Tuesday, 10 September 2019

Security Metrics: Persuading and Influencing the Board



Written by Chris Jeffers

The Importance of Security Metrics


A few years ago, I attended a meeting with senior management reviewing several security related initiatives. I was prepared as I knew I’d be asked to provide rationalization for these new projects. I talked through my justification process by first identifying the problem, then the need to address this problem, and finally how this new solution would resolve it. All was going as planned until one of them asked the question, “How will this align with the organization’s business initiatives?” Before I could answer, another senior leader asked me, “Chris, how do we know what’s currently deployed is keeping us secure?”

My first thought was: you have to be kidding! I don’t have time, and what’s the point? There’s a new story every day about a data breach or an organization’s data getting encrypted because a user clicked on a ransomware email; we should purchase the solution and get it deployed so we aren’t the next organization hitting the headlines. However, I realized that response would get me nowhere; in fact, that response could throw me out the door looking for a new job! The reality was those questions were valid and caused me to start thinking, so I responded by saying I’d get back to them with some answers. Now, I had to figure out how to do just that.


Using Metrics


I understood the primary reason for having these various security tools, processes and staff - to reduce the risks to the organization - but how can I show they’re accomplishing that? How can I provide evidence that illustrates risk is being reduced?

This is achieved by deciding what to measure and producing metrics from it. Metrics are numerical data that represent what is actually occurring and give you the means to tell the organization how risk is being reduced. They should not rest on subjective judgment or interpretation, such as a low, medium or high rating, but be presented as a count, a percentage or another numerical value that can be trended over time.

To better understand what these metrics are and some possible data sources, I started out with the following:
  • Anti-virus engine and definition versions currently deployed
  • Vulnerabilities discovered in the network, grouped by CVSS score
  • Monthly incidents
  • Email-related malicious events
  • Days from a missing patch being discovered to its actual deployment

I recognized this as a good starting point, understanding we should have enough initial coverage to illustrate to senior management how we are reducing risk to the business:
  • Collecting the current anti-virus versions and definitions helped to identify whether our updating process was progressing or needed attention
  • Understanding the current vulnerabilities and their severity showed which assets were at higher risk
  • The monthly incident data was used to understand the types of security incidents, the resources they required and how effective the processes and staff were. This helped us to understand the type of additional training needed
  • Email-related metrics were all about understanding whether the organization had been targeted and how effective our spam filtering and phishing awareness training were
  • Reporting metrics on patching enabled us to understand how long it was taking to get the correct patches deployed. Measured from the point a required patch is identified to the point it is applied, this was used to track how well the mandated SLAs were being met, as well as how long each asset was left in a higher risk state
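The following is an added example, not code from the original post, showing how two of the metrics above can be produced from raw findings: open vulnerabilities grouped by CVSS severity band, and days from discovery to patch deployment measured against an SLA. The findings are constructed sample data, and the per-band SLA thresholds are assumptions chosen for illustration; substitute your organization's mandated SLAs.

```python
"""Added example (not from the original post): turning raw vulnerability
findings into two of the metrics discussed above, open vulnerabilities
per CVSS severity band and patch-deployment latency against an SLA.

All findings below are constructed sample data, and the SLA thresholds
are assumptions for illustration only."""
from collections import Counter
from datetime import date

# CVSS v3 qualitative severity bands as published by FIRST.
CVSS_BANDS = (
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.1),
)

# Assumed remediation SLAs in days per band (not from the post).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def severity(cvss_score: float) -> str:
    """Map a CVSS base score to its qualitative band; 0.0 is 'None'."""
    for name, floor in CVSS_BANDS:
        if cvss_score >= floor:
            return name
    return "None"


# Constructed findings: (asset, CVSS base score, discovered, patched or None)
FINDINGS = [
    ("web-01", 9.8, date(2019, 8, 1), date(2019, 8, 5)),
    ("web-02", 9.8, date(2019, 8, 1), date(2019, 8, 20)),
    ("db-01", 7.5, date(2019, 8, 3), date(2019, 8, 25)),
    ("app-01", 7.2, date(2019, 7, 10), None),   # still open
    ("file-01", 5.3, date(2019, 7, 20), date(2019, 9, 1)),
    ("print-01", 3.1, date(2019, 6, 1), None),  # still open
]


def band_counts(findings, as_of):
    """Vulnerabilities still open on `as_of`, counted per severity band."""
    return Counter(
        severity(score)
        for _, score, found, patched in findings
        if found <= as_of and (patched is None or patched > as_of)
    )


def patch_latency(findings, as_of):
    """Per band: total and open findings, mean days from discovery to
    deployment (open findings are measured up to `as_of`), and how many
    findings have exceeded the band's SLA, open or closed."""
    by_band = {}
    for _, score, found, patched in findings:
        days = ((patched or as_of) - found).days
        by_band.setdefault(severity(score), []).append((days, patched is None))
    report = {}
    for band, rows in by_band.items():
        report[band] = {
            "total": len(rows),
            "open": sum(1 for _, is_open in rows if is_open),
            "mean_days": round(sum(d for d, _ in rows) / len(rows), 1),
            "sla_breaches": sum(1 for d, _ in rows if d > SLA_DAYS[band]),
        }
    return report


if __name__ == "__main__":
    today = date(2019, 9, 10)
    print("open by band:", dict(band_counts(FINDINGS, today)))
    for band, row in patch_latency(FINDINGS, today).items():
        print(f"{band:9} {row}")
```

Counting an open finding's elapsed days against the SLA, rather than only the closed ones, is deliberate: a finding that has sat open past its SLA is the asset "left in a higher risk state" the metric is meant to expose, and reporting only completed patches would hide it.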


Advice for Establishing Your Security Metrics


When choosing data sources for your security metrics, avoid any source that requires a long and difficult extraction process, and prefer automated collection over a manual process. Manual collection increases the risk of human error and makes it harder to collect in a timely manner; timely collection matters because it is what allows the metrics to be current and to be trended.

Now that you are collecting metrics from meaningful data sources, you need to put together the report to present to senior leadership. In doing so, be sure to follow some basic rules to help make your presentation well received.
  • Be sure you understand your audience and the strategic objectives of the business. As the one responsible for driving the security direction and operation for the organization, it is imperative that you understand the strategic business objectives. It is very difficult to have a clear understanding of the risks to the organization without understanding the business and leadership’s tolerance for risk.
  • The metrics data being presented must be relevant and meaningful to senior management.  Avoid using many IT abbreviations, jargon, and expressions which make it hard to understand. Ideally, the metrics should be self-explanatory or, if required, include a straight-forward definition. Consider including colorful, visual graphs which make information easier to absorb than text.
  • Lastly, you want to create a situation that will encourage conversation between yourself and the leaders. The goal is to provide information and insights into how risk is truly being reduced, whilst staying in line with the business’s objectives.


Summary


To summarize, security metrics are used for providing evidence that security tools, processes, and people are reducing risk in the organization. The metrics are objective numerical data, presented as a percentage or numerical value. In data collection, an automated process is preferable over a manual process, to avoid the risk of human error and to ensure the process of reporting is efficient. When reporting the findings to leadership, ensure you understand your audience and business objectives, and ensure the insights provided are clear.

Thursday, 22 August 2019

The Life of a GRC Information Security Consultant




Written by Ibraheem Khan


My career in Information Security Consulting began for three reasons. The first, working with different businesses; learning and understanding how businesses in all sorts of industries operate is fascinating. What does the business specialise in, and what are their most critical assets? Secondly, being able to use the knowledge and skills I have acquired over the years to assist companies with their IT security posture. Thirdly, I really love the travel – a welcome bonus of the job!

Since becoming a consultant I’ve enjoyed other benefits too, such as client satisfaction; receiving positive feedback from clients, particularly from highly qualified and respected individuals, based on the work I undertook is very rewarding.

It’s satisfying recognising the difference I’ve made to an organisation’s information security posture, so observing cultural change through information security awareness and training is another benefit of my role. Without governance and risk management, organisations generally drift into implementing projects and conducting business as usual (BAU) activities through bad habits, even with the best of intentions, such as not conducting due diligence on a third party prior to using their systems or sharing data. Observing even the smallest of changes, from employees locking their screens when they leave their desks or wearing ID passes within company premises, to asking for assistance with a supplier onboarding, is encouraging to see.


The challenges I’ve observed

Working for various clients has enabled me to take note of challenges most organisations face; regardless of the industry, I have noticed these common themes:

Challenge one: managing the information security risk that comes with increased connectivity, the use of new systems/applications, and operational changes. Typically, information security is adopted slowly while development and business growth happen fast and in a short timeframe.

Challenge two: an increase of risk due to the vast amount of neglected legacy systems and applications which are now embedded in an organisation as critical assets without appropriate operation procedures or plans to migrate to a new version.

Challenge three: profit outweighing security controls. The point of a security control is to protect an asset. However, it is not unusual for some departments to experience the thought process that implementing a security control will result in a longer timeframe to reach the end goal, thus losing out on potential business or profits, leading to the idea: not implementing a control is actually better for the business. This ideology is rather dangerous as, without the correct level of security control protecting an organisation’s most valuable assets, this can result in the demise of the organisation.

Challenge four: lack of knowledge around the architecture of an organisation’s network. Most organisations do not have an up-to-date network diagram or a diagram highlighting the security architecture of the estate. Without having current knowledge on the interconnectivity between network, systems, and applications, the chances of being able to identify potential vulnerabilities or understand project scope is greatly reduced.

Challenge five: lack of management around information security in third party suppliers; third party suppliers’ integration and business relationships can be complex, interdependent, sometimes international and evolving. This, with the lack of due diligence around how assets are protected and what assets are provided to a supplier, combined with total reliance on third-party suppliers, has led to more information exchange and consequently an increase in information security risk.

Challenge six: information security culture; changing the culture within fast paced organisations is an ongoing challenge. Most organisations want quick business changes and quick access to systems, applications, and other forms of information assets. Adopting a new culture which may impact and disrupt the current BAU processes may be considered a hindrance, resulting in rejection.


Overcoming the challenges

When clients ask me to advise on the above challenges, I recommend the following:

1.  Develop an information security culture, providing knowledge and awareness to help people understand issues and allow them to take ownership of information security, by:
  • Encouraging employees to be security conscious at home and work
  • Improving employee engagement to manage risk through understanding the potential impact of security incidents or attacks
  • Encouraging the reporting of suspicious activities, reducing misuse of business information or systems, and improving incident response times

2. Develop appropriate information security training and awareness. Ongoing training and relevant information security awareness will provide employees with the knowledge needed to:
  • Reduce risk of security breaches or incidents as employees think and act in a more security conscious way
  • Increase organisational effectiveness through adherence to policy
  • Improve internal communications on information security

3. Understand the confidentiality, integrity and availability of your information assets. Knowing the CIA of your assets allows you to assess where vulnerabilities are and how best to minimise the extent of their exposure, by:
  • Identifying key assets that need protecting to minimise your potential attack vectors
  • Identifying how information is accessed, processed, stored and transferred

4. Take a risk-based approach to understand and manage the risk exposure of your information assets. Taking a risk-based approach will allow you to:
  • Manage your information security exposure through informed risk-based decision making across your systems, organisation and assets
  • Using risk prioritisation, allocate resources efficiently and effectively across your organisation

5. Have governance for information security within your organisation. Effective governance enables organisations to demonstrate commitment to information security, by:
  • Delivering strategic direction through policy, procedures and guidelines to manage information security consistently across the organisation
  • Allocating resources and funds to manage and mitigate information security risk appropriately
  • Influencing information security culture through awareness and positivity

6. Work with third-party suppliers to reduce risk
  • Conduct relevant due diligence on third party suppliers and identify the purpose of each asset and how it shall be managed once in the hands of a supplier
  • Understand the information security risks that a third party supplier introduces, from procurement through to BAU, and how to appropriately manage them

7. Ensure information security measures are applied through the life of your assets and organisational changes by:
  • Ensuring all assets are owned, monitored and identified
  • Identifying poorly managed assets that may impact the organisation’s BAU operations

8. Prepare for and manage information security incidents. Having an information security incident response capability will allow you to minimise the effects of incidents.
  • Have adequate threat intelligence to respond appropriately to information security incidents
  • Include learning from events or incidents for improvement of plans
  • Conduct incident response exercises to identify areas for improvement and act on them


Summary

Being an Information Security Consultant is a challenging but engaging role. This article summarises why it’s thoroughly enjoyable, some of the common challenges I’ve seen and how to start addressing them. I have been able to do what I enjoy on a day to day basis, working and meeting some amazing businesses and clients.

Who knows, I may have the opportunity to work with you one day. 

Wednesday, 14 August 2019

Spot the Bait: a Lesson About Phishing



Written by Adrien Souyris

We’ve all experienced phishing - those annoying, sometimes dangerous emails attempting to trick us into giving away money or sensitive information. Most of them are clearly scams, but some are smarter and more difficult to spot. 

Symantec identified in 2018 that 54% of all emails were malicious (spam or phishing). As well as this, an average user receives 16 suspicious emails per month. More astoundingly, Verizon reports that 90% of breaches involve phishing.

So, who's behind these phishy emails? In short, anyone from amateur scammers to Russian GRU operatives and skilled cybercrime groups. Phishing is a cybercriminal's favourite tool, but why? Well, IT departments understand how important it is to build a cyber castle around the company's network; firewalls are everywhere which make it harder to attack company networks. And because we built castles, attackers invented a Trojan horse: phishing emails.

It is nearly impossible for machines to automatically distinguish between a legitimate and a well-crafted malicious email. IT and security departments can’t guarantee a phish-free inbox, and with each malicious email displayed to users comes the risk of someone inadvertently giving away the castle's keys. 

What are the remaining options, then? If they are informed and trained, staff make up a company's immune system by reporting phishing and helping the company fight back. 

Phishes of all sorts and colours

There are several types of phishing - angling, spear phishing, vishing, to name a few. The most common one is mass, automated phishing, which consists of creating generic phishing emails aimed at the largest possible number of recipients (usually millions). Even if only 1% of the recipients fall for it, that’s still 10,000 victims.

More targeted attacks are called spear phishing. These consist of selecting high-value, well-researched targets, finding out information such as their online habits, relations and hobbies, and then carefully crafting a high-quality phishing email to be sent to this recipient only. These methods are usually employed by skilled cybercriminals or state-sponsored hackers. Intermediate steps exist between these two, for instance by targeting a specific company, department, or group of people. And what is the intention behind phishing emails? Usually one of two things: assets (information or money) going out or malicious content going in.

In preparation for the former, a cybercriminal will attempt to lure the recipient into giving away the asset. The most basic method is the scam; for instance, the criminal masquerades as a legitimate service - PayPal, Gmail, OneDrive, SharePoint, etc. By disguising the email as a notification or security notice, the sender lures the recipient into clicking on a link. 




Behind this link hides a fake login page where the victim then gives away their credentials. To avoid suspicion, the fake login page mirrors the legitimate service’s page almost identically. 




To perform the latter, phishers may attach a malicious file to the email, such as a Word or Excel document with macros or a script file. Both macros and script files are executable code that can be abused to download malware onto a computer. Alternatively, the cybercriminal may use a malicious hyperlink; behind it hides a web page which will attempt to install malware on the device. From there, the cybercriminal can gain access to the user's files and emails, or use that position in the network to compromise other company assets. 

Avoid taking the bait: stay aware

Phishers use social engineering, the art of hacking people using predictable human behaviour, to trick email recipients into performing an action in their favour. Social engineering in phishing emails can take many forms, but the following techniques are usually employed in phishing: 
  • Masquerading: most of the time, phishing emails will be crafted to be misleading and impersonate something or someone else. For this purpose, the email will make use of attributes which are usual for the stolen identity, including writing style and font appearance, colour schemes, and URLs.
  • A believable scenario: building on the stolen identity, phishing emails create a story. For example, HM Revenue & Customs sending an email about your latest tax return or a colleague reaching out about a project.
  • Sense of authority: by masquerading as an authority figure, such as a professional body or manager, cybercriminals attempt to pressure the recipient without causing suspicion.
  • Sense of urgency: cybercriminals will usually build up on this false authority with pressure and urgency to achieve the result before the recipient becomes suspicious. Using terms like ‘the request is urgent’, ‘a lack of action will result in <insert threat here>‘, etc. encourages the recipient to act fast.
  • Sense of trust: some phishing emails may attempt to look like they originate from someone/something you trust like a friend or colleague.

Spotting phishing URLs

One of the easiest ways of spotting phishing emails is to check the structure of the URL to which the email is trying to redirect you. Let's take our previous fake URL and introduce how domain names work. We'll read the URL from right to left.

A domain name is just like a set of Russian dolls: each ‘.’ separates one layer of doll from the next. Here, ‘.org’ is the largest doll and ‘myaccount’ is the smallest one.

The best way to read a domain name is to start from the right-hand end of the hostname (the part before the first ‘/’ that follows ‘https://’) and find the public suffix. This is usually ‘.com’, ‘.org’ or ‘.co.uk’; note that ‘.co.uk’ counts as a single suffix, so the boundary is not always the rightmost ‘.’. The name immediately to the left of that suffix is the registered domain, and whoever owns it controls everything further to the left. Here, our domain is ‘ml-security.org’, and the URL confuses users by placing a misleading ‘myaccount.google.com’ in front of it.

Another deception to keep in mind is best illustrated through another example:


In the link above, suspiciouslink.com is disguised as accounts.google.com: the text displayed for the link is not the address it actually points to. Hover over a link to see its real destination before clicking and, if you do click, check the address bar to make sure it sent you to a legitimate place.
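As an added example, not code from the original post, the script below reads URLs the way the two passages above describe: it finds the registered domain, flags a well-known brand name that appears only in the subdomains to the left of it, and compares a link's visible text with the address it really points to. The sample email and the hostnames in it are constructed to match the article's description; the public-suffix table and the list of watched brands are small assumed subsets (a real checker would use the full Public Suffix List, for instance via the `tldextract` package).

```python
"""Added example, not from the original post: reading a URL right to
left as the article describes, and flagging the two tricks it shows
(a brand name buried in the subdomains, and link text that does not
match the real destination). A 'user@' prefix, which also hides the
real host, is flagged as well."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed subset of the Public Suffix List, longest-first so that
# ".co.uk" is matched before ".uk".
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "com", "org", "net", "uk")

# Assumed list of brands that should never appear only in subdomains.
WATCHED_BRANDS = ("google", "paypal", "microsoft", "sharepoint", "onedrive")


def registered_domain(host: str) -> str:
    """'myaccount.google.com.ml-security.org' -> 'ml-security.org'."""
    host = host.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]
            return prefix.rsplit(".", 1)[-1] + "." + suffix
    # Unknown suffix: fall back to the last two labels.
    return ".".join(host.rsplit(".", 2)[-2:])


def analyse_url(url: str) -> dict:
    """Report the real destination of a URL plus any warning signs."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # drops any 'user@' prefix and port
    domain = registered_domain(host)
    subdomains = host[: -len(domain)].rstrip(".") if host.endswith(domain) else ""
    warnings = []
    if parts.username is not None:
        warnings.append("text before '@' is userinfo, not the host")
    for brand in WATCHED_BRANDS:
        if brand in subdomains and brand not in domain:
            warnings.append(f"'{brand}' appears only in subdomains of {domain}")
    return {"host": host, "domain": domain,
            "subdomains": subdomains, "warnings": warnings}


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html: str) -> list:
    """Anchors whose visible text looks like a hostname but belongs to a
    different registered domain than the href actually targets."""
    collector = _AnchorCollector()
    collector.feed(html)
    bad = []
    for text, href in collector.links:
        if "." not in text or " " in text:
            continue                 # plain words such as 'click here'
        shown = text if "://" in text else "https://" + text
        shown_domain = registered_domain(urlsplit(shown).hostname or "")
        if shown_domain != analyse_url(href)["domain"]:
            bad.append((text, href))
    return bad


# Constructed sample email body mirroring the article's two examples.
SAMPLE_EMAIL = """
<p>Your account will be locked.
   <a href="https://suspiciouslink.com/login">accounts.google.com</a></p>
<p>Or <a href="https://myaccount.google.com.ml-security.org/verify">click here</a>.</p>
<p>Contact <a href="https://support.google.com/">support.google.com</a></p>
"""

if __name__ == "__main__":
    print(analyse_url("https://myaccount.google.com.ml-security.org/verify"))
    print(mismatched_links(SAMPLE_EMAIL))
```

The brand check only fires when the brand is absent from the registered domain itself, so a genuine `support.google.com` passes while `myaccount.google.com.ml-security.org` is reported; the suffix table is what makes `example.co.uk` come out as one domain rather than `co.uk`.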

Taken the bait by mistake?

All human beings are vulnerable to social engineering. By hitting the right spot, a skilled cybercriminal can hack anyone. If you suspect you’re a victim of phishing, here are the steps you should follow: 

  • Don't panic, this can happen to anyone.
  • Send an email without delay to your IT helpdesk or to your security team. A point of contact should always be available in your organisation for these incidents.
  • Do not delete anything, unplug anything or turn your computer off, unless instructed by security or IT personnel, as the evidence may be needed. You can flag the suspicious email as spam or phishing.
  • Pay attention to and report any further suspicious behaviour on your laptop and applications, such as freezes, slower performance, emails or files disappearing, mouse stutters, etc.

Take the test

Google created a tutorial test that shows the typical techniques used in phishing. Don't worry, it isn’t a phishing link.

You can find it here.

Thursday, 1 August 2019

The Power of Social Engineering Part Three; First Line of Defence



Written by Stuart Peck

In the previous two articles, we covered the fundamentals of social engineering and techniques used by attackers to great effect to gain unauthorised access to sensitive information. In this post, we are going to outline some of the defensive techniques you can develop to reduce your exposure to social engineering. Note that I did not say mitigate or remove risk, because the reality is that even the most hardened security professional can be social engineered; it’s a matter of timing and a well-researched and crafted pretext, that could lead to an attacker striking gold.

What this article aims to provide is a range of tactics that reduce the exposure from simplistic to advanced techniques used by attackers on a regular basis.

People-Centric Attack Vector Requires People-Centric Defence

If you are reading this then you may have spent years learning about infosec, attended a few training courses, maybe you hold a few certificates, and consider yourself adept at dealing with phishing and other social engineering attacks. Now let’s talk about compliance based “Security Awareness” training; on average, this is an annual or biannual exercise, usually online or through a Learning Management System, and it generates little engagement from employees. The key point here is that infosec professionals spend many years learning their tradecraft, and yet we expect users to change behaviours and become adept at spotting and reporting phishing emails and other attacks after a 1-2 hour CBT (Computer Based Training) course.

Changing behaviours takes time; on average, over 3 months before new habits form and become normal working procedures. The key to effecting change is to get user buy-in, which is usually very difficult unless your training is highly engaging and preferably face to face. It’s made even more difficult given that security departments are typically small in comparison to the rest of the IT team, and smaller still versus the actual headcount of the business. This is where developing programs that encourage champions is vital: the security team can increase its footprint within each business unit through a person who takes an active interest in promoting information security and training, and who is essentially a human sensor for the infosec team.

Defence is Much More Than Just Training

Specifically identifying your high-risk groups of people in your organisation that are likely to be targeted by social engineers, and providing targeted training is a quick win, but it’s also important to provide a wider and longer term strategy that does not just involve annual Computer Based Training activity. Social engineering defence is the balance between Education, well enforced Policies and Technology. Here are a few ideas:

1)      Know who your targets are and invest in regular face to face training. Everyone is a potential target for social engineering, however, here are some high-risk groups:

·         Executive Assistants
·         Customer facing employees
·         IT / Developers
·         Marketing / social media
·         Finance / Payroll

2)      Understand the risks of oversharing; are your employees making themselves an easy target?

·         Monitor social media, especially Instagram / Facebook and provide guidance on what could expose the employees and the company to risk of being targeted
·         Make employees aware of the exposure and provide regular training on the risks of oversharing

3)      Specific and regular training on the risks of social engineering is vital, but in addition:

·         Provide policies that do not penalise those who report, but actively encourage engagement. Buy-in is a must!
·         Principles of trust but verify destabilise social engineering and can be highly effective
·         Segregation of duties for high-risk targets is vital!

4)      Technology, people, and process need to work in harmony; without this, social engineering will always be a risk

·         Ensure everyone has multi-factor authentication or U2F to reduce the risk from phishing and credential stuffing
·         Put in place processes and technology that allows employees to easily report potential phishing scams
·         Gamification and simulated attacks work but naming and shaming does not

5)      Understand the risks and exposures

·         Policy and procedure review - does everyone know their responsibilities? How can you prove this?
·         Data Risk Assessment and Discovery - where is the critical data? How well protected is it? Who has access?
·         Incident Response – how effectively can you detect, react and respond to a social engineering attack?

6)      Attackers Don’t Care About Compliance

·         Prevent social engineering attacks by conducting risk assessments to spot & remediate potential weaknesses
·         Regularly test for weaknesses in people, process and technology. Test, remediate, repeat
·         Compliance training does not drive lasting change! Make training fun, engaging, and about the employee; give them the skills and tools to improve their own personal security posture, therefore massively reducing risk

In Summary

Social engineering has been around for an extremely long time, but technology has enabled it to scale at a rate never seen before. Existing strategies of annual training, unclear policies and reliance solely on technology to fix what is a very human problem, are clearly not working.

What’s required is a long term strategy where regular face to face training is invested in; safe behaviours are championed; reporting is encouraged; policies are clear, well defined, and presented in a way that normal employees can understand; and technology is used in a way to help deter, detect, react and respond to attacks that target the human.

For more on this follow ZeroDayLab on Twitter or LinkedIn.