When It All Goes Pete Tong…

Murphy’s Law states:

“If something can go wrong, it will go wrong”

Many CISOs will also state:

“it is not a case of if you have been breached, but rather that you have, you just don’t know it yet”

Depressing as both statements sound by themselves, put them together, and you enter into a worldview of doom and gloom from which it is hard to crawl. It doesn’t matter what you do; there will always be a breach and multiple mistakes in your team. These factors create a perfect storm for finding a new job relatively quickly.

But there is hope. When you start a new role or join a new company, there is one thing that needs to be in place before anything else: the Incident Management Plan*. In all but the most security-mature organisations, any improvements you put into place will take months and years to bear fruit, during which time a disaster can strike without notice (the unknown unknowns hitting at an unknown time, if you will). Making sure you have a plan to fall back on at a moment’s notice gives you the space and time to respond appropriately while still being able to focus on the more fundamental changes you have in mind for the organisation.

But what to put into these plans? There are a few key points that should always be adhered to whenever writing a response plan:

Keep it Simple

Human beings are emotional sacks of meat and adrenalin when things go wrong. They can simultaneously be forgetful, angry, scared, sad, and even stupid. Therefore, your plans, and by association your writing and grammar, need to be as simple as possible. It’s not an easy task and will require many edits, reviews and rewrites, but simplicity is your friend during a confusing and rapidly changing situation.

Keep it Flexible

Extending the first point, you also cannot create a prescriptive document. If you define every action based on a specific input, your plan will fail when that particular input isn’t present. The plan needs to work on the principles of what must occur during an incident rather than the specifics of what needs to be done. It is useful, for instance, to focus on roles and responsibilities rather than activities; in this way, someone is accountable for “public communications”, and how they achieve that is up to them, because the plan does not define it.

Know What’s Important

This is another way of saying, “Understand your critical services”. These services could be technology-based, process-focused or even role/person-specific. During an incident, the immediate focus is to get the bare minimum of services/capabilities/business operating again as quickly and safely as possible. Going back to Business As Usual is for later on. You need to know what the bare minimum is in order to achieve it.

The ISO 22301:2019 – Security & Resilience – Business continuity management systems standard is a great place to start to understand the mechanics of this element in more detail (and great for this topic as a whole).

Collaborate While Creating

It never ceases to amaze me how often plans like this get created in isolation across companies, divisions and departments. What that means, more often than not, is a competition for resources because they all assume they will have exclusive access to the resources required to see them through a crisis just because they have a plan.

Ideally, there should be a single master plan for the organisation that allows each discrete business area to manage their plans (essential in larger organisations). Then, all of these plans and their requirements are fed back into the overarching strategy to carry out capacity planning and coordination more effectively and efficiently.

Multi-channel Sharing and Education

This is the one time I will permit using a few trees to print out your plans. Electronic documents are still valuable and should be saved in different formats and on other devices and platforms (for redundancy, obvs). Have paper copies of the entire document, in addition to aide-mémoires, laminated “cheat sheets”, credit card numbers and any other creative approaches to ensuring the needed information is always available. Remember, this is a time of crisis; your laptop may be burning down with your building, and your phone may be out of battery with nowhere to charge. Base your communication and distribution methods on the assumption of Murphy’s Law above.

Test the Plan, Learn and Review

You must test the plan as much as possible, especially while creating it. If you feel brave enough, you can have a tabletop walkthrough or pull the plug on a data centre. Some third-party services allow you to test your plan in a virtual space using specialised communications tools that are even more realistic. Whatever the case, every time you test it, review it and feed the findings back into the plan. Even a slight improvement could make all the difference.

Test the Plan Again

Did I mention testing? Even if you have a real-life crisis, use the learnings and feedback to improve the plan again. Every opportunity to stress the crisis plan, people and procedures must happen.

Test it Again

It must be tested, whatever happens, at least once a year, and reviewed yearly. You will be surprised at how much your business changes over a year: a process may be updated, people and roles change, and telephone numbers and email addresses are frequently updated. If your plan doesn’t reflect even these simple changes, it is more likely to fail.

The Holy Trinity Mantra

Finally, if in doubt, remember these three elements of your plan. I like to ensure they are seen through in this order, but you may feel differently according to your business and how it operates. (If people aren’t number one on your list, take a long, hard look at yourself.) Nonetheless, the Trinity remains the same.

  1. Focus on People – without your people, you have no business to speak of, recovered or otherwise.
  2. Focus on Facilities – even with just a pen, paper, telephone, and somewhere to work, your people can work miracles in keeping the business afloat. Keep them safe, secure and happy.
  3. Focus on Technology – get the systems running to take the strain off the people. This may take days or weeks, depending on the incident. Ensure your critical systems are running first, and that includes payroll. Paid people pull together in a crisis. Unpaid people don’t.

Hopefully, you will never have to use the plan, but if you do, feeling prepared for anything is a powerful way to ensure your best work on everything else on your list. Knowing that you have it ready to go is like remembering to take your umbrella with you when you leave the house. Because you have it, it isn’t going to rain; mildly annoying but so much better than getting caught in a monsoon in your best work attire.

*Also known as the Crisis Management Plan, Business Continuity Plan, When It Hits The Fan Plan, or any other variable that works for you, your company, and your business culture.


We Have Both Types of Teaching Here; Education AND Awareness

It is an accepted truth (trust me, I am a professional) that security is often seen as just a technical profession; firewalls, DLP, DMARC, SFTP and TLAs (Three Letter Acronyms) are thrown around with gay abandon. Being resilient is a matter of hardening the OS, having a SOC fully staffed, and running the industry’s latest SIEM services. CISOs should be technical and know all of the TPLAs (Three Plus Letter Acronyms), having spent their formative years in their mother’s basement while they hacked the Pentagon/GCHQ/Kremlin.

It may surprise you that I dislike this approach and viewpoint.

I found a wonderful quote on (where else?) the internet that, unfortunately, I cannot attribute to anyone. So, if you know where this comes from, please do tell me:

“People aren’t the weak link in security; they are the ONLY link.”

(Unknown)

Information security is primarily a people industry. Technology isn’t a panacea but merely an accelerant and amplifier of the existing processes and solutions. Without the people, there is no information to secure in the first place. If we, as CISOs and business leaders, don’t embrace and support our people, we make our jobs so much more problematic when securing the business and helping it do more, sell more, and create more.

So, in my usual style, here are the three things I suggest everyone who has “people” in their business and is responsible for education in one form or another should bear in mind.

Crowd Sourcing

So many of us (I know I did for the longest time) overlook the rather undeniable fact that having many people means they can all carry a small part of the security load. Crowdsourcing works because many people put a small amount of something in to help someone else build something big. You can make this approach work for you in several different ways.

Firstly, approach certain people to be “super contributors” to your infosec crowdsourced campaign. These are the folks that are your primary eyes and ears on the ground, the folks that people go to when they have an immediate problem. Think of them as the cyber first-aiders, if you will, with a few of them dotted around each floor or department.

Give them some face-to-face training if you can or at the least some detailed role briefing notes. They are doing this role because, like first-aiders, they want to help people and be a part of the solution. Reward them with a token monetary compensation, some swag, recognition or whatever fits into your organisational culture.

Secondly, the rest of the people in the organisation can also be encouraged to play a part; connect their ability to spot phishing and social engineering, and to report incidents and breaches, to their role in the organisation and its successes. Finally, make it fun (see below), make it engaging and make it educational.

Doing that is, of course, an essential subject in and of itself, but the real message here is to embrace what you might see as your biggest weakness as your biggest strength. Making this leap of faith in your mind means your approach to training, problem-solving, and how you address the people in your organisation changes to positive and collaborative rather than cynical and combative.

Story Telling

Storyteller is probably the second oldest profession in the world; we can easily imagine stories being told from one generation to the next around the campfire. Before the written word was used, it was vital that, before Grandpa died, he told us the secret to successfully hunting that particular breed of rabbit/buffalo/mammoth (depending upon what part of the world you came from).

And yet we can also imagine that hearing the same story over and over again, night after night, while Grandpa gets slowly drunk on his fermented yak’s milk, becomes quite tedious. His tales of derring-do and athletic ardour, as he leapt onto the back of the killer rabbit, became very tiresome after the 954th time. And then last night, as he was getting carried away with the demonstration of his rabbit chokehold, he broke wind. Not only was that the version of the story you passed on to your children, but it was also the birth of the third oldest profession: Comedian (probably).

I am a huge fan of humour in the workplace, especially when it comes to educating people; a good joke conjures up images, feelings, experiences, and smells. But, above all, it is a story. Stories help people create worlds in their minds, relate their experiences to those worlds, and establish a visceral feeling in their bodies, an actual chemical change. Of course, there are few guarantees in this world. Still, one I pass on with a cast-iron guarantee is that no positive, memory-creating chemical changes in any brain anywhere in the world were created by putting people in a room and shouting PowerPoint at them for an hour.

The lesson here is that a good story goes a long way to helping people retain the information; build your message with a strong start, a fantastic middle and a resounding end, and you have the makings of impactful and memorable education.

Don’t Stop

“Oh no, it is that time of year again; we must do our security training”.

Don’t be this company. If you do something once a year because you have to, it becomes an obstacle, something that needs to be completed quickly and with as little effort as possible so you can get on with the fun stuff.

If educational activities in the rest of our lives are continual activities, then why do we not apply this to our infosec training? Of course, it is not an educational experience that people have opted into, but keeping a cadence of activities that goes beyond a single annual event works. Ensuring the format changes and evolves, so it isn’t just posters all year round but lunch and learns, videos, emails, intranet, competitions, and the like, means people who struggle to learn in one format can pick it up in another. It also keeps them on their toes, wondering what the next activity is, piques their interest and keeps them engaged.

Try creating a 24-month schedule of activities and subjects; it’s not easy, but even having that schedule open and visible allows you to think much more long-term rather than just at a compliance, box-ticking level. Of course, you can still do quizzes (so many auditors and standards require that kind of box-ticking, unfortunately), but by avoiding the one-shot PowerPoint training and ten easy-to-guess questions, you are keeping the content new and fresh. You are also building a reputation as someone who cares about the educational process and the positive outcomes it brings, not just ticks in boxes.

Wrestling Rabbits can be fun AND educational.


CISO Basics, Part 2

In the last post, I looked at some of the less apparent activities upon becoming a new CISO, namely:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

In this post, we will take this a step further and closer to actual business as usual and maintaining your security team as a functional part of the organisation.

Don’t say “NO!” to everything.

This is an obvious thing to do, but it is much harder to do in practice. The reality is that this requires a complete change in mindset from the traditional view of the everyday CISO. As a species, the CISO is a defensive creature who is often required to back up every decision and be the scapegoat of every mistake (see One CISO, Three Envelopes https://thomlangford.com/2014/12/01/three-envelopes-one-ciso/) and generally rubber-stamp choices that are out of their bailiwick and control.

The mindset shift requires a leap of faith precisely because of this perceived threat of blame and accountability when, in fact, it does just the reverse.

It starts naturally enough with the language used by the CISO and the team: for instance, renaming the Change Approval meeting to the Risk Review meeting, and not communicating a yes/no or go/no-go response to changes but rather the level of risk associated with the request and alternative approaches as appropriate. There is a need to communicate this shift in the culture, of course, but people will see that they, not the security team, are accountable for decisions that affect the business. Shifting the mindset away from being a gatekeeper to a security team that provides sensible and straightforward advice based upon clearly understood risk criteria is a fundamental step towards avoiding being known as the Business Prevention Unit. Politely correct others’ language when they mention an action that requires sign-off or approval from “Security” and help them understand their role in the business decision.

This approach will not make 50% of the problems go away with a snap of the fingers. Still, carefully planning and educating your stakeholders alters the impact you can have on the business dramatically for the better. It also allows you to more easily draw a line between the activities of the security team and the company’s performance, all for the price of merely no longer saying “no”.

Stop Testing Your Perimeter

What? Are you serious?!

Absolutely.

As you enter a new environment, you will be taking many critical pieces of information on trust and from people with vested interests in their careers, livelihoods and reputations. Your arrival upsets the status quo and has the potential to disrupt the equilibrium; all reasons to not always be forthcoming with every piece of information you request. It isn’t about people being dishonest or deliberately misleading you, but merely being complex, multi-faceted human beings with multiple drivers and influences.

Your perimeter is one of the fundamental pieces of your information security puzzle. Despite cries of “the perimeter is dead”, it remains a prominent place for attacks to happen and where you should feel fully confident that you know every node in that environment to the best of your ability.

Whatever your testing cycle is, suspend it for some time and conduct as complete an investigation as possible into precisely what your perimeter comprises. It can be done automatically with discovery tools, manually through interviews with those responsible, visually in data centres (where you have old school “tin” still being used), and any combination of the above. You will likely find devices that you, and probably existing team members, weren’t aware of, especially with the proliferation of Internet of Things devices being used throughout the enterprise now. Did facilities install a new access control system or room booking system? Did they consult IT, or more to the point, you?

It sounds like the stuff of legend or the script to the Ocean’s 11 movies, but do you remember when a Las Vegas casino was broken into… through their fish tank? Knowing what devices are where on your network and perimeter is vital and must be considered table stakes in any decent security programme. The alternative is simply a form of security theatre that gives the impression of security and does nothing but create a false sense of it. Skipping a testing cycle is worth it to discover what you don’t know, because you can then do something about it.

Building your plan

Now you have a grip on your environment in a relatively straightforward, simple, effective and quick way. Through this process, you will ascertain your stakeholders, advocates and even a few potential adversaries. Then, armed with this information, you can provide an accurate picture of the business to the business in a way that makes sense and displays a grasp of the fundamentals.

Building your plan will always start with your initial assessment and what needs to be done to become operational or steady-state. The trick, however, is to ensure that this baseline achievement is not perceived as the end state of security but rather merely the first stepping stone to ever more impressive services, capabilities and, ultimately, profit and growth for the company.

The plan itself, however? That is yours and yours alone. Although other posts in this blog will help as you plot your course into the future, nothing will replace your understanding of the local culture, organisation and, ultimately, what you need to achieve to meet the expectations of the business leadership. Know what the rules of your organisation are, when to adhere to them, when to bend them, and most importantly, when to break them (but only when experience tells you it is the right thing to do):

“The young man knows the rules, but the old man knows the exceptions.”

Oliver Wendell Holmes

Be the Old Man, be the CISO.
