The Troublemaker CISO: Laziness, Failure, Great Expectations
Security Director Ian Keller Rants About Bad Coding Practices and So Much More
I am amazed by how easy it seems to break into an organization. In its reports of Company X being breached, the mainstream media make it sound as if someone left the keys in the door and put up a neon sign pumping out the words "Free for all" with a big arrow pointing to the door.
Why We Get Hacked
In some cases, the failure occurred because someone wasn't doing their job. In my very first rant, I said that we are getting hacked because we are too lazy to do our jobs to the extent required. Part of that job is telling your principals that there is no 100% secure system and that there will always be residual risk - hence the need for formal risk acceptance.
But getting back to the media reporting about that neon sign, we are not correcting them. We, the people trying to defend companies, know that there are numerous layers of defense put in place to try and minimize the likelihood and impact of a breach. We also know that the only certainties in life are death, taxes and the fact that a secure system doesn't exist.
Let's take the instance of a breach that took place due to an API that was coded like its backside - i.e., the coder allowed full, unauthenticated access to a database that held personal information - and it was allowed into production. Yes, it was foolish and supposedly easy to avoid, but hindsight is 20/20. I will wager that it took the attacker a long time to find that open API, let alone to exploit it.
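To make the failure concrete, here is an added example (not code from the breached company or from this column) of what "coded like its backside" looks like next to its hardened form, followed by the kind of pre-release check that would have stopped it reaching production. The customer records, the token, the route names and the handler functions are all constructed for illustration; a real service would have its tokens issued by an identity provider rather than hard-coded.

```python
"""Unauthenticated API handler beside a hardened one, plus a behavioural
pre-production check. Everything here (records, token, routes) is constructed
for illustration and does not describe any real system."""
import hashlib
from dataclasses import dataclass, field

# Constructed "database" of personal records, keyed by customer id.
CUSTOMERS = {
    "c-1001": {"name": "A. Example", "email": "a@example.invalid", "id_number": "8001015009087"},
    "c-1002": {"name": "B. Example", "email": "b@example.invalid", "id_number": "7506305012089"},
}


def _token_hash(token: str) -> str:
    """Store only a hash of each API token so a leaked table does not leak tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token table: sha256(token) -> customer id the token may act for.
API_TOKEN_HASHES = {_token_hash("tok-for-c-1001"): "c-1001"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


# --- The version that should never have shipped --------------------------
def insecure_get_customer(req: Request) -> Response:
    """Returns any customer's record to anyone who asks for it by id.
    No authentication and no check that the caller owns the record."""
    cid = req.params.get("id")
    if cid in CUSTOMERS:
        return Response(200, CUSTOMERS[cid])
    return Response(404)


# --- Hardened version ----------------------------------------------------
def _authenticate(req: Request):
    """Return the customer id bound to a valid bearer token, else None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    return API_TOKEN_HASHES.get(_token_hash(presented))


def secure_get_customer(req: Request) -> Response:
    """Requires a valid token and returns only the caller's own record."""
    caller = _authenticate(req)
    if caller is None:
        return Response(401)
    cid = req.params.get("id")
    if cid != caller:
        # 404 rather than 403: do not confirm to a stranger that the id exists.
        return Response(404)
    return Response(200, CUSTOMERS[cid])


# --- Pre-production check ------------------------------------------------
ROUTES = {
    "/v1/customer": insecure_get_customer,  # the lazy endpoint
    "/v1/me": secure_get_customer,          # the hardened one
}


def routes_leaking_without_credentials(routes, known_id="c-1001") -> list:
    """Call every route with no credentials and report those that still return
    data. Run from CI, a check like this fails the build instead of letting the
    open endpoint sneak into production; it tests behaviour, not documentation."""
    leaking = []
    for path, handler in routes.items():
        resp = handler(Request(path=path, params={"id": known_id}))
        if resp.status == 200:
            leaking.append(path)
    return sorted(leaking)
```

The hardened handler fixes two separate defects the lazy one has: it demands a credential at all, and it binds the credential to the data it may unlock, so a valid token for one customer cannot be used to enumerate every other record. The last function is the part most teams skip; a route that answers with data to a request carrying no Authorization header is exactly the neon sign the media describe, and it is cheap to test for before release.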
A Year's Worth of Work
In that breach, the attacker eventually found an API that they could play with. Next, they systematically cracked it open to see what was going on inside - we use fancy words like "lateral movement" and "privilege escalation" for what happens at this stage. Then they started refining ore for gold, be it personal information or whatever else they could convert into some form of currency.
Once they find the treasure they are looking for, they evaluate the layers of defense that are or should be in place and poke them to find out how well those defenses are monitored. How the company reacts dictates how they will execute their well-planned attack.
If this sounds like a precision operation, you have the right idea. It is that well planned - simply because the attackers want their gold, want to be able to spend their ill-gotten gains and do not want to rot in jail. The process I described here was most likely a year's worth of work.
Failures All Around
Depending on the level of public visibility of the breached company, the impact on the CISO could be epic. In the worst case, the CISO is fired, which is widely publicized, and everyone jumps on the media bandwagon and says the CISO was ineffective. But a record of the CISO's discussions with company leadership, informing them of the risks and the actions needed to reduce said risks, would likely show that the leadership didn't support the CISO's request for additional funds or staff.
That little gem of information never hits the media because of our confidentiality agreements and the mutual separation agreement the CISO must sign in order to walk away with some cash in their pocket to tide them over while they attempt to find new gainful employment.
Most breaches are not a simple point-and-click exercise, and those that are usually involve DDoS attacks or similar, with the express purpose of annoying you. The purpose of a sophisticated attack is to exfiltrate data.
Although we understand the scope and complexity of today's networks, we expect the information security department to be everywhere at once, know of everything going on, and find out when someone gets lazy and codes their API like its backside and sneaks it into production.
And all this has to be done while reducing budgets and not adding extra headcount amid an ever-changing technology landscape. I have so much more to say, but it's NSFW.
CyberEdBoard is ISMG's premier members-only community of senior-most executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Ian Keller, director of security at a telecom company, is an information security evangelist with over 30 years of experience. He started his career in the South African Defense Force's Combat School, where he served as an instructor in Army intelligence. Keller took this background into the corporate world and was instrumental in the creation of the global information security function for one of the country's Big Five banks. He subsequently was appointed as chief information security officer for one of South Africa's leading corporate and merchant banks.