Monday 20 July 2015

Breach Fatigue #ITSecurity #vulnerability

Nick Prescot

We welcome Nick Prescot, Infomation Security Manager at ZeroDayLab as our first new blog contributor.

 by Nick Prescot.

To those out there that have missed my blogs since January, fear not, I have been in a job transition and so busy with the new job that it has only recently become apparent that there was some point in continuing the blog as the marketing manager pushed me to get it going again!  So that’s enough about me and I hope to continue in my observations and musings about infosecurity.

There’s one thing that hasn’t changed over the last 6 months and that’s the continuum of breach notifications that has been hammering us on a daily basis.  On the back of the heartbleed and poodle bug that got everyone in the industry very excited, there seems to be a chase for the next big ‘bug’ that will get every infosec manager in the land the magic 15 mins of attention where they can remind everyone the importance of security and once it’s fixed, wait for the next one.

Having been the internal infosec manager for a while, and now on the other side of the fence where I’m being the consultant in this space, one does start to wonder about the impact that information security has in many of today’s businesses.  Every company has a different risk/threat picture, so just because you can’t have a scenario where email is down for more than 3 mins, or your payment gateway requires 99.99999%, it doesn’t mean that robust and resilient systems should take second precedence over availability and usability.

The infosec world seems to be chasing the next immediate action to the next zero-day vulnerability so that the SOC can prove themselves that they can react, respond, eradicate and contain any ‘bad’ that comes into their network and system…and then brag about it!

So, before I see another vulnerability that comes across my twitter feed, it’s always worth a look at how the airline industry and the car industry share their safety vulnerabilities that come into play…they are not hiding it but they are openly sharing information.  The infosec world could and should a lot better in this respect.  There are many aspects where CERT releases threats that are in the open…but the reality is that when I’m onsite and you are looking for patches and change management in response to the threat, quite often it’s not there because it’s too scary/painful/bureaucratic to deal with.

Therefore, there is a big gap in the culture between many of the teams, departments, divisions and corporations against the modus operandi of the safety-focused culture of the airline and the car industry. To give a classic example, the Euro NCAP rating is used as a tool to help the wider public know if their cars are safe; there are similar measures such as the CSA STAR alliance program that gives hosting providers that similar level of assurance to the wider public about their security posture which goes some way towards this but is unfortunately not widely adopted.

Going back then to the concept of breach fatigue.  We know that cars (and not so much, planes) crash or have faults the whole time, but we also learn from and adopt the safety improvements made to ensure that the future risks are kept to a minimum.  However, the same cannot be wholly said for the retail/commercial sector, for example.  When we shop online it’s sometimes hard to find the part on the website that shows that it’s secure.  We all assume that online banking is safe, but we are doing this on a basis of the fact that many online banking websites force us to use 2-factor authentication….but how many people check that the page is on HTTPS with a valid 3rd party signed certificate?

So, when you’re next reading the news about the latest vulnerability that affects Adobe Flash and Skype, think of the basics that stem from the security standards and apply them!  Whether you’re an infosec manager or a silver surfer…a lot of these breaches can be mitigated against;
     1) Make sure that your anti-virus is kept up-to-date (ok, people with an Apple Mac might scoff at this!)
     2) Update your laptop and phone ASAP.  Yes, that little number on settings on the iphone, there might be an update…it might be there to change things but it’s also there to download the latest security updates.
     3) If you use a browser, check for the extensions that you are using (especially Chrome).  Same goes for internet explorer toolbars.
     4) Check the padlock on HTTPS websites….and that it’s not a self-signed cert; especially when using online payments.
     5)  Use verified tools that scan your computer for unknown applications…Whilst they might not be malicious; if you don’t need ‘em..delete ‘em

Now, instead of looking like a puzzled minion when you do get breached, because you don’t know what to do or how to react, the above are some simple steps.  You wouldn’t buy a car without brakes or airbags on the open road, so why would one ignore the above?  This is for personal use, but if there is a bigger security problem you’re grappling with…er…ahem…this is what I do for a living so do contact me if there’s a bigger issue!

More about Nick...

'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab.  Nick aims to assist companies whom are looking to improve the cyber resilience and posture in the ever ongoing battle against the emerging and continuing cyber threats.  By taking a detailed and holistic view of client's policy and governance infrastructure entwined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to client in order that their infosec operations and processes are aligned to industry practice.

Nick is also a seasoned incident response manager and when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and deploy the specialist response assets can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'

No comments:

Post a Comment