Risk Management: Are your engineers the company's biggest risk?

CSO Movers & Shakers: An interview with HD Moore, CSO of Rapid7

HD Moore, CSO of Rapid7, explains why engineers are more dangerous than salespeople and why email security companies are laughing all the way to the bank.

Many security professionals complain about unwieldy desktop users, but HD Moore, chief security officer of Boston-based penetration testing firm Rapid7, says technically adept engineers pose the bigger risk to the organisation. “These are folks that are very competent at what they do, and they already think they know what they’re doing, so they’ll go about setting up things that undermine security for the rest of the organisation,” says Moore.

Sales staff with laptops might “click on anything that runs”, but it’s the engineers who will set up test sites and servers, generally without concern for security.

“They’re generally job focused. And unless you can isolate your engineering department in their own subnetwork and prevent the damage from spreading, they can be one of the biggest risks to the organisation.” Further complicating the challenge, Rapid7, quite intentionally, runs large numbers of misconfigured systems to test its application vulnerability scanner products.

“By definition, one of my largest challenges is that we know we have lots of machines that are exploitable because they’re supposed to be,” says Moore, pointing out that the answer to all this is sturdy segmentation. “We have to do something to make sure they are isolated and that if a worm gets loose, it can’t spread across all the virtual machines or escape back out to the sales network.”
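The segmentation Moore describes is easy to state and easy to get wrong in a rule order. The following is an added example, not code from the article or from Rapid7: it models first-match evaluation of an iptables-style FORWARD chain (the format printed by `iptables -S`) and checks that no new connection from a deliberately exploitable lab segment can reach the corporate segments. The subnets, rule lines and segment names are constructed for illustration; a weak ruleset that lets the lab out "to anywhere" before its drop rule is shown beside a corrected one.

```python
"""
Verify lab-to-corporate isolation in an iptables-style FORWARD chain.

Added example, not the article's or Rapid7's code. Subnets and rules are
constructed: 10.20.0.0/16 is the lab of intentionally vulnerable VMs,
10.10.0.0/16 is sales and 10.30.0.0/16 is management.
"""
import ipaddress
import shlex

LAB_NET = ipaddress.ip_network("10.20.0.0/16")
CORP_NETS = [ipaddress.ip_network("10.10.0.0/16"),   # sales
             ipaddress.ip_network("10.30.0.0/16")]   # management

# Weak ruleset: the blanket ACCEPT for the lab is evaluated before the
# DROP towards sales, so the DROP never matches a new connection.
WEAK_RULES = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.10.0.0/16 -j DROP
"""

# Corrected ruleset: drop lab traffic to all internal space first,
# then allow the lab only Internet egress; everything else hits the
# default-deny chain policy.
HARDENED_RULES = """
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.0.0.0/8 -j DROP
-A FORWARD -s 10.20.0.0/16 -j ACCEPT
"""


def parse_rules(text):
    """Return (chain_policy, rules); each rule is (src, dst, states, target).

    Only the -s/-d/-m state --state/-j options are understood; anything
    else raises so a silently ignored match cannot fake a pass.
    """
    policy = "ACCEPT"
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":           # "-P FORWARD DROP"
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        src = dst = states = target = None
        i = 2                        # skip "-A <chain>"
        while i < len(tok):
            t = tok[i]
            if t == "-s":
                src = ipaddress.ip_network(tok[i + 1])
            elif t == "-d":
                dst = ipaddress.ip_network(tok[i + 1])
            elif t == "-m":
                pass                 # match-extension name; options follow
            elif t == "--state":
                states = set(tok[i + 1].split(","))
            elif t == "-j":
                target = tok[i + 1]
            else:
                raise ValueError(f"unsupported option {t!r} in {line!r}")
            i += 2
        rules.append((src, dst, states, target))
    return policy, rules


def verdict(policy, rules, src_ip, dst_ip, state="NEW"):
    """First matching rule decides; fall through to the chain policy."""
    for src, dst, states, target in rules:
        if src is not None and src_ip not in src:
            continue
        if dst is not None and dst_ip not in dst:
            continue
        if states is not None and state not in states:
            continue
        return target
    return policy


def isolation_violations(ruleset_text):
    """List corporate segments that a new lab connection can reach.

    Probes a few representative host addresses per segment; a full audit
    would enumerate or symbolically compare the address ranges.
    """
    policy, rules = parse_rules(ruleset_text)
    violations = []
    for corp in CORP_NETS:
        for offset in (1, 10, -2):
            if verdict(policy, rules, LAB_NET[offset], corp[offset]) == "ACCEPT":
                violations.append(str(corp))
                break
    return violations


if __name__ == "__main__":
    print("weak ruleset reaches:", isolation_violations(WEAK_RULES))
    print("hardened ruleset reaches:", isolation_violations(HARDENED_RULES))
```

Running it reports that the weak chain lets the lab reach both corporate segments while the hardened chain reaches none, and the hardened chain still passes a lab-to-Internet flow such as 10.20.0.10 to 203.0.113.5. The point of the check is the ordering: in a first-match chain a broad ACCEPT placed above a narrow DROP makes the DROP dead code, which is exactly the kind of lab escape Moore wants to rule out.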

Delivering good security isn’t just about fending off internal and external threats. There are simple ways security can add value to the business, in particular when the business wants to improve its communications capacities. “Your job as head of security can actually be to look for secure ways to make that happen,” he says. “We have a challenge at Rapid7, internally, about how we go about sharing files with customers, like diagnostic logs, custom builds and things like that.”

Without naming the products, Moore said he tested two appliances, both widely used in US government agencies, which had received positive reviews. “We ended up finding a remote root for the first product within two weeks of looking at it, so that got thrown out,” he says. “The second one, we beat on and beat on until we finally got to the point we were happy with it.”

In February 2011, Moore published advisory R7-0039 detailing several flaws in Accellion’s file transfer appliance that “could lead to a remote root”.

“Really, the challenge is how do you secure the network, define and actually enforce your policies without preventing the business from getting the job done.”

This responsibility leaves Moore facing “constant” battles with those who deploy business and production systems. “The problem is you’re getting pressure from all sides. If you’re the person making the call, whether it’s IT, operations, a third party service or a partnership, you’re getting pressure from sales people in your own company, from management wanting the job done. And they’re all going to blame you if it doesn’t happen,” he says. But it’s possible to get the two sides working together with a little leadership.

“If you get the folks on your team on side, it’s not just the security guy pooh-poohing your decision to buy this product.” “What I usually try to do is make a lot of the hard decisions about whether we use the product and how it works early on — do a lot of the deep audits in the actual buying process for the service.”

Many IT departments continue to face pressure to do more with less, but Moore says this is not the case with IT security budgets. “Anyone who works in IT in a large organisation is getting the short end of the stick these days because they’re expected to use automation technologies that hit a lot of systems at once.

“On the security side, you’re not seeing much of that. Budgets are still growing and most of that is because the devices you need to put up all the borders, to secure access to the VPN — those requirements are going up all the time as we add more users to the systems.”

Thanks to the recent focus on WikiLeaks and the fallout faced by its defenders, such as the hacking collective Anonymous, Moore is betting email encryption will now sell like hotcakes.

“Email encryption is looking like gold at the moment ... all the drama around WikiLeaks, Anonymous, HBGary Federal ... PGP should have a really good year this year,” he jokes. “There’s also an argument, when you’re using corporate email, don’t say anything that makes you look like a schmuck afterwards,” he adds.
