In most organisations we use some combination of waterfall and
agile development to deliver new business functionality. Unfortunately,
security is rarely the first consideration; in fact it is often an
afterthought.
For most large-scale projects there is a traditional SDLC, or
waterfall, approach: a formal requirements stage followed by formal
testing to validate that the specifications are met. Such projects
almost always have a Non-Functional Requirements document that lists
"Security" as one key element.
In this model security is more like a degustation menu: there is an
expected additional course (stage) dedicated to the security test, to
ensure that all needs are met. Even for critical projects under time
pressure, adequate security testing is usually performed.
Agile Security
In the agile world, a series of sprints is undertaken to build
functionality and, by definition, the requirements are not all known in
advance. They are embodied in the stories that are built and developed
in each sprint.
As the design is made on the run, there is limited bandwidth and
opportunity to consider the security needs of the new system. Indeed
there is a strong temptation to believe that security can be bypassed.
Time is of the essence for nearly every digital project that I
have seen. Thus the team naturally wants to deliver these new features
into production as quickly as possible.
Let's remember that a philosophy of MVP, or minimum viable product,
is preached, so the team is pushed not to over-engineer and to keep
development to the thinnest possible slice.
A Security Sandwich
The so-called "Security Sandwich" approach is about adhering to
robust security within the agile framework. In practice this means
adding stories that cover the security risks, and integrating them into
the development process alongside the functional stories.
Writing a security user story is, however, not that easy for the
average agile developer. It requires a strong holistic sense of how the
story fits into the overall picture. Understanding the overall threat
model therefore becomes part of the developer's responsibility: we have
to look at what threats exist, which assets they affect, and what their
impact might be.
A risk-based approach will always help get to the real essence of
what the security story needs to cover. This is especially the case
because it is often politically unacceptable to have a release delayed
by a "security test".
In the agile world there is an expectation of continuous delivery and frequent releases.
Compounding this is the fact that security tests are usually about
vulnerabilities that exist between different systems and components,
not within one unit of code, so test automation is going to be tricky.
Best Practices for Agile Security
This is a developing area and there are no simple security metrics
that can be pointed to as "the answer". Best practice is to ensure that
security stories are part of the sprints and not a discrete activity
before the release goes live. You have to design it in.
It is only possible to tackle security in an agile way: testing as
we go, not a "big bang" at the end. The developer has to take this task
on and not rely on a specialised security team to give the "all clear"
before release. Thus developers are both debugging and finding security
vulnerabilities, ideally on a daily basis as the builds are produced.
The dual objective is to build software both quickly and securely. That is the Security Sandwich.
As the boundaries between work and leisure blur, this becomes an
increasingly difficult question to answer. It is no longer the case
that all files remain physically within the building; in truth corporate
data is accessed from many locations and devices.
The real question remains: do we know when an employee is going to
leave with corporate data? What clues exist to help you prevent this
from happening?
I do recall some analytics that were run on which employees were the
biggest users of external internet access. At the time it was just my
team monitoring whether the recently changed policy of removing usage
quotas was being abused or not.
My own observation at the time was that there was a correlation
between most of the Top 10 users and what I knew from Management
Committee meetings to be many of the lowest performers in the
organisation.
It’s the Quiet Ones
Often it is the individuals you don't suspect who are the staff you
need to monitor more closely.
This is particularly true of employees who are about to leave. Often
they are the ones not taking leave. They may also be the diligent ones
who are always working late when others have already left the office,
or, in the case of mobile workers, the staff who are logged in from
home.
I've also seen first-hand that what a normal person would consider
acceptable use of corporate assets gets misinterpreted. I remember a
staff member who "borrowed" laptops to fund his gambling habit. Yes, I
did say "borrowed"; that was the way he explained the situation.
At the time, however, I was more concerned about the potential data loss than the physical asset.
Silver Bullets
For most organisations, the approach to stopping employees leaving
with data usually revolves around deploying a Data Loss Prevention (DLP)
tool and/or email filtering tools. The real question is how effective
such tools are at preventing the company's secrets from leaving the
building.
In reality there are very few silver bullets. These tools can be
effective, but they cannot provide 100% prevention. They are like an
umbrella that is expected to keep you dry when it rains: you are clearly
better off with one, but you will still get wet.
A DLP tool can stop staff who use an expected path to remove information, and that is where the story ends.
Gaps and Holes
It is the unexpected path where the damage is done. Most
organisations also try to prevent unauthorised use of Dropbox, Google
Drive and similar tools. The logic is sound: blocking access to these
services for the user group should prevent files being sent outside the
firewall without permission.
The truth is that there is a multitude of tools that provide the same
functionality, and a static blacklist is just not dynamic enough to keep
up.
It is only at some of the major Indian outsourcers that you see USB
ports disabled and smartphones with cameras outlawed. Elsewhere, iPhones
and Samsung phones are everywhere, so a simple photo of a screen of data
is a way sensitive information can literally walk out the door.
What about old-fashioned printed copies? Printing may be monitored, but we really don't check suitcases for removal of documents.
Social Media analysis
There are clues to be found by mining LinkedIn, Facebook activity and
so on, correlating poor performers with what these staff are posting on
social media. There are specialist companies that do remarkable
forensics to understand who is connected to whom. This analysis can look
back in history and see patterns even after friends and connections have
been removed.
Taking a larger data set (not quite big data) of negative social media
posts together with poor performance ratings and absenteeism can give
you some interesting insights.
Yes, you can predict employee engagement and, more specifically, when employees are likely to leave with corporate data.
In my experience it is often a failure or oversight that leads to a
major issue. In large enterprises the major risks are usually well
documented and even known. Why then is it that we don't act?
Is this a failure to see? A failure to act? Or, worse still, both?
Getting Numb
Many in IT security have been on this gig for some years; it is not a
place one typically goes for a short period. It tends to attract a
certain kind of IT professional with an interest in and aptitude for
this arena.
A very thick skin is required, as there is always resistance from
various IT parties and partners. My belief is that all this daily
interchange starts to make the IT security professional a little numb
and too accepting of risks on his or her own shoulders.
At other times the role of the IT Security Manager is to raise risks
and "cry wolf"; unfortunately, while courage is a required attribute, it
soon runs out. As a diligent IT Security Manager you will have to go
into battle often, and how others respond to you has a real impact.
This is not usually overt resistance but passive silence, which can be just as unnerving.
Top down Thinking
I recall a time when I was CIO and Chief Privacy Officer for a $1B
company and, with my hybrid business and IT team, we had to tackle a
number of behavioural issues.
The situation was:
1) Less than 20% compliance with IT security and privacy training. The
approach was old-school and antiquated, and there were no teeth to
enforce it.
2) We operated in 50 offices, and most of these did not comply with
physical or logical security: PCs were left logged on, passwords
shared, laptops not locked away, desk drawers and printed faxes left
around, filing cabinets unlocked.
Gamification with Teeth
As we were in Japan, I had access to some great game developers, and
we decided to start with a complete overhaul of the training. All staff
were told that it was now mandatory, with online verification, and that
to pass they would have to complete a 10-minute game.
Red Pig, Yellow Pig and Green Pig: as you wandered around your office
you had to comply with the policy to lock drawers, filing cabinets and
so on. It was a simple game and actually a little fun.
The result was 100% compliance, even for our 1,000 sales reps, who are
always too busy to take the test. While there was some level of threat
and a demand that the training be completed by a certain date, this was
still quite amiable.
Once all staff were trained, which was completed within two weeks, we embarked on stage 2: adding the teeth.
Pig Hunting
My team embarked on dawn raids across all our offices. These were
unannounced, and we walked the floors looking for non-compliance with
security. Where laptops were left out, drawers unlocked or offices left
open, we entered and left a Red or Yellow Pig sticker.
We also recorded the location of the offender against the floor plan.
This was later shared in full detail at Exco, with follow-up in the
ensuing months.
While the sticker idea looked "light", it also carried a warning that
a repeat offence would result in an HR warning letter.
We took no prisoners: even the CEO had left his office unlocked, and his EA was not happy. We taught, we saw and we corrected.
The success of the program was all about changing behaviour and making
it part of the culture: what was acceptable and what wasn't.
There was no ambiguity, and it was clear that within six months we
weren't going to change course. In fact we had agreed that we would
become even more stringent.
For instance, the team started to check whether the multifunction
printers and scanners were being flushed every day so that no sensitive
data was left behind.
Leadership is what matters
The engagement of the team in the activities was strong; they
progressed from wondering why they had been invited into this activity
to taking full ownership and accountability.
I never heard or witnessed an angry response from any of the
non-compliant people. They all understood from the "game" what their
responsibilities were and had to take it on the chin.
In the end this is about getting real ownership of security to where
it matters: the staff who use the systems and processes.
So where are you? Do you have a failure to see, or a failure to act?
I started to use alternative search tools such as DuckDuckGo and my
old favourite Yahoo. Why? I was wary of all the information being
collected by Google, and just wanted to see what it was like to revert
to another tool.
I had used DuckDuckGo some years ago and I remember it being better
than it is now. It felt cumbersome and I had to spell out fully what I
was searching for.
Google's "anticipating" is a feature I've gotten used to; I just
expect my mind to be read. Not finding what I was looking for
immediately was a strange and unsettling feeling.
This made me think about the Dark Web, where the content is not
searchable.
Deep, Dark, Hidden
These are all names given to information that is not indexed and hence invisible to our normal view.
What we know as the web is in fact also termed the "surface web".
There is another world that is not easily accessible: this is called
the Deep Web, and the so-called Dark Web is a part of this opaque zone
that exists out of sight.
The Dark Web grew out of a US defence need to communicate anonymously
from remote locations. Because anonymity only works in a crowd, it was
critical that there be more than just spies talking to each other, so
the technology was opened up for the masses to use as a channel too.
How Big?
It is not well defined, but it is commonly claimed that the Deep Web
is 400-500 times larger than the World Wide Web we see every day. Since
it is not searchable, these are mere estimates and no one really knows.
It is also expected that the content of the Deep Web will continue to
grow and, with digital data exploding, the gap that already exists will
only increase.
Peeling the Onion
This all started with Tor, "The Onion Router", a service first
released in 2002. Its origins lie with the US Navy and an attempt to
protect confidential communications.
Messages are wrapped in multiple layers of encryption, one per relay
on the path. Each relay can decrypt only its own layer, which reveals
the address of the next hop and another still-encrypted layer to pass
on; no single relay sees both the original sender and the final
destination.
In this manner the identities of sender and receiver are protected
from the prying eyes of governments and any other entity. It is ironic
that this was created by the US government, which applauded when Tor was
used to enable freedom of speech in the Middle East and other countries
where information could not easily be shared.
However, since the Edward Snowden and WikiLeaks saga, the US government has been concerned about the Dark Web.
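The layered wrapping and peeling described above, as an added example that is not part of the original post and not Tor's own code. It assumes the client already shares one key with each relay (real Tor negotiates these per hop), names the relays "guard", "middle" and "exit", and uses a constructed HMAC-based toy stream cipher in place of Tor's actual relay crypto. Each relay decrypts exactly one layer, learns only the next hop, and forwards an opaque blob; the last function checks the property the text claims, that no single relay sees both ends.

```python
import hashlib
import hmac
import json
import os
from typing import List, Tuple

# Constructed toy stream cipher (assumption, for illustration only):
# keystream = HMAC-SHA256(key, nonce || counter), XORed with the data.
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


Circuit = List[Tuple[str, bytes]]  # (relay name, key the client shares with that relay)


def build_onion(circuit: Circuit, destination: str, message: str) -> bytes:
    """Wrap `message` in one encryption layer per relay, innermost (exit) first."""
    # Innermost layer: only the exit relay can read the destination and message.
    cell = json.dumps({"next": destination, "payload": message}).encode()
    onion = encrypt(circuit[-1][1], cell)
    # Wrap backwards through the remaining relays; each layer names only the next hop.
    for (_, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        cell = json.dumps({"next": next_name, "payload": onion.hex()}).encode()
        onion = encrypt(key, cell)
    return onion


def relay_process(key: bytes, blob: bytes) -> Tuple[str, str]:
    """One relay peels exactly one layer: it learns the next hop and an opaque payload.
    With the wrong key the layer is garbage and json.loads raises a ValueError."""
    cell = json.loads(decrypt(key, blob))
    return cell["next"], cell["payload"]


def run_circuit(circuit: Circuit, onion: bytes, sender: str = "client"):
    """Forward the onion hop by hop and record what each relay could observe.

    Returns ((destination, message), observations); each observation is
    (relay, previous hop, next hop), the only two identities that relay learns.
    """
    observations = []
    prev, blob = sender, onion
    for i, (name, key) in enumerate(circuit):
        next_hop, payload = relay_process(key, blob)
        observations.append((name, prev, next_hop))
        if i == len(circuit) - 1:
            return (next_hop, payload), observations
        if next_hop != circuit[i + 1][0]:
            raise ValueError(f"{name} decoded an unexpected next hop {next_hop!r}")
        prev, blob = name, bytes.fromhex(payload)


def no_relay_sees_both_ends(observations, sender: str, destination: str) -> bool:
    """The anonymity property: no single relay observes both sender and destination."""
    return all(not ({prev, nxt} >= {sender, destination}) for _, prev, nxt in observations)


def demo_circuit() -> Circuit:
    # Constructed fixed keys so the run is reproducible (assumption).
    return [("guard", b"G" * 32), ("middle", b"M" * 32), ("exit", b"E" * 32)]


if __name__ == "__main__":
    circuit = demo_circuit()
    onion = build_onion(circuit, "example.org", "hello from the client")
    delivered, seen = run_circuit(circuit, onion)
    print("delivered:", delivered)
    for relay, prev, nxt in seen:
        print(f"{relay:6} saw {prev} -> {nxt}")
    print("no relay sees both ends:", no_relay_sees_both_ends(seen, "client", "example.org"))
```

The guard sees the client and the middle relay, the middle sees only relays, and the exit sees the middle relay and the destination (plus the plaintext, which is why traffic to the destination should still be TLS). An observer who watches both the guard's inbound link and the exit's outbound link is outside what the layering alone defends against.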
The Bad Guys do use the Dark Web
More recently the Dark Web has been used by ISIS for recruiting, and
historically it has been the place to buy and sell drugs and weapons.
There is no doubt that the anonymity inherent in this technology has
attracted the bad guys to conduct business in the shadow of the darknet.
But it is also true that the good guys have used the Dark Web to
overthrow governments, or to share information in countries like China,
where it is banned.
It gets a bad rap, but perhaps the Dark Web is not necessarily bad.
Lost in the Dark Space
It is easy to jump to the conclusion that the darknet is for bad guys
and that everything inside it is murky on purpose. In the main, the Deep
Web consists of content that is "private" in nature and perhaps shared
among friends: family photos or scanned records that you don't want
others to see because they are personal, not because they are explicit
or rude.
These fragments exist in the Deep Web and have never been indexed, and are thus not searchable.
Social Media Backlash
Each of us uses various forms of social media, and our identity is in
the main both known and discoverable. Use Google Now and you realise
that Google is reading your emails and anticipating what you are doing,
offering advice on your upcoming flight: it is on time, but the traffic
is terrible.
That can be construed as a good thing and hence a benefit. Personally,
I'd prefer my technology company not to know when I take holidays and
with whom.
I'd argue that over time there will be greater sensitivity to the use
of personal data, and many people will consider that perhaps the Dark
Web is not such a bad place after all.
Not that I'm going to do illegal things, but I'm just not sure I like
the fact that data about my life is being recorded entirely outside my
personal control. Many IT professionals are active on social media and,
without realising it, are part of the Quantified Self movement.
While I don't want my personal information disclosed, I also don't
need this content to be searchable by all.
If you're like most, you face a conflicting challenge around
security: while there is an increased focus on digitalisation of the
business, the threats to the business have not been fully addressed, or
even planned for.
The board has no doubt read reports about the breach at Target in the
USA, and of technology companies such as Sony and RSA having sensitive
information leaked. Board members may not be completely IT literate, but
even the least technically savvy among them is aware of Edward Snowden
and WikiLeaks.
Your goal in presenting to the board is to help them understand the
organisation's current security posture and what additional investment
is required to mitigate risks. How you articulate such technical
elements will be a real personal challenge.
The home
Given the need to be understood by all board members, you will want
to simplify the content of your presentation. Yet this is a risk in
itself: it can be career limiting to gloss over too much detail.
A good analogy to use in your presentation is the idea of a home.
Traffic, both on foot and in vehicles, passes your home all the time.
The majority of it has no interest in your home and passes by without
any threat.
Some external parties, however, may view your house as a target. And,
unlike your own home, every organisation also faces an additional,
inadvertent threat from the people who live within it.
Home Security
Inside the home there are various doors and openings to the outside
world. These entry points have locks and alarms, and in a similar
fashion we can consider how we secure the enterprise.
In cyber security terms each room becomes a "zone", with a perimeter
and monitoring of movement and access into the space.
Many homes also keep extra-valuable items in a safe for additional
protection. For most enterprises the equivalent is credit card data and
customers' personal information. These items are password protected
and/or encrypted, and access to them is restricted, so that the kids
don't play with the crown jewels.
Walk the board through their home
The structure of the average home offers many parallels you can use
to walk the board through the idea. For example, how sturdy is the
front gate? Is it high, and does it appear imposing? From a cyber
security standpoint the firewall provides similar protection for your
network. How robust is your current firewall, and is it fit for purpose?
We all know that even the strongest gate has little value if a side
gate is left open or a wall has a small gap to let the dogs in and out.
For enterprises we check this with regular penetration testing from the
outside in. We also need clear family policies as to who has keys to
the home, where they are kept, whether they can be given to friends or
cleaners, and so on.
Depending on our own security consciousness, we may have engaged a
security company that checks on the property and responds to alerts.
Threats to the Home
There are many threats to the home, and they grow and morph every
day. Hence this is a constant journey, and that is where the home
analogy has its limitations.
Online businesses face threats such as Distributed Denial of Service
(DDoS) attacks, which are like having thousands of criminals trying to
climb your fence at the same time, overrunning the defences in place
and the ability of your guard dog to protect his turf.
The key is that you want the board to be concerned but not in panic
mode. Therefore it is critical that you can show what you have and what
is missing that requires investment.
Making my home into a fortress
'A man's home is his castle', the saying goes, and this is
traditionally the approach we have taken in enterprises: to improve
security we have just added more and more layers of defence. First an
Intrusion Detection System (IDS), the alarm and nanny-cam teddy bear
that spots and records movement in the house, and then an Intrusion
Prevention System (IPS), the guard who actually stops the intruder in
the hallway.
Unfortunately, the fortress mentality has limitations and cannot
guarantee that your home is 100% secure. The complexity of the different
systems makes managing security a non-trivial task.
These measures can all be undone, not only by malicious outsiders but
by a dweller in the home who neglects basic guidelines, such as changing
a server password from the default or applying the latest security
patch. Thus the board needs to understand that investment will need to
be in people, process and technology, not technology alone.
Furthermore, you can't and shouldn't ask for everything to be fixed
immediately. A risk-based approach needs to be adopted, with measures
applied first to the greatest risks to the home.
The Honey Pot
Some newer cyber security approaches revolve around distracting the
bad guys away from your home. The concept of a honeypot is to draw their
attention and, through deception, let them into a decoy system, perhaps
even to access a contrived customer file.
The overall benefit is that you can learn how they attack your home
and the mechanisms that are used to exploit vulnerabilities – and then
improve your security accordingly to protect the real
NABO and Neighbourhood Watch
It is interesting that new incarnations of Neighbourhood Watch are
coming into being with startups like NABO: community-based networks
where people share information and become a local crime-stopper group.
Conversely, in enterprises we often don't want to openly discuss such
matters because we fear disclosing our own vulnerabilities. However, it
is important not to operate in isolation but to share with a small,
trusted community in your industry.
A great example is the British banks, which have set up real-time
intelligence sharing with more than 10 agencies and bodies, creating an
early-warning cyber alert system. Many Australian organisations are
starting to do the same through better collaboration with the
government-backed Computer Emergency Response Team (CERT) and similar
organisations.
Boards lead by example
Good security isn't only about convincing the board to invest: the
board also needs to work within its own ecosystem, working with other
boards to bring their colleagues up to speed. This is not about making
our own fortress so impenetrable that the bad guys go elsewhere, but
about improving security in every organisation. If Australian
organisations can introduce a high standard of cyber security, we are
less of a target as a nation.
Let's remember: if cyber criminals can find your credit card
information on the website of a local liquor store, that is just as
damaging for you, as an individual business and as a person, as if the
information had been stolen from a large enterprise.
Just as in your home, constant vigilance and care are necessary to
ensure security is not only introduced but maintained for the long run.
Once the criminals are in your home they can be hard to get out
completely; you need to make sure they are really gone and no backdoors
have been left behind.
If you cannot ensure this yourself, consider bringing in outside help
so that you and the board can sleep easier at night, knowing everything
has been done to protect your interests.
There is increased scrutiny by the board and management of business
risks and the potential impact of cyber security on operations. As the
person responsible for hiring the new CISO, what are the key criteria
that the candidate "must" have?
In the marketplace there is an overall shortage of experienced CSOs;
I've been asked to refer candidates and it is always a struggle. My bet
is that you won't have a large pool to choose from.
How then will you select your new CISO, and what questions would you
want that person to just nail?
Here are ten questions that I would ask.
Question 1 – As a CISO what keeps you awake at night?
This is a really interesting insight into the person who is going to
be at the helm. While you want this person to be calm in a crisis, it is
also necessary that the CISO is a little paranoid and doesn't sleep too
well.
I'd be concerned if a CISO told me they slept well because they had
already done everything to prepare the organisation. What I would like
to hear is the measures that will be in place, from threat intelligence
to systems monitoring and alerts. This would include social media
monitoring, and looking for patterns that occur across the enterprise
and not just within the silos of the individual tools.
What I really want to hear is that we have a clear framework, know
which dots we are trying to connect, and know what happens when we
think we have spotted such a pattern.
Question 2 – How do you select your team and partners?
This is clearly a role where you want a leader with clarity about
what capabilities their team is great at and where they choose to
outsource and partner externally.
In the interview I would be looking for a really clear message about
the roles of key reports and how they would be managed. The idea of
"trust but verify" is critical in a CISO, and this also applies to any
outsourced service that is acquired.
The key question I would ask is how they know what "good" looks like: what are the key attributes, and why?
Question 3 – Are you confident that you know all the latest vulnerabilities and industry knowledge?
A trick question in my mind; I would be a little nervous of a CISO
who is either over-confident or under-confident. I'd like to hear how
they stay up to date with various sources and what their personal radar
and network provide in terms of intel.
Being able to tap into a powerful and trusted network is critical, as
you "can't know what you don't know", and that is where the external
ecosystem has to support you.
You really want a CISO that doesn’t suffer from ‘Failure to see’.
Question 4 - How do you know which White Hat Hackers you can trust?
I'm not sure there is a correct answer to this question, but you want
to hear a considered response without any hint of recklessness.
This is about personal judgement, and about the due diligence the
CISO has applied in the past. The CISO should talk about countermeasures
that ensure any commissioned white-hat hacking is scoped, contained and
monitored.
As a follow-on question, I would ask how he or she balances the
continuity of reusing the same resource against the risk that
familiarity breeds comfort.
You want your CISO to be both corporate and a bit on the edge: he or
she needs to understand the "dark" side and what is happening there, but
prefer to live in the "light".
Question 5 - Tell me, what is your average day?
As a CISO there are many facets to the role, from daily operational
risk management to strategic projects with potential security
implications. There is an expectation that the CISO can divide their
activities between Run-the-Business and Change-the-Business tasks.
I really want to know what makes this person tick: what drives and
motivates them to get out of bed and make a difference. It would be
insightful to hear how well this is balanced and, when trade-offs are
required, what the CISO does.
Question 6 – What would your Cyber Security Strategy look like?
A tricky question, because it is critical. What I want to hear is a
longer-term vision of how vulnerabilities will be managed, with a strong
bias to action on the higher-risk items.
It is important to hear a story about how cyber security will be
addressed across people, process and technology. I would be very
worried if the CISO talked only about new technology as the answer to
the strategy question.
How the CISO plans to engage the business and ensure the function is proactive, not just reactive, is also critical.
Question 7 – How do you know that we have not already been compromised?
The glass-half-empty or half-full question: it never pays to be too
optimistic or too pessimistic in the CISO role. A degree of scepticism
without defensiveness is a winner in my view.
While you always want a degree of confidence, it has to be tempered
with caveats about where further action is needed. To me the ideal
answer is a mix of caution and a clear understanding of what we are
doing to check our own data, and the intelligence applied to looking
for patterns that may be clues that something is not right.
Question 8 – Have you tried already to test our Cyber Security defences?
This is a somewhat "loaded" ethical question. You do want a CISO who
is hands-on and understands hackers and hacking culture, but it depends
on how the question is actually answered.
If a CISO told me they had done a quick scan of the perimeter to
understand what they could learn as part of their due diligence, that
would be a great conversation starter, and I'd expect them to have a
few insights requiring further investigation and probing.
That would be a healthy response and acceptable in my view.
Question 9 – How do you manage interactions with the teams doing digital innovation?
As the CISO, they are going to be the villain in the relationship
with the Digital team, who are hell-bent on testing their proof of
concept as a Minimum Viable Product. Invariably this means taking
shortcuts and sticking to a hard schedule.
I'd want my CISO to be clear that they will personally ensure the
organisation manages these risks sensibly and will take a strong ongoing
monitoring role on each of these projects. That means having coffees
with the innovation teams in the early stages so that risks are
understood early and the CISO doesn't become the person who stopped the
project just before it was due to be piloted.
Question 10 – When sh*t happens, how will you keep me informed?
This is where you want maturity, a level head and an understanding
of the business impact to be front and foremost. I would be looking to
hear how they manage communications in a crisis and what mechanisms are
used, in particular how this integrates with business crisis management
and with other parts of IT.
You want a person who communicates freely during a crisis but also
understands the importance of the brand, so that "spin" is minimised
and attention is centred on root-cause analysis rather than covering
one's backside.
I'd also look for examples of leadership behaviour such as having the
team's back, so that they are not disturbed while restoration and
recovery efforts are completed.
The Interview
When you do the interview, the other key question is who to bring
onto the panel. The Head of IT Infrastructure and Head of Digital
Business would be two obvious candidates for me, but I'd also bring in
the COO to give a really clear "voice of the business". For me this is a
great opportunity for the new CISO to get a balanced view of the impact
and obligations of cyber security across all parts of the enterprise.
Good luck with the search. It is not going to be easy, as you want
that special combination of leader, technologist and networker who is
able to both "see" and "act". Give these questions a try and let me know
how you get on.
Most organisations have embraced mobility as a strategy to fully enable
their mobile workforces. In essence, this has meant that we have
striven to provide the remote worker with access to all the tools that we
have in the Headquarters.
In fact, with the trend to office refurbishments we have usually
removed any permanent desktop seating that mobile staff once
possessed, as we really want them to maximize their customer time.
As we push to digitize our operations and provide direct access for
your mobile workforce, what are the additional risks that you have to
manage?
Apps for your mobile workforce
In any vacuum, it is only natural that what emerges is ‘home grown’
and sometimes renegade IT apps.
Such applications are never taken through any
of the rigour of testing, nor would a penetration test typically be
part of the deployment.
That’s how a small mobile app can become a major risk for your organisation.
Bypassing normal security measures
Too often, I’ve heard of Shadow IT systems that have been implemented
without the right degree of professional scrutiny. Often these are
systems used by the remote mobile team.
In most cases the intention is not directly to bypass normal
security; it just happens. Often this manifests as really
simple things such as Administrator passwords that are default or don’t
expire.
Such lapses also occur in IT, but there the control
mechanisms of audit and risk management ensure that these gaps are
uncovered.
Good not Great
There are many enterprises that have adopted AirWatch, Good or one of
the other Mobile Device Management approaches. In essence these approaches
address the security requirement and bring it to a mobile phone or
tablet.
Some of these provide a good encrypted platform but really not a
great customer experience. Yes, it is secured, and when staff leave an
Administrator can wipe the entire device or just a part of it.
In essence, such solutions provide security for the mobile workforce but
are somewhat clumsy.
Lack of integration of Security
What I mean by this is that these options add an additional layer of
security above and beyond what is required at the device level. While
this makes sense, as it is always possible that one’s partner also knows
the device password, what is not taken into account is some of the
biometric security.
For instance, my iPhone has finger scanning and that’s the first line
of defence. But then I have to enter an additional password to access
my corporate email.
I’m just not sure why this can’t be integrated.
Who’s looking over your shoulder
I once worked at an organisation that insisted on any mobile device
having privacy screen filters. My first reaction was that this appeared
to be perhaps a tad over engineered.
However, having inadvertently seen fellow passengers’ emails and the like,
I realise that security of mobile workforces really takes an extra
level of paranoia.
We forget that mobile workforces end up working in the most random
locations, such as airport lounges, coffee shops and sometimes wherever a
good signal is available.
How secure are your mobile staff?
I’ve been the CIO of an organisation in which all laptops and USB devices
were encrypted. Given the sensitivity of that country to privacy laws,
there was a requirement that any loss of a single USB would require a
newspaper advertisement to apologise for the incident.
We all realise that losing a USB is really easy, and this is
multiplied by the size of the workforce. With encryption we were able
to avoid this embarrassing scenario.
Thankfully these stringent laws don’t apply in Australia. But what
remains is the question of how secure the work that your mobile
staff perform really is.
This week at a Big 4 Bank there was a presentation on Cyber Security.
The presenter, who was an ethical hacker, started by saying that he would
introduce himself and that he rarely does that. In the spirit of that I will
leave him unnamed.
Let’s call him Bob. Bob talked about his experiences in collecting 18
flags at DEFCON in Las Vegas a few years ago. This is the largest event
for hackers in the world.
Just for background on DEFCON, there was an article just two days ago
that talked about how DEFCON hackers were able to crack a new physical
Brinks safe in 60 seconds.
These guys are seriously good…
I don’t use any Social Media
Bob started by saying this, which brought some gasps from the
audience. He then went on to say that he does have a few hundred social
media accounts that use aliases.
So much for the concept of Real Names, which I note is being challenged by some countries, like Germany on Facebook recently.
For the DEFCON event Bob had a challenge to penetrate a large
multinational soft drink name and collect a series of pieces of information.
But first Bob spent a few weeks setting up and doing reconnaissance.
This included setting up a fake LinkedIn account as an IT Analyst for this
organisation.
Linking In
On assuming this alias on LinkedIn, Bob was able to gain access to
other people in that organisation. He noted that a CFO that he
connected with on LinkedIn even asked, since his PC was not working,
whether Bob could fix it.
You can see how amazingly easy it would be for a hacker to use social media engineering to gain access.
Just observe and listen
Bob was able to learn that there was a favourite pub near the
headquarters, and it was easy to just pick up information from being there.
One snippet that he learnt was that a KPMG audit had
just been completed.
These small pieces of information provided Bob with the material that enabled the deception.
Bob then called the Helpdesk.
“Hello, this is Fred. What’s your Employee Number?”
“Fred, how’s your day?” Fred mentioned that actually it’s not that
great, as he’d had an argument with his partner. Bob added after the
chatter that he would be happy to be a sounding board, as he had really
screwed up himself over the years.
Once warmed up, Bob went on: “Look, I’ve been asked by Tony to
follow up on the KPMG Audit.”
Tony used to be the Manager in this area, and
Bob had researched him on Facebook and noted that he had a new baby and
a really cute puppy.
On mentioning the baby and the puppy, Bob could sense that the trust
was increasing. “So could you help me out with a few questions?”
Collecting Flags
Bob’s goal was to collect 18 pieces of information about this organisation. This included:
- What company is used for file archives?
- What days are pay day?
- Is there wireless on site?
- What about the cafeteria?
The trick was that Bob was careful to listen to Fred’s voice for any
pauses and sense if there was any reluctance on the other end of the
line. Bob noticed that Fred might be getting suspicious and added, “Hey,
I’m going to be in town next week, can I buy you a beer at the pub?”
That was the clincher, as Bob had researched the types of craft beers,
and in mentioning his favourites there was a rewarming of the
conversation.
A little scary
The question is: what’s stopping this happening at your organisation?
Does your team realise how Social Media Engineering attacks happen?
I know that most Help Desk staff tend to be younger and usually
active on Social Media. Thus this formula would work in most
enterprises.
Yes, you should be concerned, and perhaps a mock social media
engineering attack is in order. There are Bobs out there that can help
you.
For any CSO or CIO, you are charged with protecting the enterprise.
That’s a significant responsibility, and you know darn well that your
reputation, indeed your role, depends on how well you can manage through
the issues that will arise.
How do you, with a limited budget, provide the protection that the Board and in particular the Risk Committee is expecting?
First, let me quote Salman Rushdie:
"There is no such thing as perfect security, only varying levels of insecurity."
Hmmm, that’s an interesting perspective, but there is truth and insight in that statement.
No such thing as Nirvana
I believe that indeed you can achieve good but never perfect. For
most things in life this is absolutely true, and IT Security is no
different. How then do you work out what is going to be ‘good’ enough?
Spend alone is not a good indicator of ‘goodness’. In most IT shops
we always install too many tools that overlap in functionality, and we
don’t often use these products to their full intended value.
Recently, in a discussion with a number of Architects, it was explained to me
that all three of a set of IT Security tools were mandatory and ‘must be’
in place. Of course, as you start to ask questions around why and how
come, you learn that actually one of these was ‘important’ and not
‘mandatory’.
The issue really isn’t about which tools to use. It is more about
clarity of purpose and knowing that every action is taking you towards
the required level of ‘good’.
Never declare victory
Yes, this is an endless journey and persistence is going to be an
incredibly important attribute. You can never say that the work is done;
the balance will be to recognize the progress and keep a strong
sense of self awareness of what is critical.
In IT Security, there will be constantly shifting sand around what is
the latest Malware or Advanced Persistent Threat (APT). This does take a
certain mentality that combines a degree of paranoia with a
structured thinking approach to understand where to apply one’s limited
bandwidth.
Never declare victory, as Murphy’s Law will always work against you. I
once saw the Chief Security Officer of a Big 4 Bank declare at an
external SIBOS event that his company had advanced security and ‘was in
great shape’.
While I was not working for that organisation, it made me squeamish…
Patching, Patching, Patching
I’ve seen so many cases of Security 101 being totally ignored, with
teams just too busy to do the simple things such as patching. The same
goes for all the usual audit chestnuts such as access control and
privileged access.
Show me a company that always does the simple things right over the
long term and I will award you a prize. Unfortunately human nature and
staff turnover end up with less than optimum results.
Then patching becomes a major finding… I can see you smile, as I’m
sure you have had this situation. There is always another priority that
trumps your activity to patch that server.
Machine Learning
The answer has to be that we need advanced analytics to detect and
respond to patterns of threats. In today’s world the CISO has to deal
with a continuous stream of data from various internal and external
sources.
There will be ‘too many false positives’, and the trick is to be able
to filter through the ‘noise’ and get on with correcting any real
vulnerabilities.
Big Data is in its infancy in many organisations, but this is a
domain where machine learning can make a massive difference.
Who’s Perfect?
That exactly is part of the problem: no one wants to admit to being
in a position of either strength or weakness. There is only downside in
declaring this, whether internally or externally.
This inability to measure best practice and replicate it means that the bad guys get a free kick.
But let’s remember that actually no one is perfect and that there are only different levels of insecurity.
Humans have always used a physical signature as a method of
verifying identity. Hence we sign contracts, and in the
past we used our (John Hancock) signature to access our bank accounts.
If I have a signed document, then it is attributed a degree of trust.
On the internet we have adopted Digital Certificates to provide a
similar level of assurance. This entails a third-party organisation
issuing a certificate, and holding it provides a proof point of your
identity. By this very act we have entrusted someone else to provide
this verification as a service. But let's realise that these Certificate
Authorities are not all the same.
Each issuing authority is a different organisation with its own cost structure, and
the actual price of a certificate can vary widely. Moreover,
each organisation's own approach to security can also vary
dramatically. It is not surprising, therefore, that you can't really trust a
Digital Certificate.
Who do you trust?
You want to use a Certificate Authority that has a good track record
of securing its own systems. This means that due diligence is required
to ensure that they have robust security and processes, and that they
haven’t issued improper certificates in the past.
We trust a certificate, and the implication of this trusted position
is the belief that code signed with it does not include anything malicious. This has
made it increasingly attractive for cyber intruders to invest
time in having their malicious code signed by a ‘trusted’ certificate.
Once the cybercriminals have gained access to the network of a software
manufacturer, they can introduce a malicious file into the build, and
hence the threat of a valid certificate with risky intent.
This has led to some of the largest organisations, such as Google,
having their share of incidents. Even organisations like the China Internet
Network Information Center (CNNIC) have been implicated in concerns
around some cyber attacks.
Man in the Middle
On the internet, we communicate with others through many tools and
channels. We inherently trust that the connection is secure, and unless
we see or hear something suspicious we will share our most personal
and private information.
Our messages from A to B are usually addressed to people
that we know. If your digital certificate is compromised, a ‘Man
in the Middle’ attack becomes possible: we think we are talking to B, but actually
our messages are being relayed through C. This alone is a high risk,
and then let's not forget that C can also change the message that you
receive.
Trust the Certificate?
This internet that we use every day has been established using Public
Key Infrastructure (PKI) as the foundation of trust. In reality every PC
connected has a list of trusted root Certificate Authorities. In turn
this has led to a ‘chain of trust’.
In banking apps we operate over a secure connection in which a
signed file is “trusted”. Digital certificates are used to secure
websites and also to secure email. When a browser is confronted with an
HTTPS server presenting an untrusted server certificate, it will generate an
immediate warning.
The problem is the assumption that we have entrusted the
Certifying Authority to only issue certificates to appropriate users.
There are many documented examples of organisations that, by
possession of a certificate, have been able to mount a man in the middle
attack.
In effect, ownership of a certificate creates a scenario in which the
system is seen as valid. In normal cases this is exactly as designed.
The problem is when this falls into the wrong hands.
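As an added example (it is not part of the original post), the Go program below uses the standard library's crypto/x509 package to act out the chain-of-trust check a browser performs on connect, covering both the ‘Man in the Middle’ and ‘Trust the Certificate?’ points above. It constructs its own throwaway root CAs and leaf certificates in memory (the names Good Root CA, Rogue Root CA, bank.example and shop.example are made up for this example) and shows four outcomes: a genuine certificate from a trusted root is accepted; an impostor certificate from a CA outside the trust store is rejected with an unknown-authority error; a genuine certificate presented for the wrong host name is rejected; and the same impostor is accepted the moment its CA has been slipped into the trust store. The last case is the crux of the section: the certificate machinery works exactly as designed, so what you are really trusting is the root store and the issuing practices behind it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check aborts the example on setup failures (key generation, encoding),
// which are not the security outcomes we are examining.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for the given common name. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parent.
// This is a toy issuer constructed for the example, not a real CA's process.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // strictly positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server certificate names the host it is valid for (SAN entry).
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// VerifyServerCert does what a browser does on connect: build a chain from the
// presented leaf to a root in the trust store and check the host name matches.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome records the four situations discussed in the text.
type Outcome struct {
	TrustedAccepted         bool // genuine server, its CA is in the trust store
	UnknownCARejected       bool // impostor "C" holding a certificate from a CA we do not trust
	WrongHostRejected       bool // valid certificate, but issued for a different name
	CompromisedRootAccepted bool // the same impostor once its CA is in the trust store
}

// RunScenarios builds a good root, a rogue root and a leaf from each, then
// evaluates them as a client connecting to bank.example would.
func RunScenarios() Outcome {
	goodCA, goodKey := issue("Good Root CA", true, nil, nil)
	rogueCA, rogueKey := issue("Rogue Root CA", true, nil, nil)
	genuine, _ := issue("bank.example", false, goodCA, goodKey)
	impostor, _ := issue("bank.example", false, rogueCA, rogueKey)

	roots := x509.NewCertPool() // the client's trust store: only the good root
	roots.AddCert(goodCA)

	var out Outcome
	out.TrustedAccepted = VerifyServerCert(genuine, roots, "bank.example") == nil

	var unknown x509.UnknownAuthorityError
	out.UnknownCARejected = errors.As(VerifyServerCert(impostor, roots, "bank.example"), &unknown)

	var badHost x509.HostnameError
	out.WrongHostRejected = errors.As(VerifyServerCert(genuine, roots, "shop.example"), &badHost)

	// A root that should never have been trusted makes the impostor look valid.
	roots.AddCert(rogueCA)
	out.CompromisedRootAccepted = VerifyServerCert(impostor, roots, "bank.example") == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Running it prints all four fields as true. Note that a real client's trust store is far larger than one root, and every entry in it carries the same weight as Good Root CA does here, which is why the due diligence on issuers discussed above matters more than the cryptography.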
Gaps in Process and System create risk
Each Certificate Authority has to maintain vigilance and ensure that
its systems are secured. Its own internal processes also need to be
robust, so that certificates are only issued to validated parties. This
process could include some element of second- and third-factor
authentication so that only registered email addresses or phone numbers
can request certificates.
At the end of the day, this can be susceptible to the human factor,
and we know that this can result in variance from what is supposed to
happen. We all trust our fellow humans to a different degree, and I think
we have to use that same judgment when it comes to different
Digital Certificates and the organisations through which we process them.