Most of the time security professionals worry about zeros and ones – to simplify our entire industry somewhat. In essence, we’re trying to keeping our own assets protected and keeping outsiders, well, on the outside – and technology solutions, people and processes are obviously core to that.

However, there’s always one big grey area when it comes to putting effective cyber security protections into practice – our own people.

The reality is, if companies didn’t have people in them, they’d be a lot easier to secure. Unrealistic I know but it’s a fact. (And yes, in a previous blog I did also point out that not having the internet connected would also be quite good too).

No matter how secure your infrastructure, applications and devices, if a suitably-enabled staff member or contractor really wants to walk out the front door with private and confidential information, there’s little you can do to stop it from happening.

In addition, privileged users such as system and network administrators, database administrators, data owners, finance and HR staff can cause significant damage at an industrial scale if they maliciously attack systems or delete, change or leak sensitive information.

You’d hope it was detected very quickly, and perhaps DLP software will set off bells and sirens, and maybe even physical security will mitigate a malicious, physical attempt to steal information. But mostly – that information will just walk out the door.

So this is the interesting bit. In essence, after you have set access levels and rights correctly, you then have to trust that the people you also trust to serve customers and to behave within the cultural norms of common business practice have no intention of deliberately causing mayhem in your IT systems.

Of course with privacy and data protections laws and regulations tightening around the globe, that doesn’t seem like much of a security strategy. Naturally, every technology that should be deployed will be deployed to protect an organisation, relative to its business type and risk profile.

But what do you do about people!

It actually doesn’t come up as much as you’d think when you consider the discussions, news and general information coming across your desktop on a daily basis in relation to IT security. We see lots about devices and software that protects organisations or we hear a lot about the results of a breach from some malicious actors.

But the reality is that educating, supporting and communicating with staff about IT security (and all that entails) absolutely builds a more resilient and protected organisation.
There are a few things worth considering. These include:

  • How do we onboard new staff and contractors?
  • How do we reinforce various policies?
  • How do we oversee or educate employees that have been with the business for a longer period of time about issues like phishing attacks, shadow IT, securing sensitive information in emails, not plugging USB keys into devices on the network without security scanning (if it’s not already automatic) etc?
  • How do we ensure the business can still do business (and people don’t throw up their hands in frustration and look for a new job) but we still stay in business?
  • Implementing the relevant controls and tools that will help us verify the trust we have bestowed to some of our staff that have admin or access to privileged information.

Every company has their own approach, often built around international IT security standards.

However, dig below the surface and you can guarantee in all but perhaps military-grade sites, there can be big gaps between what should be happening and what is happening.
If it wasn’t true there wouldn’t be an entire dark web sector raking in millions of dollars per year from various nefarious activities.

So what’s the answer?

To some extent, (technology tools not withstanding), trust remains the watchword.

So trust comes from the overarching culture leaders create within a business.

Engaged, positive and tribe-oriented people value and protect their own. People who are aligned to their organisation’s success and take pride in their work, are less likely to deliberately steal or damage IT infrastructure and assets.

In most cases, accidents are captured by logging tools and security software and the like – and many people will put their hand up to admit they did something they shouldn’t have if it was an honest mistake. And of course, trust can also be verified to a reasonable extent with best-in-class logging tools.

What this means of course, is that for any CISO worried about security on a daily basis (and I’m pretty sure that’s at the top of the job description), they need to have one eye observing how their organisation looks after and treats people.

It may be that there’s not much we can do to influence a truly abysmal, pan-continental culture in a business, but we sure can be aware of what that means when it comes to setting a security posture and conducting internal audits. For example, it would also be prudent to review logs more assertively to verify staff activities and validate the trust levels that have been set.
It’s the difference between expecting and anticipating trouble.

In my last blog I drilled straight into the one of the biggest, ever-present threats in any network, zero day vulnerabilities.

I thought in this blog I’d be a little more circumspect and talk about the broader issues keeping CISOs up at night (the overall theme of this blog series).

The best analogy I can think of in describing the role of the CISO is, like a spider, we’re are at the centre of the security web in terms of over-arching control and management.

Our teams build, watch, react and maintain all of the security infrastructure across our organisations, locally and internationally.

At the same time, we’re working very hard to ensure our organisation (our people, information, assets) doesn’t become a fly in some-else’s web.

When all is said and done, this really boils down to two main area.

Managing access to systems and mitigating uncontrolled changes to systems (accidental, deliberate or malicious).

And while that sounds fairly simple, it covers a lot of ground and in practice can often be difficult. It includes network security, systems and application security, physical security, system and application access, privacy compliance, back-up and redundancy, setting the security culture within an organisation and a lot of communication between other primary stakeholders to ensure, at the end of the day, the organisation can still go about its business and not go out of business.

Communication is key, especially with the executive teams and the board as they want to understand risk to the business and potential personal liability, so it can be managed and treated accordingly. The CISO is a key person in helping to ensure they are all well informed so they can make well informed decisions.

After, all, you could just turn off the broadband internet connections to the company and a lot of security concerns would disappear instantly. I’m sure there’s a few CISOs out there who have that recurring dream. However, the business is there for a reason to provide a service or product to its customers, so this all comes with a level of risk and has to be managed.

So how do you balance it all?

Well, quite clearly, in all but the most chaotic organisations, CISOs try and architect for success. We’re not wanting to race around the organisation playing whack-a-mole on a daily basis as threats or concerns emerge, even though it may sometimes feel that way.

We build secure environments and everything that entails (people, process, and technology) but we’re also keeping a close eye on external information sources.

We listen to what critical vendors tell us about their technologies including roadmaps, patches and security flaws and performance issues. We gather intel from trusted security partners, ranging from cybersecurity groups publishing alerts about new threats as well as media reports and security vendors issuing specific alerts.

We all know that at some point something will go wrong and we need to have our incident response processes in place to help manage those times.

We also look at macro changes in the behaviour of our organisation in how it goes about its business and what that may mean to our security posture. Is BYOD becoming a more important part of our work culture? What does that mean? What about remote work and information leakage? What about shadow IT and what systems are they deploying? What third party connections or data flows are in place?

We consider the strategic plans in place for our organisation as well. How will organic growth or new branch offices or company acquisitions impact security considerations? Will it fit our security architecture? What gaps and risks do we have to manage with this process? Is this other business a square peg in a round hole? How hard will it be to fix or integrate? It all has to go into the mix.

Then there’s the fine detail of daily operational control. What signals should we pay attention to? What are our systems and fail-safes telling us? How’s our security posture? What is an acceptable risk and what’s not? What does our SIEM show us? What threats are we detecting? What are we missing and need to address? What do we have to do to address them?

It’s a complicated tapestry combining business, organisational and technical challenges into one job description and the CISO has to be the master weaver.

About Steve Challans
Steve has more than 33 years’ experience working in the IT security sector and over 20 years specialising in Information Security. He has been the CISO at Prophecy International for 5 years.

Steve holds security qualifications including the CISM, CISA, CRISC, CISSP, PCIP, and ISO27001 Lead Auditor certifications.

What’s keeping CISOs up at night?
(Part I)

Perhaps, unsurprisingly, everything most CISOs need to know about Zero Day Vulnerabilities is that they’re one of the hardest threats to mitigate against, let alone detect. That kind of says it all.

Zero Day Vulnerabilities are tough to see coming and sometimes, even the most protected environments are vulnerable. While there are some technical solutions that will detect potential threats arising from unexpected changes to an environment related to a zero day vulnerability, they’re not widely deployed. They’re also not bullet proof.

Zero day vulnerabilities are essentially breaches arising from security problems with existing software, patches or new releases of software or firmware. They’re vulnerabilities which previously did not exist and often are not detected until someone finds them and exploits them. And even then, as in several recent cases, the exploits remain undetected for days, months or sometimes many years until someone discloses them.

The proliferation of devices, applications, cloud service providers, co-location data centres and the often complex operating environments of larger organisations can make zero day vulnerabilities tough to find. They’re usually brought to your attention by academics, industry researchers or the vendors themselves, and occasionally white hat hackers. The black hat hackers will often want to keep the information secret or sell it on the black market so they can use it for malicious purposes.

So, what to do?

Well, plenty of us just have it top of mind all the time and we spend a lot of time locking down our critical infrastructure and identifying and controlling possible attack vectors. It’s part of most ITSM programs and an important part.

Patches need to be tested and not released into production without verification and, for critical systems, usually after the initial industry feedback on the patch has settled down, as sometimes vendors can get it wrong. Sometimes patches are so buggy that they create more issues than they solve and more patches are released to address the problems they introduce. Some patches really, for certain environments, offer no tangible advantages and are never released or implemented.

So, for a lot of CISOs, unless there’s a very high security priority given to the patch and we’re forced to potentially release them very quickly, they may not be deployed. For other systems we lock them down and test in sandboxes, and test and test until we’re as sure as we reasonably can be that we’re not introducing a problem or other vulnerability.

Unfortunately, complexity is the enemy of security, and as we move into more complex systems and networks more security issues will be found. It’s part of the world now, and we must manage it.

Why do CISOs worry about zero day vulnerabilities?

It’s because, on top of keeping a watchful eye on malicious attacks, we also have to keep an eye on the legitimate technology we deploy or connect to as part of our everyday work.

It’s like having a much loved pet which one day, unpredictably, bites you when you simply aren’t expecting it. You simply can’t be complacent – and that gets tough sometimes. You just don’t expect the authorised and lovingly managed technology your team has painstakingly secured to suddenly become a threat vector. It keeps plenty of CISOs awake at night.

Why else do we worry about zero day?

It’s because, by definition, zero day vulnerabilities are brand new to the world. While a new virus in the wild can be quickly dissected and analysed, it’s a lot harder to detect, let alone understand, the magnitude of the threat discovered in a zero day vulnerability. In one environment it may be benign. In another it could lead to a catastrophic security breach or malfunction of mission critical infrastructure or applications.

It’s unlikely this challenge is going to go away soon, although more advanced tools are likely to help in the future.

In the meantime, CISOs like me keep one eye open at all times, train our staff and ensure our people and processes are the best they can be, but still look out for the likely random appearance of zero day vulnerabilities and someone trying to get into our systems.

About Steve Challans

Steve has more than 33 years’ experience working in the IT security sector and over 20 years specialising in Information Security. He has been the CISO at Prophecy International for 5 years.

Steve holds security qualifications including the CISM, CISA, CRISC, CISSP, PCIP, and ISO27001 Lead Auditor certifications.