What’s keeping CISOs up at night?
(Part I)

Perhaps unsurprisingly, everything most CISOs need to know about Zero Day Vulnerabilities is that they’re one of the hardest threats to mitigate against, let alone detect. That kind of says it all.

Zero Day Vulnerabilities are tough to see coming and sometimes even the most protected environments are vulnerable. While there are some technical solutions that will detect potential threats arising from unexpected changes to an environment related to a zero day vulnerability, they’re not widely deployed. They’re also not bulletproof.

Zero day vulnerabilities are essentially security flaws in existing software, patches or new releases of software or firmware. They’re vulnerabilities which were not previously known and often are not detected until someone finds them and exploits them. And even then, as in several recent cases, the exploits remain undetected for days, months or sometimes many years until someone discloses them.

The proliferation of devices, applications, cloud service providers, co-location data centres and the often complex operating environments of larger organisations can make zero day vulnerabilities tough to find. They’re usually brought to your attention by academics, industry researchers or the vendors themselves, and occasionally white hat hackers. The black hat hackers will often want to keep the information secret or sell it on the black market so they can use it for malicious purposes.

So, what to do?

Well, plenty of us just have it top of mind all the time and we spend a lot of time locking down our critical infrastructure and identifying and controlling possible attack vectors. It’s part of most ITSM programs and an important part.

Patches need to be tested and not released into production without verification and, for critical systems, usually after the initial industry feedback on the patch has settled down, as sometimes vendors can get it wrong. Sometimes patches are so buggy that they create more issues than they solve and more patches are released to address the problems they introduce. Some patches really, for certain environments, offer no tangible advantages and are never released or implemented.

So, for a lot of CISOs, unless there’s a very high security priority given to the patch and we’re forced to potentially release them very quickly, they may not be deployed. For other systems we lock them down and test in sandboxes, and test and test until we’re as sure as we reasonably can be that we’re not introducing a problem or other vulnerability.

Unfortunately, complexity is the enemy of security, and as we move into more complex systems and networks more security issues will be found. It’s part of the world now, and we must manage it.

Why do CISOs worry about zero day vulnerabilities?

It’s because, on top of keeping a watchful eye on malicious attacks, we also have to keep an eye on the legitimate technology we deploy or connect to as part of our everyday work.

It’s like having a much-loved pet which one day, unpredictably, bites you when you simply aren’t expecting it. You simply can’t be complacent, and that gets tough sometimes. You just don’t expect the authorised and lovingly managed technology your team has painstakingly secured to suddenly become a threat vector. It keeps plenty of CISOs awake at night.

Why else do we worry about zero day?

It’s because, by definition, zero day vulnerabilities are brand new to the world. While a new virus in the wild can be quickly dissected and analysed, it’s a lot harder to detect, let alone understand, the magnitude of the threat discovered in a zero day vulnerability. In one environment it may be benign. In another it could lead to a catastrophic security breach or malfunction of mission critical infrastructure or applications.

It’s unlikely this challenge is going to go away soon, although more advanced tools are likely to help in the future.

In the meantime, CISOs like me keep one eye open at all times, train our staff and ensure our people and processes are the best they can be, but still look out for the likely random appearance of zero day vulnerabilities and someone trying to get into our systems.

About Steve Challans

Steve has more than 33 years’ experience working in the IT security sector and over 20 years specialising in Information Security. He has been the CISO at Prophecy International for 5 years.

Steve holds security qualifications including the CISM, CISA, CRISC, CISSP, PCIP, and ISO27001 Lead Auditor certifications.

Through a partnership with Denver Public Schools, Prophecy International will offer an internship program to a technology focussed high-school student this coming summer.

As part of the CareerLaunch Internship Program, a lucky high school student will complete a 100-120 hour internship at Prophecy International over the June/July 2018 period, learning about the cyber-security industry and putting their STEM coursework into practice.

Following the initial CareerLaunch program, Denver Public Schools said “98% of the business partners who had participated in the program felt offering internships to high school students was a viable way to groom future employees and said they hoped their company would continue to participate in CareerLaunch in the future”.

Suzanne Healy, Director of Sales – North America and “Company Champion” for the program, said Prophecy International was honoured to have been chosen to participate in the program and excited to share with the students the wealth of career options in cybersecurity. “As one of the hottest career fields, we want to encourage students to learn more about how Prophecy helps companies develop sound system security architectures. It is important for us as a global company to give back to the community and educate/provide practical experience to the next generation of leaders”.

About Prophecy International

Prophecy International Holdings Limited (ASX: PRO) is the holding company for Snare, which develops a suite of advanced threat intelligence software solutions used around the world across industries ranging from defence, financial services and manufacturing to government agencies, transport and retail.

Prophecy International Holdings Limited was established in 1980 and services markets in the USA, Europe, Asia and Australia. The international headquarters and global software development centre is at Prophecy House in Adelaide, Australia.

For further information please contact:

Media contact

Christine Bishop
Chief Marketing Officer
Prophecy International
+61 418 181 352
cbishop@prophecyinternational.com

Part 1: Australia & the National Data Breach Scheme

There has been little media attention on the Privacy Act amendments which came into effect on February 22nd. Prompted by the proliferation of information stored in electronic form, the Australian Government has introduced new data breach regulations governed by the Office of the Australian Information Commissioner (OAIC). The Privacy Amendment (Notifiable Data Breaches) Act establishes new requirements for businesses responding to data breaches, introducing reporting and data breach investigation obligations for many Australian businesses when a breach is suspected.

Do you need to comply?

You will be obligated to comply with the National Data Breach Scheme (NDBS) if you are:

  • an Australian Government Agency, Business or Non-Profit with annual turnover greater than AU$3 Million; or
  • a private sector health provider; or
  • a childcare centre or private education institution; or
  • a credit provider, or if your business handles consumer credit or tax file numbers.

Ultimately, the government has cast a wide web, and many Australian businesses will be obligated to comply.

What are your obligations if you suspect a breach?

When you suspect that a breach has occurred, you are obligated to take all reasonable steps to perform a comprehensive investigation of the breach within 30 calendar days of the breach being identified, to determine its extent and severity. Should you determine that the breach could result in serious harm to the individuals affected, then you are obligated to notify those persons and the OAIC. Where you suspect, when the breach is first identified, that it is likely to result in serious harm, you are obligated to notify the OAIC immediately.

How do you meet these expectations?

Mandatory Data Breach laws require your business to have the right mix of technical and administrative controls in place. It is crucial that you assess the policies and procedures that you have in place, undertake an audit of the information that you store, and implement policies that will protect this information.

What are the ramifications for failing to comply?

The Australian Government views a failure to comply with the NDBS as “…an interference with the privacy of an individual”, and accordingly attaches severe pecuniary penalties. The financial penalty on individuals is up to AU$360,000, while the penalty for businesses is up to $1.8 million.

There is no silver bullet for complying with the regulations. Compliance requires a combination of people management, administrative processes and technological controls working together to keep data secure. Using Snare can help you implement the requisite technical controls; if you need help with one or more of the other areas, then seek advice from a trusted advisor.

For more information on how Snare can support your Privacy Act compliance, refer to our whitepaper: Mandatory Data Breach Disclosure: Equipping your business for Privacy Act Compliance with Snare

For more information specifically on the NDBS, refer to these useful links:

https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

https://www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-preparation-and-response.pdf


We are incredibly excited to announce that Snare Alliance has joined the Prophecy team. A long-time partner with us here at Prophecy, and a critical part of Snare’s growth over the last several years, Snare Alliance joins us as we head into 2018, a year shaping up to be the most exciting yet in our long history. While several other major announcements are on the horizon, we’d like to welcome the Snare Alliance team on board, as well as all their wonderful customers, whom we’ve been reaching out to and who should hear more shortly if they haven’t already.


Stay tuned as many more exciting announcements are coming soon!

The Prophecy Team