Cyber Security & Information Risk Management, the Devil’s Dilemma
by Tim Thurlings
Why do People Matter Most?
Security is not about Technology. I’m a big advocate of this statement and pose it anywhere I possible can. Why? Because nowadays the security vendor landscape seems to be all about the holy grail and “nextgen 2.0” products.
What is missing is the core foundation of people making mistakes, all day, every day. Technology can’t prevent people from making mistakes, and they never will! And this is OK! People should make mistakes, it’s what makes them better! Some of biggest achievements in history originated from mistakes; take antibiotics as an example! Without that mistake, we’d be dead by now.
The Information Risk Management arena can be considered a wild west. There is a belief that having many policies will result in a secure world. Policies aren’t making your company safe, the people following them are the ones making your company safe. Security is about People.
Malicious attackers won’t obey any written policy and will try whatever they possible can to bypass and bend the rules that have been carefully crafted. And they will find a way around it, there is no question about that.
What matters most is accepting the fact that any company will inevitably be compromised, and bad people will sit in your network. With the firm belief that Security is not about Technology but about People, the world can become a safer place to life and work in.
Security testing makes a company better. I’m not the threat, you are.
During my career as a hacker, I’ve experienced many different responses of customers. Most of them where happy to have me, breaking their environments in order to learn and improve. But there where occasions where developers where stubborn, reluctant to cooperate and doing everything in their power trying to make my task fail.
Why? Fear for the possibility of failure. Our natural behavior isn’t about failure, it’s about willing to succeed and be the best at everything. It’s survival instinct. When we fail, we won’t be the best. We need to be the best to survive…
Do we? Maybe in the past, when fighting over meat and being the best hunter of the group. But in today’s work, failing is no longer a problem. Fail fast and fail often. At least that what we teach new penetration testers and hackers. If you don’t know how to do something, try. Try again if something doesn’t go as expected and fail a lot. By failing, we learn. We learn what can go wrong and we grow in experience. The more experience we have, the more we can prevent going wrong again.
Failing once on new matters is just fine, failing twice on the same flaw is becoming tricky. Failing and hide your failure is devastating. An attacker will learn about these failures and use them against you.
It’s much better to have me discover security vulnerabilities during an assessment and trying to help to improve than when a malicious attacker finds the loophole and steals the crown jewels of the company because of it.
Risk Management won’t do you no harm, but can hunt you down when done wrong
Estimating risk adequately is important and notoriously difficult. How do you properly estimate a risk appetite and how are risks calculated? What happens when an issue is identified and fixed by teams or mitigated?
Performing penetration tests or security assessments is great, well done! But how are you handling the results from these tests inside you company? Do you have adequate controls in place that validate if issues are followed up and fixed?
In several cases in the past I’ve seen that security assessments are being performed multiple times a year, spending serious cash on testing. But when the cycle is complete a new assessment is done on the same environment. If the security specialist is from the same company, and they have a good system in place to track results from previous tests, they will find the same issues appearing in their reports.
Such system should be able to track how long it takes before issues are resolved and ideally how many hours of productive time it took. These metrics will help you to stay on course budget wise and will tell you how long security issues are inside your companies’ network. This helps you with Vulnerability Management, patch management, change management and a variety of compliancy statistics.
Having these metrics in place gives you a clean and direct benefit and will help you to identify the painful weaknesses inside your company.
Also important: Are you challenging the security specialist with their report, ensuring that calculated risks are in line with the network structure? It won’t be the first time that high or critical findings in a report are not so high risk when you take the entire network topology into account? But worse, it can also be the other way around! Having a low or informational issue that, when combined with other issues, will result in a total network compromise.
When you are not accurately estimating the risk, it will also be possible that efforts are made to resolve a problem that isn’t worth resolving. These costs a lot of time, but also a lot of money. Having a way to identify and score risk adequately is of value. There are various systems in place to calculate individual technical risk, but mapping these to a specific company environment is something that can only properly be done by the CISO and Risk Management.
Attackers will always get in, they just need time
While you are building controls, policies, guidelines, procedures and what else you can think of; eventually there will always be that one loophole, that one phishing email that will slip through. The reason why this happens is simple, attackers have no time limit. If they want to break into your company, they will succeed eventually.
Continuous security awareness and a 24/7 detection and capability function within your company’s perimeter is needed to spot the attacker and stop them as quickly as possible. Building your network setup around the assumption that attackers are already inside will help securing your perimeter. It will make it more difficult for attackers to pivot through your network and move laterally, causing more damage.
Performing red team assessments will help you to identify various ways into your company’s environment. Each time such assessment is done, your maturity level increases one step to resilience.
The goal is to become more secure than your neighbor, as usually attackers are lazy and will go for the easy target if they can. If they are after you specifically, it will cost them a lot more effort and money to succeed. If they are willing to invest that depends on the value of your crown jewels. The higher value, the more they are willing to invest. It’s a normal business model, only less bound by rules and regulations. There is always an investor willing to pay if the return is good enough.
Security is about People
As I said before; malicious attackers don’t care about the procedures of policies you’ve carefully crafted nor are they getting scared of the technology stack inside your network. They will find a way around these.
I am a firm believer that testing on security level is essential within any environment. Testing infrastructure against loopholes, applications on programming mistakes and policies on missed controls with social engineering assessments, as part of red teaming.
With the outcomes of these assessments, any company requires to have adequate follow-up on the identified issues in order to prevent the problems from residing within the network. This would only increase the security risk and would mean a waste of the investment made to identify security problems.
Any company will eventually be part of a digital attack, whether its directly targeted against them or as collateral damage. It is not about ‘if’ it will happen, but ‘when’ it will. Attackers have got time, don’t have to obey the law and will use any available exploit to breach into networks. The longer a security hole is present within your company’s perimeter, the bigger the chance gets that one of these holes will be used against you.
Security is not about technology, it’s about People. When we can improve our security mindset, we will be able to make our world more secure. The more we train, learn and fail the stronger we all become. Try to stay one step ahead by identifying weaknesses of our organizations with help of security professionals, that is what matters most!
About the Author
Ever since he was a little boy, Tim was fascinated by computers and the fact that people made them work. He would take apart computers and reassemble them to understand them better and try to improve them. With a dream to make the world a better place, Tim joined medical school, so that he could improve people’s lives directly. However, his interest in computers far outweighed that in medicine and it was only a matter of time before he found himself experimenting with programming and hacking.
Tim Thurlings envisioned a world where the window for attacks was reduced to the minimum, which would go on to decrease cyber-attacks. This provided the motivation to launch Bluedog Security Monitoring. The company today boasts of numerous clients that belong to various sectors such as banking, finance, insurance, telecommunications, etc.
Tim's LinkedIn profile: https://www.linkedin.com/in/timthurlings/
Bluedog Security Monitoring website: https://bluedog-security.com/
The article has been originally published at: https://www.linkedin.com/pulse/cyber-security-information-risk-management-devils-tim/