You, Me, and Dystopia

Leave a comment

We all remember the Ocean’s 11 styles of antics that criminals can emulate to gain access to IoT devices and, subsequently, the enterprise network on which they are hosted. It may have been an isolated incident, but it underscores that ANY vulnerability can be exploited.

The question of “why should we be bothered now?” begs to be answered, given that these risks have been around for a long time. But, interestingly, the 2020 COVID lockdown (and subsequent ones) and the impacts it had on the supply chain may help us to answer this question with surprising clarity.

Do you remember how difficult it was to get hold of toilet paper, pasta and hand gel in March of 2020? Panic buying meant that the supply chain struggled to meet demand; combined with the “just in time” supply models employed by most manufacturers and retailers, stocks were diminished quickly with no replenishment in sight. So far, so what, right?

According to the UK’s Office for National Statistics, there are well over 8,000 small to medium sized food suppliers in the UK (probably exacerbated by the gig economy as well). How many companies of this size do you know of that have a robust cybersecurity programme in place?

This puts them at a significant disadvantage when it comes to recognising a cyber-attack and defending against it. Given the fish tank scenario from my last blog, it is no stretch of the imagination to see circumstances whereby chilled and perishable goods are sabotaged and destroyed, either in situ or in transit. Remote monitoring is rapidly becoming the norm and will reduce costs and effort, something any small business would jump at. So protecting these environments, the sensors, and the control devices from the get-go becomes critical.

The incentives to disrupt and destroy the supply chains are sometimes manifest, but only occasionally. Terrorism, both domestic and international, will always try and attack a nation’s weakest point. But there are other threats to consider as well.

The (fairly) recent global lockdowns and various actions carried out by governments worldwide have changed the business and planetary ecosystem, and not always for the better. Without commenting on the politics of the situations themselves, activism has been on the rise globally, with people taking to the streets to defend their particular viewpoints and air their grievances.

The hacker group, Anonymous, are the epitome of so-called “hacktivism”, using their collective skills to disrupt and expose governments and corporations. Their particular flavour of activism involves attacking their targets and exploiting their weaknesses for political and social leverage. So again, it doesn’t take a leap of the imagination to see these current troubling times being a catalyst for more hacktivism, attacking vulnerable supply chains through their reliance on IoT technology.

The positive impact of technology always needs to be balanced against the sociological and cultural impractical it may have, as well as the environment in which it operates. With the commoditisation of security testing capabilities and offensive technological tools, the ability to attack and exploit weaknesses in the supply chain becomes open to the general populace. If that populace suffers a more significant division of wealth and disenfranchisement, the risk of the supply chain being attacked is greater.

Ocean’s 11 suddenly becomes The Hunger Games; the implications of an insecure supply chain vulnerable to attack can have severe consequences for what we consider to be our ‘normal’ lives. So taking precautions now to protect our society’s lifelines must be imperative.

Links to other interesting stuff on the web (affiliate links)

Introducing Cyber Advisor

BSidesAustin 2023: CyberSecurity In The Texas Tech Capital

Understanding ‘Lone Wolf’ Attacks Dissecting and Modeling 2022’s Most Powerful Cyber Attacks

CISO Basics, Part 2

Leave a comment

In the last post, I looked at some of the less apparent activities upon becoming a new CISO, namely:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

In this post, we will take this a step further and closer to actual business as usual and maintaining your security team as a functional part of the organisation.

Don’t say “NO!” to everything.

This is an obvious thing to do, but it is much harder to do in practice. The reality is that this requires a complete change in mindset from the traditional view of the everyday CISO. As a species, the CISO is a defensive creature who is often required to back up every decision and be the scapegoat of every mistake (see One CISO, Three Envelopes https://thomlangford.com/2014/12/01/three-envelopes-one-ciso/) and generally rubber-stamp choices that are out of their bailiwick and control.

The mindset shift requires a leap of faith wholly because of this perceived threat of blame and accountability when, in fact, it does just the reverse. 

It starts naturally enough with the language that is used by the CISO and the team, for instance, changing the Change Approval meeting to the Risk Review meeting and not communicating a yes/no or go/no-go response to changes but rather a level of risk associated with the request and alternative approaches as appropriate. There is a need to communicate this shift in the culture, of course, but people will see that they are accountable for decisions that affect the business, not the security team. Shifting the mindset away from being a gatekeeper to a security team that provides sensible and straightforward advice based upon clearly understood risk criteria is a fundamental step towards avoiding being known as the Business Prevention Unit. Politely correct other’s language when they mention an action that requires sign-off or approval from “Security” and help them understand their role in the business decision.

This approach does not require a snap of the fingers for 50% of the problems to go away. Still, carefully planning and educating your stakeholders alters the impact you can have on the business dramatically for the better. It also allows you to more easily draw a line between the activities of the security team and the company’s performance, all for the price of merely no longer saying “no”.

Stop Testing Your Perimeter

What? Are you serious?! 

Absolutely.

As you enter a new environment, you will be taking many critical pieces of information on trust and from people with vested interests in their careers, livelihoods and reputations. Your arrival upsets the status quo and has the potential to disrupt the equilibrium; all reasons to not always be forthcoming with every piece of information you request. It isn’t about people being dishonest or deliberately misleading you, but merely being complex, multi-faceted human beings with multiple drivers and influences.

Your perimeter is one of the fundamental pieces of your information security puzzle. Despite cries of “the perimeter is dead”, it remains a prominent place for attacks to happen and where you should feel fully confident that you know every node in that environment to the best of your ability.

Whatever your testing cycle is, suspend it for some time and conduct as complete an investigation as possible into precisely what your perimeter comprises. It can be done automatically with discovery tools, manually through interviews with those responsible, visually in data centres (where you have old school “tin” still being used, and any combination of the above. You will likely find devices that you, and probably existing team members, weren’t aware of, especially with the proliferation of the Internet of Things devices being used throughout the enterprise now. Did facilities install a new access control system or room booking system? Did they consult IT, or more to the point, you?

It sounds like the stuff of legend or the script to the Ocean’s 11 movies, but do you remember when a Las Vegas casino was broken into… through their fish tank? Knowing what devices are where on your network and perimeter is vital and must be considered table stakes in any decent security programme. An alternative is simply a form of security theatre that gives the impression of security and does nothing but create a false sense of security. A cycle of no testing is worth discovering what you don’t know because you can do something about it.

Building your plan

Now you have a grip on your environment in a relatively straightforward, simple, effective and quick way. Through this process, you will ascertain your stakeholders, advocates and even a few potential adversaries. Then, armed with this information, you can provide an accurate picture of the business to the business in a way that makes sense and displays a grasp of the fundamentals.

Building your plan will always start with your initial assessment and what needs to be done to become operational or steady-state. The trick, however, is to ensure that this baseline achievement is perceived as the end state of security but rather merely the first stepping stone to ever more impressive services, capabilities and ultimately, profit and growth for the company.

The plan itself, however? That is yours and yours alone. Although other posts in this Blog will help as you plot your course into the future, nothing will replace your understanding of the local culture, organisation and, ultimately, what you need to achieve to meet the expectations of the business leadership. Know what the rules of your organisation are, when to adhere to them, when to bend them, and most importantly, when to break them (but only when experience tells you it is the right thing to do):

“The young man knows the rules, but the old man knows the exceptions.” 

Oliver Wendell Holmes

Be the Old Man, be the CISO.

Links to other interesting stuff on the web (affiliate links)

5 Ways Penetration Testing Reduces Overall Security Costs

Avoiding Security Theater: When is a “Critical” Really a Critical?

Game of Life Security and Compliance Edition

CISO Basics, Part 1

1 Comment

So you want to be a CISO? Perhaps you want to be a better CISO? In many cases, you could pick up a book, attend a conference or even talk to some peers and colleagues. Of course, there will be some good advice in these approaches too, but you don’t want to be just any CISO; you want to be THE CISO.

Across two blog posts, I will look at some of the more unexpected but necessary activities you can do from the moment you start in a new role or start with a new approach to being a CISO. Some may be counterintuitive; some may be a little odd, and you may even disagree with a few. But, whatever you feel about them, they should start you thinking about different ways to approach your role and how you see the contributions you make.

In summary, in this particular post, you will learn to:

  1. Stop thinking that infosec is your business.
  2. Stop making technology purchases.
  3. Ask your vendors to explain what you have in your services inventory.

Stop Thinking InfoSec is Your Business

As a CISO, your primary purpose is not to secure the business; as odd as that may sound, it simply isn’t. Instead, the objective of a company is to sell more stuff, increase profit and maximise shareholder value (there are exceptions such as charities, government and the like, but they still have goals that include maximising value nonetheless).

If that is the case, your purpose is to help it achieve that goal through your activities. However, if you put your (security) activities ahead of those of the business, you are, ergo, hindering its ability to achieve its goals. So flip the situation around and ensure that when you come into the picture, you are fully cognizant of what your organisation does, its goals, ambitions and vision. Then, look at how your security team can make that a reality. Simply slapping security measures onto the business without regard for its purpose and intent will, at best, cause friction and disgruntlement and, at worst, diminish its business operations.

Read the company report, talk to the CFO, talk to people on the shop floor, the road warriors, delivery leadership, and, wherever possible executive leadership. Understand where the business came from, its roots, its beginnings, the founding values and vision, and even how it has evolved (if at all) over the years. By doing this, you will understand how you and your security team can help. Then, and only then, can you start to build your services and security posture.

Stop Your Technology Purchases

Unless the ink is drying on the cheques, you should pause purchasing until you have a better idea of the business. This makes completing the first step all the more critical, as some of the purchases may be vital. However, purchasing something that aligns differently with your new way of thinking about the business makes no sense, and significant amounts of money can be wasted and misdirected.

You may find much pushback from various stakeholders in the business, mainly as their pet projects and mini-kingdoms rely on those purchases. As a result, you are stymying their efforts and potentially making them look bad. Your long-term security strategy, though, depends on solid business cases supporting sensible purchasing decisions that will actively help the company and its long-term goals. Anything else is a distraction and can drain the company’s resources.

Ask your vendors to explain what you have in your services inventory

Why would you ask your vendors what they have sold you? Surely you know that already. Probably not, actually, and it is down to human nature as to why.

Purchases and contracts entered into may have supported failed initiatives or even not been appropriately implemented at all. This so-called “shelfware” is an issue in many companies, supported by 451 Research in 2014 (https://www.rsaconference.com/writable/presentations/file_upload/mash-t07a-security-shelfware-which-products-gathering-dust-and-why.pdf), with an evident rise in the problem when it comes to larger organisations. Asking your vendors for a catalogue of services will reap more accurate results as they have a vested interest in maintaining correct records as they charge you for their services (even if you use them or not). Any vendor worth dealing with will happily sit down with you and discuss what they have sold you and what value it brings. If they don’t, alarm bells should be ringing!

Armed with this information, you can start to build a picture of technology services in the company and ascertain what is shelfware, what is used effectively, and what isn’t. At this point, and no earlier, should the old purchasing go live again, minus the services that provide little to no value to the company.

These basics will be challenging because you will be pushing against the weight of expectations from other people in the company or because it takes time and effort. That doesn’t mean that they shouldn’t be done, and in doing so, they will help set you up for the following three sets of basics that we will cover in the next blog. If you can’t wait until then, here is a little teaser:

  1. Don’t say no to everything
  2. Stop testing your perimeter
  3. Building your plan

Are you sufficiently intrigued?

Links to other interesting stuff on the web (affiliate links)
How the Dark web is Embracing ChatGPT and Generative AI
How To Upskill Your Cybersecurity Team
A Trip to the Dark Side of ChatGPT

Risky Business

Leave a comment

<updated with missing risk matrix image>

Risk is a topic that I like to talk about a lot, mainly because I managed to get it ‘wrong’ for a very long time, and when I finally did realise what I was missing, everything else I struggled with fell into place around it. For me, therefore, Risk is the tiny cog in the big machine that, if it is not understood, greased and maintained, will snarl up everything else.

In the early days of my career, risk was something to be avoided, whatever the cost. Or rather, it needed to be Managed, Avoided, Transferred or Accepted down to the lowest possible levels across the board. Of course, I wasn’t so naive as to think all risks could be reduced to nothing, but they had to be reduced, and “accepting” a risk was what you did once it had been reduced. Imagine my surprise that you could “accept” a risk before you had even treated it!

There are many areas of risk that everyone should know before they start their risk management programme in whatever capacity they are in, but here are my top three:

Accepting the risk

If you want to know how not to accept a risk, look no further than this short music video  (which I have no affiliation with, honestly). Just accepting something because it is easy and you get to blame your predecessor or team is no way to deal with risks. Crucially, there is no reason why high-level risks cannot be accepted, as long as whoever does it is qualified to do so, cognizant of the potential fallout, and senior enough to have the authority to do so. Certain activities and technologies are inherently high risk; think of AI, IoT or oil and politics in Russia, but that doesn’t mean you should not be doing those activities. 

A company that doesn’t take risks is a company that doesn’t grow, and security risks are not the only ones that are being managed daily by the company leadership. Financial, geographic, market, people, and legal risks are just some things that need to be reviewed.

Your role as the security risk expert in your organisation is to deliver the measurement of the risks clearly as possible. That includes ensuring everyone understands how the score is derived, the logic behind it and the implications of that score. This brings us neatly to the second “Top Tip”:

Measuring the risk

Much has been written about how risks should be measured, quantitatively or qualitatively, for instance, financially or reputationally. Should you use a red/amber/green approach to scoring it, a percentage, or figure out of five? What is the best way to present it? In Word, Powerpoint or Excel? (Other popular office software is available.)

The reality is that, surprisingly, it doesn’t matter. What matters is choosing an approach and giving it a go; see if it works for you and your organisation. If it doesn’t, then look at different ways and methods. Throughout it all, however, it is vital that everyone involved in creating, owning and using the approach knows precisely how it works, what the assumptions are, and the implications of decisions being made from the information presented.

Nothing exemplifies this more than the NASA approach to risk. Now NASA, having the tough job of putting people into space via some of the most complicated machines in the world, would have a very rigorous, detailed and even complex approach to risk; after all, people’s lives are at stake here. And yet, their risk matrix comprises a five-by-five grid with probability on one axis and consequence on the other. The grid is then scored Low-Medium or High:

Seriously. That’s it. It doesn’t get much simpler than that. However, a 30-page supporting document explains precisely how the scores are derived, how probability and consequence should be measured, how the results can be verified, and so on. The actual simple measurement is different from what is important. It is what is behind it that is.

Incidents and risk

Just because you understand risk now, you may still need to be able to predict everything that might happen to you. For example, “Black Swan” events (from Nicholas Nasim Taleb’s book of the same name) cannot be predicted until they are apparent they will happen.

By this very fact, creating a risk register to predict unpredictable, potentially catastrophic events seems pointless. However, that differs from how an excellent approach to risk works. Your register allows you to update the organisational viewpoint on risk continuously. This provides supporting evidence of your security function’s work in addressing said risks and will enable you to help define a consensual view of the business’s risk appetite.

When a Black Swan event subsequently occurs (and it will), the incident response function will step up and address it as it would any incident. Learning points and advisories would be produced as part of the documented procedures they follow (You have these, right?), including future areas to look out for. This output must be reviewed and included in the risk register as appropriate. The risk register is then reviewed annually (or more frequently as required), and controls are updated, added or removed to reflect the current risk environment and appetite. Finally, the incident response team will review the risk register, safe in the knowledge it contains fresh and relevant data, and ensure their procedures and documentation are updated to reflect the most current risk environment.

Only by having an interconnected and symbiotic relationship between the risk function and the incident response function will you benefit most from understanding and communicating risks to the business.

So there you have it, three things to remember about risk that will help you not only be more effective when dealing with the inevitable incident but also help you communicate business benefits and support the demands of any modern business.

Risk is not a dirty word.

Links to other interesting stuff (affiliate links)

Building a Modern Exposure Management Program

Access Controls that Move – The Power of Data Security Posture Management

Vulnerabilities and Insights: A Look at Cybersecurity Challenges

Too Much of a Good Thing

Leave a comment

The one thing the current lockdown has taught me is that you really can eat too much chocolate… who knew?

Left to my own devices and without the distraction of a routine, regular work and people observing my unhealthy eating habits, my faulty brain tells me that more chocolate can only be a good thing and that I should continue to eat it until physical discomfort forces me to stop (in spite of my brain’s protestations.). It is an obsessive and compulsive behaviour that I recognise in myself, and do my best to contain, but it is a constant struggle arguing with myself that chocolate is not the most important thing in my life.

The same could be said to be true of many security professionals and their desire to roll out security practises to their organisations, implementing new procedures, standards, policies and ways of working that are designed to make the organisation very secure. They do this despite the protestations of the organisation itself telling them they have had enough, the new ways of working are too restrictive, difficult to follow and ultimately leave them with a security stomach ache.

This weeks Lost CISO episode talks about when too much security, like chocolate, is a bad thing.

This compulsion to think that security is the most important part of a business’ life is one that leads to users having security headaches all day and the business itself feeling slovenly, bloated and sluggish. (OK, that’s enough of the analogies.)

It is ultimately self-defeating, as users will do their best to work around draconian working practices, and the perception of a security organisation will be one of business prevention than vital service. I, and many others, have spoken about not being the department of “no”, but it goes well beyond just saying “yes”.

Agreeing to everything without thought of the consequences is potentially even more dangerous than saying no, especially in the short term. The vital distinction that needs to be made is that of a two way conversation between security and the end users and business. Finding out what is trying to be achieved is far more valuable than just focusing on what is being asked. Requests can be addressed in many different ways, not just by punching a whole in the firewall or switching off 2FA on the VPN, for instance.

In fact, this very conversation helps create even stronger relationships as it highlights two things:

  1. How seriously you take their request.
  2. How much you care about the organisation you both work for.

A great example of this in the above video is that of companies relaxing their security stance during the remote working ramp up of the lockdown. If the response was simply “no”, or even a straight “yes” with no consequences there would have been issues sooner or later. Working with the business, relaxing the standards for the initial growth and then methodically scaling and tightening the security once the initial growth is over is absolutely the right way to go.

So next time you feel yourself reaching for the chocolate wanting to say “no”, think beyond the the immediate consequences and how you can use security for the long term betterment of your organisation rather than your simple security stats.

And one bar of chocolate/security is always enough for everyone, right?

Do you need two re-align your security team to your business and don’t know where to start? (TL)2 Security has a proven track record helping security leaders and teams creat strtaegies and business plans that make real, competitive, differences to organisations. Contact (TL)2 to find out more.