When it comes to choosing careers, some people have a distinct moment when they realise that “this is what they want to do”. In my experience, this moment was when I was sitting in a lecture theatre at University. I was studying what would have been similar to an IT degree today, but I wasn’t a computer hacker and I didn’t really have a lot to do with computers. It was before Internet Banking, smart phones and tablets, but something about listening to cryptography made me sit up, listen and not leave the lecture before it finished. I’ve now been working in the Information Security industry in Australia and overseas over the years, in many roles and many organisations.
One thing I’ve noticed, which has been a constant during this time, is that simple yet critical aspects continue to be ignored, or are unidentified or unrealised by the industry. In this article, I’ll discuss some of these and the unfortunate effect I believe it is having on our industry—contributing to waste, cost and a loss of productivity, as well as exposing organisations to the risk of being compromised.
A simple definition of Cryptography can be found on Wikipedia: it states that it is the use of codes and ciphers to protect secrets and that it began thousands of years ago. Humans have had to secure and protect information that was important or held some value long before computer technology came into existence. Although the realm within which things operated was a lot simpler than today (Caesar’s Cipher vs. the DES encryption algorithm, for instance), information was secure until that particular method of securing it was exploited, leading, in time, to improvements and evolutions of the methods of protection.
Unfortunately, with modern day security, improvements may appear to be occurring in the implementation of technical solutions such as next generation firewalls or risk management systems; however, key issues remain because organisations still don’t clearly know what information to protect or why it should be protected.
I’ll discuss some of my personal observations on this below, as well as my thoughts on improvement.
Asset Register – know what you have.
I can count on my fingertips the number of organisations that actually know their assets, meaning their servers, databases and applications.
Although organisations can sometimes hold thousands of assets, which can seem impossible even to identify, it is worthwhile investing in a staff member to commence an inventory. Start when an asset is purchased: this is a point at which the asset type and its basic characteristics, such as size, type and hostname, can be recorded.
Undertake a discovery vulnerability scan across the network in order to identify the technical assets. This will begin the process of building a profile of the technical ecosystem (techo-system) supporting your organisation and facilitating access to its information.
I have also seen companies tie their ‘knickers in a knot’ trying to define ‘an asset’, from a printed hardcopy email to chairs in their office. My suggestion is to think about the critical processes in your business, define in your policy what an asset is, and go find and capture these, preferably in an asset register that is continuously maintained.
Until you know what you have, no matter how much you invest into securing your technologies, you will fail to even understand what should be protected.
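The two steps above (a register kept from the point of purchase, then a discovery scan) only pay off when the two are reconciled. The following is an added example, not code from the article: it assumes a constructed CSV register and a constructed, simplified scan result, and lists hosts seen on the network that were never registered as well as registered hosts the scan did not find.

```python
"""Reconcile a purchase-time asset register with discovery-scan output.

Added example. The register format (hostname, asset_type, owner) and the
scan result structure are assumptions; both inputs below are constructed.
"""
import csv
import io

# Constructed sample register, as recorded when each asset was purchased.
REGISTER_CSV = """hostname,asset_type,owner
web01,server,platform
db01,database,data-team
app01,server,payments
"""

# Constructed sample discovery-scan result (what a network scan found).
SCAN_RESULTS = [
    {"ip": "10.0.0.10", "hostname": "web01", "ports": [22, 443]},
    {"ip": "10.0.0.11", "hostname": "db01", "ports": [5432]},
    {"ip": "10.0.0.42", "hostname": "legacy-ftp", "ports": [21]},  # never registered
]


def load_register(text):
    """Parse the register CSV into a dict keyed by normalised hostname."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["hostname"].strip().lower(): row for row in reader}


def reconcile(register, scan):
    """Return (unregistered, missing).

    unregistered: hostnames the scan found that are absent from the register
                  (unknown exposure, nobody owns them);
    missing:      registered hostnames the scan did not see (stale register
                  entries, or assets the scan range did not cover).
    """
    seen = {h["hostname"].strip().lower() for h in scan}
    unregistered = sorted(h["hostname"] for h in scan
                          if h["hostname"].strip().lower() not in register)
    missing = sorted(register.keys() - seen)
    return unregistered, missing


if __name__ == "__main__":
    unregistered, missing = reconcile(load_register(REGISTER_CSV), SCAN_RESULTS)
    print("Unregistered on network:", ", ".join(unregistered) or "none")
    print("Registered but not found:", ", ".join(missing) or "none")
```

Each item on the first list is an asset nobody has captured yet; each on the second is a register entry to verify or retire.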
Data value – know why you have it.
Most companies have an idea of which of their information is sensitive or important, but I rarely see the rationale for this understood by staff; it is more of a perception.
Have clear criteria for defining the data that is being transmitted, processed or hosted, and the value this has to the organisation. It will paint a clear picture of why this data is important to the organisation and hence the rationale as to why it should be protected. What will happen to the business if that information is stolen or changed? Will it really damage the reputation, or do we only think it will? Can we push ourselves to be more fact-based and identify the true value of the information? Clarity about the value of the information, and awareness of the asset used to access it, enable thinking about what could go wrong, but they can also empower staff to want to protect it.
Understand your evolving information security threat landscape – know what could go wrong.
Threat landscape is a term I see and hear vendors use frequently. In my opinion, it is the numerous threats, both internal and external, which are applicable to organisations and could cause some form of damage. Thinking about this may seem overwhelming to begin with, but a good threat library and a comprehensive list of applicable threats can be a good start in determining what could possibly go wrong—whether it’s a malicious botnet or a staff member with elevated privileges. This can lead to a point at which you can determine how to go about protecting that information.
There are numerous threat libraries available online, from Verizon’s Data Breach Investigation Report to OWASP Top 10. The key is to consider both technical and non-technical aspects applicable only to the information and environment which you are trying to protect.
Control - know how to protect it.
The How To of protecting information is usually referred to as a control or counter-measure. This is probably the most vulnerable thinking for any senior information security stakeholder, especially if it can be exploited by third parties or vendors trying to make a sale.
The biggest weakness for any CIO or CSO is to not know enough about the organisation or be misinformed—funding the wrong solution or one which fails to meet objectives.
A good CIO or CSO, in my opinion, should mandate the identification of detailed business, technology and security requirements prior to determining the solution. This will ensure that money is spent effectively on what’s important and that the expected objectives are achieved.
Purist view – only choose what matters to fix.
I also feel it’s important to expand on my discussion and emphasise that not everything can be addressed in this overwhelming industry. We are plagued by both the demands of the business and the restrictions of technology.
Information Security professionals are diverse in the domains within which they operate, whether it is penetration testing, writing policies or assessing risk. Throughout these there exists the challenge of the purist security mind. I believe that these two factors—our diversity and our purist mind—contaminate the realistic view of what’s achievable. It is always important to keep a perspective and focus on what matters the most. The key driver for determining this is what matters to the business, as ultimately we operate as a service to support the business ecology (‘b-ecology’).
This is why we must know what we have, why we have it, what could go wrong and how to fix it. And we must choose to fix what is realistic in the world in which we are employed. For what remains unfixed, we must manage the risk continuously and move to fix it when the time comes and it becomes a priority.
People – don’t forget the most important element.
Whether it is a hacker, a trusted staff member or a customer, only the human mind can contemplate the most malicious activities. The motivation to cause harm, whether to an individual or an organisation, can vary—financial, vengeful, or reasons that we might never expect.
The most serious incidents, whether fraudulent transactions via phishing attacks or the provisioning of elevated privileges to access highly trusted information, generally have a common factor.
This factor is a feeling of disappointment or anger held by the perpetrator (be that anger towards a manager or anger at the world). It is always a human being who puts in the effort to exploit, invests the time to cause harm and obtains the benefits. If well detected (through well implemented real time alerts and logs) and effectively managed (through incident programs), the attacker can be identified and their impact limited.
Along with detective, corrective and preventive technical controls, my advice is simply to always treat people well.
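The real time alerting mentioned above is only as good as the context behind it: a grant of elevated privilege means little on its own, but a grant on an asset the data-value register marks as high value, with no change reference or granted by the actor to themselves, is worth an immediate alert. The following is an added example, not code from the article: the key=value audit-log format, the asset classification table and the log lines are all constructed.

```python
"""Raise alerts for elevated-privilege grants that deserve a real-time look.

Added example. The audit-log format (key=value pairs after a timestamp),
the ticket convention ("-" means no change ticket) and the asset
classification table are assumptions; the log lines are constructed.
"""
import re

# Constructed data-value register: classification of each asset.
ASSET_VALUE = {"payroll-db": "high", "wiki": "low", "crm": "high"}

# Constructed audit lines from a hypothetical access-management system.
AUDIT_LOG = """\
2024-03-01T09:12:03Z actor=bob action=grant role=db_admin target=payroll-db grantee=alice ticket=CHG-1001
2024-03-01T09:40:11Z actor=carol action=grant role=editor target=wiki grantee=dave ticket=-
2024-03-01T22:05:44Z actor=eve action=grant role=admin target=crm grantee=eve ticket=-
2024-03-02T10:00:00Z actor=bob action=revoke role=db_admin target=payroll-db grantee=alice ticket=CHG-1001
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one audit line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event


def alerts(log_text, asset_value=ASSET_VALUE):
    """Return one alert string per grant that is either made on a high-value
    asset without a change ticket, or granted by the actor to themselves."""
    out = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "grant":
            continue  # only provisioning of privilege is in scope here
        reasons = []
        if asset_value.get(ev.get("target")) == "high" and ev.get("ticket", "-") == "-":
            reasons.append("no change ticket for high-value asset")
        if ev.get("actor") and ev.get("actor") == ev.get("grantee"):
            reasons.append("self-granted privilege")
        if reasons:
            out.append(f"{ev['ts']} {ev['grantee']} granted {ev['role']} on "
                       f"{ev['target']}: " + "; ".join(reasons))
    return out


if __name__ == "__main__":
    for alert in alerts(AUDIT_LOG):
        print(alert)
```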
My final thought is more about the world of ‘b-ecology’. In modern day organisations, hierarchy largely rules with the assumption that the higher someone is in an organisation, the more they know about the business.
I strongly disagree with this topology, especially in our industry, as great ideas and improvements result from contributions made by everyone, no matter where in an organisation you reside. In improving the way we do things, in addition to the items discussed in this article, I advocate camaraderie, autonomy, respect and creativity.
The best futuristic thinking won’t come from dinosaurs wanting to simply meet KPIs but from a mix of all minds, and this is why I still choose to do what I am doing today.