Germany and the Netherlands (60 and 58%, respectively). This can be attributed to the strict rules governing the handling of personal and sensitive information in Germany and the Netherlands.

Organizations in Germany and the Netherlands have more concern about the cloud than the US and UK. Specifically, 65% of German organizations and 59% of organizations in the Netherlands are concerned or very concerned about software as a cloud service. In contrast, 46% of US and 48% of UK organizations are concerned or very concerned.

US organizations are far more concerned about the human factor risk to their IT infrastructure today and in the immediate future. Specifically, 71% of respondents from US organizations say they are concerned about malicious insiders. In the UK that number drops to 49%.

A larger gap exists between the US and Germany (32%) and the Netherlands (16%). The US and UK are more concerned about employee carelessness (66 and 65%, respectively) than Germany and the Netherlands (34 and 38%, respectively).

Threats to information security faced by organizations

The greatest rise of potential security risk within today’s IT environment

Find the full report here.

