A post after my own heart. We need to take a step back and look at the bigger picture when it comes to risk management. What is important, what can go wrong, how can it go wrong, who can make it go wrong? Is it really important? What is the method, motivation and opportunity? Very good read!
Coincidentally, this is a theme common to some of my previous posts. I believe it is a sign of the times – that as we continue to experience data breaches we find fundamental control failures are behind many of them, which is what prompted me to write my previous posts.
October is ‘Cyber Security Awareness Month’ over at the SANS ISC diary page.
Tom Liston has put together a post highlighting the concern mentioned above, and then, in social networking style, opened up the floor to the Twitter universe to see what we thought were some of the fundamental security basics the community (in general) needs reminding about.
It’s a great little summary with real life context that is definitely worth a read. The post is at:
Three suggestions I put forward (admittedly I was a little late for two of them) speak to where my thoughts and concerns are:
1. Writing a policy & not implementing/monitoring it doesn't constitute a control. That's like buying the firewall and leaving it in the box
2. As pessimistic as it sounds, ‘TRUST’ is not a reliable information security model
3. Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt – audit, ops risk, etc
There are plenty of great contributions on the site. Putting forward suggestions was a great exercise as it forces you to think in (very) succinct terms about key controls and basic security principles.
This content should be part of a training programme somewhere…
Is there a relationship between the increase in breaches and hacks and the paradigm shift to outsourcing and cloud services? Logic suggests that if services are consolidated then these points of control should be more mature and better equipped to deal with issues, but is this reality, or a mindset that leaves us vulnerable to simple attacks?
The connection may be very difficult to see, as the other key factor to consider is why the attacks are taking place. Let's consider this first. My early InfoSec studies taught me to consider method, motivation and opportunity when assessing the threat to and risk of a given asset. If we consider what is happening across the 'net these days it is clear that political drivers are behind certain attacks and hacks (motivation), and both complex and simple attack vectors (method) are used to achieve the intended result. However, there are a bunch of other attacks taking place in which the motivation is questionable. For example, in the recent DNS compromise why were UPS, The Register, National Geographic and Vodafone the targets? The only visible connection is that they use the same DNS provider, NetNames, which suggests the motivation was to disrupt the DNS services of major online brands rather than to attack the specific brands themselves. This is of course only one possible explanation, although it does seem the most likely if you look at the hacking group's track record. It is difficult to say, though, as we tend to piece together motivation and action from a single point of reference and from the facts known to us – much like archaeologists trying to join the dots using fossils.
One must also consider the nature of the attack – in this case redirecting sites resulted in a mildly irritating denial of service, which brings us back to questioning the motivation. Based on current knowledge it appears that the group behind this attack has some political motivation. But what is the connection between this and global western brands? I'm not sure there is one. To me it appears that some attacks are motivated, while others are merely opportunistic (completing our attack triad) and at most provide a platform to further advertise a particular group's message. So the motivation is to reach a desired audience (or audience size), not to focus on a particular target.
Once an attack vector has been shown to be successful, the inherent interconnectedness of the Internet puts everyone at risk of repeated opportunistic attacks using it. As noted in the previous blog post there are many soft targets out there that struggle with fundamental controls, so it is only a matter of time before these targets are discovered and exposed through tried and tested attack vectors.
So what does this mean to the broader Internet community? Stating the obvious – you need good security in place if you have an online presence, regardless of your line of business, as some attacks frankly don't care who you are and are driven by the underlying infrastructure or services you share with others. Alternatively, a more lackadaisical way of looking at this is to suggest you only need to have marginally better security than your neighbour, as the attack often identifies the softest target. However, this can only ever provide a false sense of security given that some part of your online service offering relies on other providers that may not be as secure as you hope. My fear is that all the current hype about the cloud could mean organisations choose to transfer (and to a point accept) the risk instead. This approach will not help the Internet community as a whole determine the best way forward to collaboratively protect against future attacks.
If I kept a running commentary of all the system, service and data breaches currently being disclosed this blog would probably look like it was scrolling in real time. Thankfully a bunch of other sites do a great job of keeping us up to date on the somewhat gloomy happenings across the Internet.
The recent DNS attacks are of particular interest, and concern. DNS is part of the fabric of the Internet, and without it many people’s (click-and-mortar) businesses and livelihoods could come to an abrupt halt. In this case it was large corporations targeted, but it is easy to see smaller home-based companies suffering collateral damage.
It sometimes feels like we have built our Internet/e-commerce house on sand. What is more concerning is that simple, well-known attacks (SQL injection in this case) are still highly effective. The DigiNotar incident audit report also puts fundamental security control failures at the root of that breach – log management, password controls, patching and network segmentation.
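To make the "basics" point concrete, here is an added example (not code from the original post, and not a reconstruction of the NetNames compromise, whose details the post does not give) showing the shape of the SQL injection flaw that keeps succeeding: a login check that splices user input into the query text, beside the same check written with bound parameters. The table, user names and passwords are constructed sample data; real systems store password hashes, not plaintext, but that is a separate control from the one illustrated here.

```python
import sqlite3

# Constructed sample data for the demonstration only (not real accounts).
SAMPLE_USERS = [("alice", "correct-horse"), ("bob", "battery-staple")]


def make_db():
    """Build an in-memory SQLite database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: attacker-controlled strings become part of the SQL."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Hardened: placeholders pass the values to the engine separately from the
    statement text, so quotes in the input are data, never SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks with legitimate credentials and with a classic bypass payload."""
    conn = make_db()
    # In the vulnerable version this payload turns the WHERE clause into
    # ... AND password = '' OR '1'='1', which matches every row.
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_safe": login_safe(conn, "alice", "correct-horse"),
        "bypass_vulnerable": login_vulnerable(conn, "nobody", payload),
        "bypass_safe": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both functions accept the real credentials; only the concatenated version accepts the `' OR '1'='1` payload, which is the whole difference between a control that exists on paper and one that is actually implemented.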
Why do we spend time worrying and analysing APTs and advanced cyber-crime techniques when we still can’t get the basics right?
Brian Honan summed it up well in his Editor comment on the SANS NewsBites email yesterday (Brian I hope you don’t mind me quoting you!):
“This (DNS) attack and the one on DigiNotar highlight how fragile, insecure and unsuitable the Internet is for conducting the type of transactions we are using it for. Putting security solutions as add-ons to the infrastructure is not working. We need a fundamental rebuild of the security architecture we are using and we need it now! ”
http://www.theregister.co.uk/2011/09/05/dns_hijack_service_updated/ (I like the irony of posting this link)
Recently I've been giving a lot of thought to the role of information security practitioners in an organisation. The roles of the CISO, CSO and IT security are fairly well embedded in many industries by now, and Carnegie Mellon's 'Governance of Enterprise Security' 2010 CyLab report notes an increase in the number of CSOs. This isn't a surprise given the environment we find ourselves in, but what are they there to do, what are the differences, and how do we measure their value?
It’s an intentionally broad question as I don’t want to focus on the detailed view based on company market, size, location, etc (although I acknowledge these are critical factors to consider). Rather I ask about the principles of information security. We will all probably agree that the CISO job spec will address topics such as security strategy, policy, awareness, incident response and in some cases business continuity. What seems harder to get consensus on is the level of responsibility assigned to this role.
Bill Brenner at CSO Online ran a series of podcasts recently which discussed this topic in some detail. He interviewed CISOs and asked questions about reporting lines, the difference between a CISO and a CSO, and what a CSO should be worried about.
The key points that stood out for me were:
1. Many organisations don't have both a CISO and a CSO;
2. However, where there is a CSO, the focus is often on physical security only;
3. While a CISO is often a promoted IT security administrator.
I find these results a little worrying. A CISO should be responsible for information security, both physical and electronic. Reporting lines need to reflect this, so they could have a line into the CRO or the CIO, provided the latter is not still solely focused on IT (which is often the case). Physical security is an element of information security, although it is broader, as information is not the only asset the CSO should be worried about protecting. I can believe the last point about the evolution of an IT security manager into the role of CISO – the security function originated in IT (typically network and server admins), and organisations realised the need for security to gain a higher presence with senior management and the executive, and so promoted those who knew the most about the technical aspects into the CISO role.
So in terms of responsibilities, I don't think there should be too much ambiguity. The often grey areas in terms of requirements for a CISO and/or CSO depend on the DNA of the company (i.e. its structure, delegation of responsibilities and classification of critical assets). Regardless, they are there to drive strategies and to implement and monitor programmes that manage (information) security risk in the context of the business.
Value is harder to quantify. To start with, I believe any role that carries the title of 'officer' comes with a high level of responsibility and accountability. However, this is difficult to realise for a security officer who often sits at the centre of an organisation, while the actual risk is borne in the divisions – areas not directly under this person's command. Also, a large part of a CISO's ability to succeed will depend on the responsiveness and cooperation of the business. Working in audit, I appreciate that it can be very difficult to identify and manage risk if the business does not have a culture of open and honest communication. It can be a double-edged sword, as the business may want to see the value the CISO provides (despite their exec-level mandate) before warming to them.
These days organisations can be very complex in structure, and often evolve to match or make market conditions, take on new lines of business, etc. So it would be a little unfair to expect the CISO to solely keep tabs on the changing security risk landscape and to measure their success in isolation. Rather I believe an equally important factor to gauge is the amount of interaction with other security, risk and assurance provider practitioners in the business. The collaborative approach will have a greater chance of success as coverage across all business processes and technologies will be more effective, not to mention leveraging of different skill sets and more resources. I’m not sure if the performance of a CISO always includes this measure, but it should.
On another note, organisations are not immune to the risk of an inadequate security function, as with any other specialist function. Many employees, including senior management, may not fully understand the role and responsibility of security officers, and so will find it difficult to measure the success of these staff. For example, if no security incidents occur over the course of a year, was it because the security function was effective in thwarting attacks or events, or were they not good enough to detect the incidents that did take place? I don't see a simple answer to this. Often it is those who shout loudest in an organisation that come across as being in control. If this is the CISO, it will be difficult for a non-InfoSec person to challenge their effectiveness, while if it is the CIO or CRO who shouts loudest, it will be very difficult for the CISO to gain the respect of, and access to, the execs.
For me the most important elements of a security function are accountability, responsibility and ownership. It is a role that requires someone to be practical yet, in my opinion, also sceptical (almost paranoid), as someone in the organisation needs to play the role of asking 'what if?' or 'what could go wrong?'. And they need to be at a sufficient level in the organisation to discuss and challenge senior staff.
If I were to draft a CISO job spec I would certainly include the details at the start of this blog, but would also include the following:
• Responsible for managing the security of the information assets
• Accountable for strategies and initiatives that improve insight into security protection and monitoring
• Responsible for implementing a culture of ownership relating to company information, and driving related ethical and moral standards in accordance with corporate governance best practices
• Actively involved in driving collaborative assurance and risk management processes with stakeholders such as internal audit and operational risk
• Responsible for implementing a dynamic control environment, leveraging continuous monitoring processes (I would certainly recommend looking into the SANS Top 20 Controls)
I believe that by using the correct language the role and expectations can be clearer, leading to a greater chance of success for the CISO, which is of course what we all want.
In terms of personal characteristics, I would include the following:
• Must be knowledgeable of the business and practical in aligning security with business strategy and operations (this may be a challenge if pure IT folk fill the CISO positions)
• Must have the ability to exercise professional scepticism when identifying and assessing risk
• Must have the ability to quantify information security risk in terms of the business
I guess the next question is: What should the CISO’s team look like and how far should they reach into the organisation…?
Lots of news online already
Let's see how the testing goes