Think like an attacker -- not a consultant

Security specialist Daniel Ayers tells IITP meeting that consultants need to give clients what they need - as opposed to what they want

A provider doing an ICT security review should give the client what they need, not what they want, says security specialist Daniel Ayers.

This means thinking like an attacker, outside the "box" of standard procedures and the client's initial motives for having the review done.

And if the persistence of similar kinds of vulnerability in successive reviews indicates an ICT management problem rather than a technical problem, the provider should not hesitate to go higher up the management structure with their findings, he says -- even if it's to criticise the competence of the manager who's paying for the review.

Ayers, managing director of security consulting company Special Tactics, led a sometimes contentious discussion of security reviews at a Wellington meeting of the Institute of IT Professionals on May 30.

Organisations request such reviews for a variety of reasons, he told the meeting: because there has been a change in their infrastructure; because an outside party has asked for assurance of the client's security; because the company is seeking its own assurance that a new collaborative arrangement will not expose it to new vulnerabilities - or simply because a review is set down for annual execution. "Those [last] are the clients I worry about most," Ayers says, because their mindset is on a fixed cycle.

A security review is usually motivated by a need for "assurance", he says; "they want to know everything's OK and that they've done everything they should be doing to protect themselves.

"A review is sometimes requested because the client wants to know if 'they' can get into the network," he says. Sometimes there's a real 'they' in their sights; a specific threat people are thinking about; at other times they're thinking of an ill-defined class of "internet hackers".

Traditionally we've thought about ICT security as protecting information; what's called the Confidentiality, Integrity and Availability (CIA) model, Ayers says.

"In my view that no longer applies. We now attach more importance to infrastructure and attacks often aim at disrupting infrastructure rather than stealing information.

"As consultants we were set the challenge of whether we could switch the water off in a city. We could and it wasn't difficult; we just had to walk into a library and plug into a network port on the wall. If real attackers started doing that it could get really embarrassing."

Unfortunately, he told the IITP meeting, consultants too often think in terms of a fixed-time assignment which involves running through a standard methodology almost like a checklist; they don't think like an attacker who's been studying the company's specific environment for some months and constructing a specific plan.

Here Ayers was challenged by Colin Slater, a partner at PricewaterhouseCoopers, who accused him of confusing security review with the different and more straightforward activity of penetration testing.

"That's a very small part of a very large question: what is 'secure'?" Slater said.

"It's a bit disingenuous to say a methodology is a checklist; it is not and will never be." Methodologies such as the Open Source Security Testing Methodology Manual (OSSTMM) and those promulgated by the International Standards Organisation "are not checklist-based; they're principles-based" and will take the adviser into the country of what the client needs rather than what they want, Slater said.

Ayers stood his ground. "I've seen security reviews done literally as a checklist," he said. "It's relatively rare in my experience to see it done properly under a standard like OSSTMM.

"Danger arises when you have consultants looking at it like consultants. It's typically done in a fixed period of time -- say a week -- because that's how consultants think. My concern is that sometimes when you're looking at a thing through the lens of a consultant you're trending away from the way threats work. [So] the value of the process is diminished and you can get an invalid result."

"You talk about what in your view clients expect; I've never come across clients who expect any of that -- if ever," said Slater.

"Clients don't want to be told [they're safe]; they understand that's an unrealistic expectation. They want to understand -- in English -- what are their current risks. They will assess that information in the context of their business."

The security review, Ayers says, should go further than immediate assessment of vulnerabilities to an assessment of the organisation's competence to cope with an attack.

"I've spent a lot of my career in forensics, as the ambulance at the bottom of the cliff," he said.

"My experience is that when we respond to an incident, the organisation is often not well prepared for it. The transition from business-as-usual to 'we have a problem' is not pre-planned and often not very smooth." This point was emphasised in the book Responding to Targeted Cyberattacks, reviewed in Computerworld, June 3.

Finally, Ayers says, managing security risk is not just a job for the ICT people. It crosses over to the executive team. The human resources department has a role to play too, in formulating a posture in response to the threat of internal attacks. "This can be a matter for employment contracts; what you can and can't do to investigate your employees; what obligations your employees have.

"There are legal questions; if you outsource some of your IT to a third party, is there a contractual obligation on that third party to assist you in a review or penetration test," Ayers says, "or are they going to say: 'you're not allowed to do that to our network'?"


Stories by Stephen Bell
