You, Me, and Dystopia

We all remember the Ocean’s 11 styles of antics that criminals can emulate to gain access to IoT devices and, subsequently, the enterprise network on which they are hosted. It may have been an isolated incident, but it underscores that ANY vulnerability can be exploited.

The question of “why should we be bothered now?” begs to be answered, given that these risks have been around for a long time. But, interestingly, the 2020 COVID lockdown (and subsequent ones) and the impacts it had on the supply chain may help us to answer this question with surprising clarity.

Do you remember how difficult it was to get hold of toilet paper, pasta and hand gel in March of 2020? Panic buying meant that the supply chain struggled to meet demand; combined with the “just in time” supply models employed by most manufacturers and retailers, stocks were diminished quickly with no replenishment in sight. So far, so what, right?

According to the UK’s Office for National Statistics, there are well over 8,000 small to medium sized food suppliers in the UK (probably exacerbated by the gig economy as well). How many companies of this size do you know of that have a robust cybersecurity programme in place?

This puts them at a significant disadvantage when it comes to recognising a cyber-attack and defending against it. Given the fish tank scenario from my last blog, it is no stretch of the imagination to see circumstances whereby chilled and perishable goods are sabotaged and destroyed, either in situ or in transit. Remote monitoring is rapidly becoming the norm and will reduce costs and effort, something any small business would jump at. So protecting these environments, the sensors, and the control devices from the get-go becomes critical.

The incentives to disrupt and destroy the supply chains are sometimes manifest, but only occasionally. Terrorism, both domestic and international, will always try and attack a nation’s weakest point. But there are other threats to consider as well.

The (fairly) recent global lockdowns and various actions carried out by governments worldwide have changed the business and planetary ecosystem, and not always for the better. Without commenting on the politics of the situations themselves, activism has been on the rise globally, with people taking to the streets to defend their particular viewpoints and air their grievances.

The hacker group, Anonymous, are the epitome of so-called “hacktivism”, using their collective skills to disrupt and expose governments and corporations. Their particular flavour of activism involves attacking their targets and exploiting their weaknesses for political and social leverage. So again, it doesn’t take a leap of the imagination to see these current troubling times being a catalyst for more hacktivism, attacking vulnerable supply chains through their reliance on IoT technology.

The positive impact of technology always needs to be balanced against the sociological and cultural impractical it may have, as well as the environment in which it operates. With the commoditisation of security testing capabilities and offensive technological tools, the ability to attack and exploit weaknesses in the supply chain becomes open to the general populace. If that populace suffers a more significant division of wealth and disenfranchisement, the risk of the supply chain being attacked is greater.

Ocean’s 11 suddenly becomes The Hunger Games; the implications of an insecure supply chain vulnerable to attack can have severe consequences for what we consider to be our ‘normal’ lives. So taking precautions now to protect our society’s lifelines must be imperative.

Links to other interesting stuff on the web (affiliate links)

Introducing Cyber Advisor

BSidesAustin 2023: CyberSecurity In The Texas Tech Capital

Understanding ‘Lone Wolf’ Attacks Dissecting and Modeling 2022’s Most Powerful Cyber Attacks


Beer, PowerPoint and Politics

Gone are the days when being a CISO (or even just ‘the security guy/gal’) was about actual information security or IT security. Even the term IT Security is outdated now and emphasises a one-dimensional view of what security is really about. However, I digress…

The Information Security element of CISO is correct, but for various reasons, the CISO’s role is very different from what it was a decade ago. The role then required a strong technologist who understood the firewalls, their rules, the cryptographic controls and even how to code hotfixes on the fly. This isn’t surprising given the role almost wholly came from an IT background; after all, back in the day, mere lip service was paid to the human element, and the legal considerations were considered simply “someone else’s job”.

I was often asked what my job as a CISO entailed, and because I didn’t initially understand what I had actually got myself in for when I took on my first CISO job I used to jokingly say;

PowerPoint and politics

Me. Back Then.

The odd thing is that this response is not far from the truth. My role became significantly less about my understanding of specific niches of information security knowledge and more about putting across to the business what this information security lot was all about and how it helped the company stay competitive, out of trouble or even just in business. The more I was doing this, the more I was embroiled in the day-to-day machinations of how a business works and the inescapable conclusion I came to was this; even if information security is seen as essential to the business, it is still just one voice of many that are trying to influence, cajole and be heard.

Moreover, this is where the politics come in, unfortunately. It is human nature and the way of businesses around the world. Politics is everywhere, and any CISO who doesn’t see and at least understand what is going on is, at best, going to be ignored and, at worst, eaten alive.

Which brings me to my second quote from me (well, it makes attribution a whole lot easier, doesn’t it?);

The purpose of a CISO is not to make the company more secure per se, but rather to help it sell more beer/widgets, increase shareholder value (as appropriate), and let the business make risky decisions more easily… through the judicious use of security

Me, Just now. Again.

The CISO should not be concerned with the name on the front of the firewall or the specifics of the latest penetration test. Instead, they should focus on how best to align their security services to the business and ensure security isn’t just a cost centre but a capability that allows teams and the company to run faster, more efficiently, and with less risk.

That doesn’t take technical knowledge; that takes strategic and business knowledge.

Links to other interesting stuff on the web (affiliate links)

Shift Gears: How to Leverage Data-Centric Security Controls in AWS

Changes to the OWASP API Security Top Ten 2019 to 2023

Cybersecurity as an Operational Effort


When It All Goes Pete Tong…

Murphy’s Law states:

“If something can go wrong, it will go wrong”

Many CISOs will also state:

“it is not a case of if you have been breached, but rather that you have, you just don’t know it yet”

Depressing as both statements sound by themselves, put them together, and you enter into a worldview of doom and gloom from which it is hard to crawl. It doesn’t matter what you do; there will always be a breach and multiple mistakes in your team. These factors create a perfect storm for finding a new job relatively quickly.

But there is hope that when you start a new role or join a new company, there is one thing that needs to be in place before anything else; the Incident Management Plan*. In all but the most security mature organisations, any improvements put into place by you will take months and years to bear fruit, during which time a disaster can strike without notice (the unknown unknowns hitting at an unknown time, if you will.) So making sure you have a plan to fall back on at a moment’s notice gives you space and time to respond appropriately while still being able to focus on the more fundamental changes you have in mind for the organisation.

But what to put into these plans? There are a few key points that should always be adhered to whenever writing a response plan;

Keep it Simple

Human beings are emotional sacks of meat and adrenalin when things go wrong. They can simultaneously be forgetful, angry, scared, sad, and even stupid. Therefore your plans, and by association, your writing and grammar, need to be as simple as possible. It’s not an easy task and will require many edits, reviews and rewrites, but simplicity is your friend during a confusing and rapidly changing situation. 

Keep it Flexible

Extending the first point, you also cannot create a prescriptive document. If you define every action based on a specific input, your plan will fail when that particular input isn’t happening. The plan needs to work on the principles of what must occur during an incident rather than the specifics of what needs to be done. It is useful, for instance, to focus on roles and responsibilities rather than activities; in this way, someone is accountable for “public communications”; how they achieve that is up to them, but the plan does not define it.

Know What’s Important

This is another way of saying, “Understand your critical services”. These services could be technology-based, process focussed or even role/person-specific. During an incident, the immediate focus is to get the bare minimum of services/capabilities/business operating again as quickly and safely as possible. Going back to Business As Usual is for later on. You need to know what the bare minimum is to achieve it.

The ISO 22301:2019 – Security & Resilience – Business continuity management systems standard is a great place to start to understand the mechanics of this element in more detail (and great for this topic as a whole).

Collaborate While Creating

It never ceases to amaze me how often plans like this get created in isolation across companies, divisions and departments. What that means, more often than not, is a competition for resources because they all assume they will have exclusive access to the resources required to see them through a crisis just because they have a plan.

Ideally, there should be a single master plan for the organisation that allows each discrete business area to manage their plans (essential in larger organisations). Then, all of these plans and their requirements are fed back into the overarching strategy to carry out capacity planning and coordination more effectively and efficiently.

Multi-channel Sharing and Education

This is the one time I will permit using a few trees to print out your plans. Electronic documents are still valuable and should be saved in different formats and on other devices and platforms (for redundancy, obvs). Having paper copies of the entire document, in addition to aide memoirs, laminated “cheat sheets”, credit card numbers and any other creative approaches to ensuring the needed information is always available. Remember, this is a time of crisis; your laptop may be burning down with your building, and your phone may be out of battery with nowhere to charge. Base your communication and distribution methods on the assumption of Murphy’s Law above.

Test the Plan, Learn and Review

You must test the plan as much as possible, especially when creating it. If you feel brave enough, you can have a tabletop walkthrough or pull the plug on a data centre. Some third-party services allow you to test your plan in a virtual space using specialised communications tools that are even more realistic. Whatever the case, every time you check it, review it and feed the findings back into the plan. Even a slight improvement could make all the difference.

Test the Plan Again

Did I mention testing? Even if you have a real-life crisis, use the learnings and feedback to improve the plan again. Every opportunity to stress the crisis plan, people and procedures must happen.

Test it Again

It must be tested, whatever happens, at least once a year, and reviewed yearly. You will be surprised at how much your business changes over a year; a process may be updated, people and roles change, and telephone numbers and email addresses frequently updated. If your plan doesn’t reflect even these simple changes, it is more likely to fail.

The Holy Trinity Mantra

Finally, if in doubt, remember these three elements of your plan. I like to ensure they are seen through in this order, but you may feel differently according to your business and how it operates. (If people don’t list as number one on your list, take a long, hard look at yourself.) Nonetheless, The Trinity remains the same.

  1. Focus on People – without your people, you have no business to speak of, recovered or otherwise.
  2. Focus on Facilities – even with just a pen, paper, telephone, and somewhere to work, your people can work miracles in keeping the business afloat. Keep them safe, secure and happy.
  3. Focus on Technology – get the systems running to take the strain off the people. This may have taken days or weeks, depending on the incident. Ensure your critical systems are running first, and that includes payroll. Paid people pull together in a crisis. Unpaid people don’t.

Hopefully, you will never have to use the plan, but if you do, feeling prepared for anything is a powerful way to ensure your best work on everything else on your list. Knowing that you have it ready to go is like remembering to take your umbrella with you when you leave the house. Because you have it, it isn’t going to rain; mildly annoying but so much better than getting caught in a monsoon in your best work attire.

*Also known as the Crisis Management Plan, Business Continuity Plan, When It Hits The Fan Plan, or any other variable that works for you, your company, and your business culture.

Links to other interesting stuff on the web (affiliate links)

How to Upskill Your Cybersecurity Team

The AWS Security Cheat Sheet

Think Before You Share The Link


CISO Basics, Part 2

In the last post, I looked at some of the less apparent activities upon becoming a new CISO, namely:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

In this post, we will take this a step further and closer to actual business as usual and maintaining your security team as a functional part of the organisation.

Don’t say “NO!” to everything.

This is an obvious thing to do, but it is much harder to do in practice. The reality is that this requires a complete change in mindset from the traditional view of the everyday CISO. As a species, the CISO is a defensive creature who is often required to back up every decision and be the scapegoat of every mistake (see One CISO, Three Envelopes https://thomlangford.com/2014/12/01/three-envelopes-one-ciso/) and generally rubber-stamp choices that are out of their bailiwick and control.

The mindset shift requires a leap of faith wholly because of this perceived threat of blame and accountability when, in fact, it does just the reverse. 

It starts naturally enough with the language that is used by the CISO and the team, for instance, changing the Change Approval meeting to the Risk Review meeting and not communicating a yes/no or go/no-go response to changes but rather a level of risk associated with the request and alternative approaches as appropriate. There is a need to communicate this shift in the culture, of course, but people will see that they are accountable for decisions that affect the business, not the security team. Shifting the mindset away from being a gatekeeper to a security team that provides sensible and straightforward advice based upon clearly understood risk criteria is a fundamental step towards avoiding being known as the Business Prevention Unit. Politely correct other’s language when they mention an action that requires sign-off or approval from “Security” and help them understand their role in the business decision.

This approach does not require a snap of the fingers for 50% of the problems to go away. Still, carefully planning and educating your stakeholders alters the impact you can have on the business dramatically for the better. It also allows you to more easily draw a line between the activities of the security team and the company’s performance, all for the price of merely no longer saying “no”.

Stop Testing Your Perimeter

What? Are you serious?! 

Absolutely.

As you enter a new environment, you will be taking many critical pieces of information on trust and from people with vested interests in their careers, livelihoods and reputations. Your arrival upsets the status quo and has the potential to disrupt the equilibrium; all reasons to not always be forthcoming with every piece of information you request. It isn’t about people being dishonest or deliberately misleading you, but merely being complex, multi-faceted human beings with multiple drivers and influences.

Your perimeter is one of the fundamental pieces of your information security puzzle. Despite cries of “the perimeter is dead”, it remains a prominent place for attacks to happen and where you should feel fully confident that you know every node in that environment to the best of your ability.

Whatever your testing cycle is, suspend it for some time and conduct as complete an investigation as possible into precisely what your perimeter comprises. It can be done automatically with discovery tools, manually through interviews with those responsible, visually in data centres (where you have old school “tin” still being used, and any combination of the above. You will likely find devices that you, and probably existing team members, weren’t aware of, especially with the proliferation of the Internet of Things devices being used throughout the enterprise now. Did facilities install a new access control system or room booking system? Did they consult IT, or more to the point, you?

It sounds like the stuff of legend or the script to the Ocean’s 11 movies, but do you remember when a Las Vegas casino was broken into… through their fish tank? Knowing what devices are where on your network and perimeter is vital and must be considered table stakes in any decent security programme. An alternative is simply a form of security theatre that gives the impression of security and does nothing but create a false sense of security. A cycle of no testing is worth discovering what you don’t know because you can do something about it.

Building your plan

Now you have a grip on your environment in a relatively straightforward, simple, effective and quick way. Through this process, you will ascertain your stakeholders, advocates and even a few potential adversaries. Then, armed with this information, you can provide an accurate picture of the business to the business in a way that makes sense and displays a grasp of the fundamentals.

Building your plan will always start with your initial assessment and what needs to be done to become operational or steady-state. The trick, however, is to ensure that this baseline achievement is perceived as the end state of security but rather merely the first stepping stone to ever more impressive services, capabilities and ultimately, profit and growth for the company.

The plan itself, however? That is yours and yours alone. Although other posts in this Blog will help as you plot your course into the future, nothing will replace your understanding of the local culture, organisation and, ultimately, what you need to achieve to meet the expectations of the business leadership. Know what the rules of your organisation are, when to adhere to them, when to bend them, and most importantly, when to break them (but only when experience tells you it is the right thing to do):

“The young man knows the rules, but the old man knows the exceptions.” 

Oliver Wendell Holmes

Be the Old Man, be the CISO.

Links to other interesting stuff on the web (affiliate links)

5 Ways Penetration Testing Reduces Overall Security Costs

Avoiding Security Theater: When is a “Critical” Really a Critical?

Game of Life Security and Compliance Edition


CISO Basics, Part 1

So you want to be a CISO? Perhaps you want to be a better CISO? In many cases, you could pick up a book, attend a conference or even talk to some peers and colleagues. Of course, there will be some good advice in these approaches too, but you don’t want to be just any CISO; you want to be THE CISO.

Across two blog posts, I will look at some of the more unexpected but necessary activities you can do from the moment you start in a new role or start with a new approach to being a CISO. Some may be counterintuitive; some may be a little odd, and you may even disagree with a few. But, whatever you feel about them, they should start you thinking about different ways to approach your role and how you see the contributions you make.

In summary, in this particular post, you will learn to:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

Stop Thinking InfoSec is Your Business

As a CISO, your primary purpose is not to secure the business; as odd as that may sound, it simply isn’t. Instead, the objective of a company is to sell more stuff, increase profit and maximise shareholder value (there are exceptions such as charities, government and the like, but they still have goals that include maximising value nonetheless).

If that is the case, your purpose is to help it achieve that goal through your activities. However, if you put your (security) activities ahead of those of the business, you are, ergo, hindering its ability to achieve its goals. So flip the situation around and ensure that when you come into the picture, you are fully cognizant of what your organisation does, its goals, ambitions and vision. Then, look at how your security team can make that a reality. Simply slapping security measures onto the business without regard for its purpose and intent will, at best, cause friction and disgruntlement and, at worst, diminish its business operations.

Read the company report, talk to the CFO, talk to people on the shop floor, the road warriors, delivery leadership, and, wherever possible executive leadership. Understand where the business came from, its roots, its beginnings, the founding values and vision, and even how it has evolved (if at all) over the years. By doing this, you will understand how you and your security team can help. Then, and only then, can you start to build your services and security posture.

Stop Your Technology Purchases

Unless the ink is drying on the cheques, you should pause purchasing until you have a better idea of the business. This makes completing the first step all the more critical, as some of the purchases may be vital. However, purchasing something that aligns differently with your new way of thinking about the business makes no sense, and significant amounts of money can be wasted and misdirected.

You may find much pushback from various stakeholders in the business, mainly as their pet projects and mini-kingdoms rely on those purchases. As a result, you are stymying their efforts and potentially making them look bad. Your long-term security strategy, though, depends on solid business cases supporting sensible purchasing decisions that will actively help the company and its long-term goals. Anything else is a distraction and can drain the company’s resources.

Ask your vendors to explain what you have in your services inventory

Why would you ask your vendors what they have sold you? Surely you know that already. Probably not, actually, and it is down to human nature as to why.

Purchases and contracts entered into may have supported failed initiatives or even not been appropriately implemented at all. This so-called “shelfware” is an issue in many companies, supported by 451 Research in 2014 (https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf), with an evident rise in the problem when it comes to larger organisations. Asking your vendors for a catalogue of services will reap more accurate results as they have a vested interest in maintaining correct records as they charge you for their services (even if you use them or not). Any vendor worth dealing with will happily sit down with you and discuss what they have sold you and what value it brings. If they don’t, alarm bells should be ringing!

Armed with this information, you can start to build a picture of technology services in the company and ascertain what is shelfware, what is used effectively, and what isn’t. At this point, and no earlier, should the old purchasing go live again, minus the services that provide little to no value to the company.

These basics will be challenging because you will be pushing against the weight of expectations from other people in the company or because it takes time and effort. That doesn’t mean that they shouldn’t be done, and in doing so, they will help set you up for the following three sets of basics that we will cover in the next blog. If you can’t wait until then, here is a little teaser:

  1. Don’t say no to everything
  2. Stop testing your perimeter
  3. Building your plan

Are you sufficiently intrigued?

Links to other interesting stuff on the web (affiliate links)
How the Dark web is Embracing ChatGPT and Generative AI
How To Upskill Your Cybersecurity Team
A Trip to the Dark Side of ChatGPT