That is to Say, There Are Things That We Know We Don't Know

Guest Blogger: Nick Prescot 
Senior Information Security Manager

I am sure that we all know who the guy in the picture, he's Donald Rumsfeld and whilst he is/was a distinguished U.S. politician he is perhaps best known for a slightly odd quote made in 2002 when asked about the government of Iraq/terrorist groups/ evidence of WMD. I'm not in the business of holding the suspense any longer and this is what he said,

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.”

And in the parallel universe of cyber security 10 or so years later, many people ask me what the biggest threat to today's networks within the corporate environment.  As a median response, I ask as a opening question, ‘do you know what's bad in your network/systems/access points and are you doing anything about it?’  The response is usually lukewarm, sometimes there is a strong level of assurance, sometimes not; but what is constant is that it has been the same biggest strategic threat to a corporate infrastructure for about 15 years. However, there is a shift that is going on here; the level of awareness within industry and the market is moving from the 'don't know what they don't know' to the 'don't know what they know.'

And this is the most dangerous conundrum that a company can be in, because once you don't know what's in your network and people realise that it's a problem...then it's clear that something needs to done.  Standards like PCI DSS have been trying for nearly 10 years to get people to understand what data they are processing, and given that the standard is slowly becoming more prescriptive and part of 'business as usual', a token presence in front of the QSA isn't going to cut it.

Also if you thought that the raincloud of PCI DSS was going to be a case of staying indoors whilst the rain fell, then there is the storm on the horizon in terms of the implementation of the EU General Data Protection Regulation.  I'm not going to list the FUD facts here, but it makes PCI look like chicken feed. Fines will hurt and reputational damage through compulsory disclosure will keep the PR people busy.

It's part of the security maturity process (and yes, we have a nice powerpoint slide on this); once you have moved from the 'don't know what you know' to the 'know what you don't know' then you will have a better handle on your information flows  within your networks.  I take the view that once you 'know what you don't know' this means that you have a sight of all the information within your network, and its case of having good threat intelligence to see the trends of who and when you are going to be hit.  The added bonus with this plan is that when you're hit you will have an idea of how to react and respond to the hack.

But this is the speak of an infosec manager speaking to his peers, there needs to be a plan to educate the CIO's, marketing, finance, HR and others within the business.  Instead of this message being harped on to members of the infosec community, a progressive message to the finance and HR people should be next on the list.  They are in a position of 'don't know what they don't know' because they see this as an IT problem...but hang on, they are the owners of that data.  IT provide the systems and logins...they are the teams that control, process and store the confidential and sensitive data at a much greater volume that any other department(s) within a modern day business.

So that's my soapbox moment of the week and I think that there might be some comments on this one just for being random, aloof, circumnavigational, odd, bizarre and just downright strange, but it all comes down to one thing...educational, so people are made aware and training so people don't get fired.

Are You Hiding Behind a Security Technology Comfort Blanket?

Guest Blogger: Stuart Peck,
Pre Sales Manager at ZeroDayLab

Having recently moved into a Pre-Sales Manager role my perspective on information security has changed tremendously over the last 18 months, quite something after being in this industry for over 10 years.

The threat landscape is ever changing. The shift in sophistication of Cyber Criminals and State Sponsored Actors using covert tactics and tools to evade detection is testified by daily press reports of yet another breach in security at a well-known brand; just take Carphone Warehouse or Ashley Madison. There’s one thing that hasn’t changed over the last 10 years; the reliance on technology to fix a problem that is very human, I think the following quote sums this up quite well:

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand technology.” Bruce Schneier.

I’m not suggesting that technology doesn’t solve problems created by current threats, just that there is still focus on trying to find the silver bullet through technology solutions.  Unfortunately this does not exist (yet at least). Take Spear Phishing as an example; IT Security departments employ Anti-Spam, URL Filtering, Web Proxies and Advanced Detection Technologies but find they are still battling a problem that in essence targets human behaviour and psychology.

When a highly-targeted campaign of just 10 emails yields a 90% chance that at least one person will click on a link or open a weaponised document; this is not a problem that technology in isolation can fix. That statistic is even more potent when you understand the ease of crafting and deploying these attacks; for example why would a threat actor waste hundreds of man-hours crafting a targeted campaign when they could apply to a job opening on an organisation’s website with a well-crafted email, delivering a weaponised CV attachment that will quickly get an attacker a foothold on the target company’s network.

The popular solution is to deploy the latest shiny toy that counters “today’s latest threats”, and report back to the board that the current residual risk has been treated. High fives all round right? No, it’s the technology comfort blanket effect.

In theory the risk has been addressed, maybe but just until cyber-criminals have devised another tactic to bypass the controls.  It does not overcome the core risk of Spear Phishing; humans opening well-crafted weaponised emails. Your technology comfort blanket may give a warm feeling that the business is defended but it cannot account for human error, lack of awareness of the security policy, and changing threats.

A human problem created by humans, underpinned by technology.

Let’s consider the Target breach where over 40 million credit card details were harvested and stolen by Cyber Criminals. Target had deployed FireEye (in monitor mode), which detected the malware used to breach the POS systems, however Target’s US-based security analysts ignored the alerts raised not only by FireEye but Target’s very own security operations team in Bangalore. The technology actually did its job, but it was let down by a lack of a robust incident response process allowing Malware to execute without intervention.

I see this countless times; companies invest in technology to provide alerts and management reports on threats, which either don’t get actioned in time or end up in someone’s drawer. It’s the technology comfort blanket effect #2, the reliance on technology but no human interpretation of the data, notification or action to manage the security event, which is even more critical than the information being generated in the first place.

So how do we put down the comfort blanket?

Technology has become the core focus for information security strategy; whether this is driven by analysts such as Gartner or Forrester, or highly-effective vendor marketing- the reality is that the changing environment demands that it sets as part of a wider strategy that Actionable Threat Intelligence combining Business Philosophy, Governance, People, Process and Technology are closely aligned. 

1) Generate Actionable Threat Intelligence

Understanding threats, especially adversaries is a great place to start, and I’m not talking about scenarios on a risk register, I'm talking about real threats, generated through proactive intelligence.

Knowing the capability, intent and techniques used by an attacker generated through intelligence should drive decisions around where controls around Governance, Processes and Technology can be tightened in anticipation of attack.

2) Continuous education top-down, bottom-up, fed by actual threat intelligence.

With the increased number of attacks targeting employees and executives, security awareness training shouldn't be a once-a-year, tick box exercise. Create a network of human sensors through a programme of continuous education, driven by governance and fed by intelligence.

This will ensure that humans become more of a failsafe in the kill chain and attacks that penetrate protective controls are less likely to be executed. As I always mention in security awareness training sessions, if you don’t click on the link or open the attachment the attack won’t work.

3) Create a strategy that focuses on reducing the time from detection to responding to security incidents.

The key here is implementing processes and procedures that ensure that information generated by detection and monitoring technology is actioned quickly. Technology, People and Process should work in harmony to ensure the right information is disseminated to the correct recipient, who can then react in the appropriate manner to deal with the attack.

The quickest way to reduce detection to response time is regularly testing the organisation’s incident response policy through red-teaming exercises to ensure that the company has the capability to protect, prevent, discover, detect and respond to each scenario.

If correctly implemented the business should not need to ask the questions about whether they are protected from breaches they are reading about in the news, they will already know- and won’t be hiding behind that comfort blanket!

Ah! I See That You Have a Machine That Goes 'Ping'

Guest Blogger: Nick Prescot
Senior Information Security Manager at ZeroDayLab

Many of us have seen the scene from Monty Python...an group of surgeons having lots of kit ready to deliver a baby; the administrator comes and all the machines are going 'ping' and the umbilical cord is severed with a meat cleaver and the machines that go ping have done absolutely nothing.  And this is what happens a lot of the time when a hacker gets into a system, it has bypassed all the machines that are supposed to go ping, but they didn't.

As much as I love technology, and I do have a fair amount of gadgets and 'Gucci kit', I do wonder on the over-reliance of technology within the information security sector. Yes, information security is a technical domain and the profession that we are prescribing is not talking about analysing works of art here where subjective matter and opinions count, but there is a certain tendency to solve a problem with a new machine that has a slightly different ping, rather than understanding the architecture that befits the networks that we process data on. One of many great quotes from Bruce Schinder recently is this; 

'If you think that technology can solve your security problems, then you don't understand the problems, and you don't understand the technology' 

We all know that Bruce likes to make hard-hitting statements and this one got me thinking...this is one of those quotes that looks great on a powerpoint slide but how does one educate the listener as to why it's important.  It's not the kind of quote that vendors are going to like because they want you to buy the technology because that will solve the problem. It's not the machine that goes ping that solves the problem, it's when it goes ping and what does that ping actually mean...and when the ping goes off, what happens next?

As with many things in life, the devil is in the detail here is understanding the security problems and technology has never been able to judge risk in the same way that a human does; we are not filling our SOC's with Cyberdyne systems T-101 robots where they think for themselves and provide a secure network.  It's a case of what is the risk appetite for your data.  For example, if you are just reposting news stories to a selected audience and you are not taking anyone's login details or payment details, you don't need a military grade firewall.  Then again, if you a processing financial data you need to take it more seriously. 

Every company has a different security posture and one of the biggest challenges is to gauge what the level of risk appetite and what controls you are looking to put in to mitigate the risk.  This does seem simplistic but the reality is a lot harder; you try and get your management team to understand the level of cyber-risk that there is when there is little data to support it and you don't know who's attacking you and why. 

This is where the realm of threat intelligence comes into play but a lot of the time it's just pinging alerts at you.  If you turn on a threat intelligence tool on in a corporate and enterprise environment, it's not long before the number of alerts become quite numerous and onerous.  It's a machine that goes ping and there's a lot of pings to deal with. 

So, how do you solve a problem like Maria?, I mean this whole information security thing when all these machines are going ping, the technology is overwhelming and the hackers are getting into all these websites.  Well, the key thing is not to put another box in your data centre that sends out lots of alerts and tells you that user A is being infected by malware but nothing much is being done about it because they are out of the office, working from home, they are in the middle of a sales deal and you can't bring in the laptop...spend hours looking at the malware and then giving it back to the person. 

There needs to be a blend of understanding what the risk appetite is in terms of how much time energy and effort is spent investing in security....i.e. the strategy.  Once that is ascertained, you need to appoint someone to be in charge of infosec (yes, that's people like me who have a job title of information security manager) and then develop and deliver operational parameters of what kit is used, policies and procedures enforced and the reporting of the information gathered for the auditors/management etc so that they know what their ROI is.  ROI in this case is not the profit of putting these systems but the amount of times that you haven't been hacked...yes the machines that go ping will tell you that when they are setup properly but they need to be articulated in the right format and meaningful. 

That said, this is a lot easier said than done....

More about Nick...contact me

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies whom are looking to improve the cyber resilience and posture in the ever ongoing battle against the emerging and continuing cyber threats.  By taking a detailed and holistic view of client's policy and governance infrastructure entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to client in order that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and deploy the specialist response assets can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'