Cybersecurity & Information Risk Management: The Devil's Dilemma
Security is not about Technology. I’m a big advocate of this statement and share it whenever I possibly can. Why? Because nowadays the security vendor landscape seems to be all about the Holy Grail of “Nextgen 2.0” products, while ignoring one crucial truth.
People make mistakes, all day, every day. Technology can’t prevent people from making mistakes, and it never will! That’s OK! People should make mistakes; it’s what makes them better. Some of the biggest achievements in history originated from mistakes. Take antibiotics as an example: penicillin was discovered on a culture plate that had been contaminated by accident. Without that mistake, many of us would not be alive today.
Many believe that a secure world is the result of having enough policies. But policies aren’t what makes your company safe. The people following them are.
Security is about People.
The Information Risk Management arena is like the Wild West. Malicious attackers won’t obey any written policy and will try whatever they possibly can to bypass and bend the carefully crafted rules. And they will find a way around them, no question about that.
In order to manage security effectively, we must accept that any company will inevitably be compromised and that bad people will gain access to our networks. But when we’re driven by the firm belief that Security is about People, the world can become a safer place to live and work in.
Security Testing Makes a Company Better (I’m Not the Threat, You Are)
During my career as a hacker, I’ve received many different responses from customers. Most of them were happy to have me break their environments in order to learn and improve. But there were occasions when developers were stubborn, reluctant to cooperate, and doing everything in their power to make my task fail.
Why? Fear of failure. We’re naturally inclined to want to succeed and to be the best at everything. It’s a survival instinct: if we fail, we won’t be the best, and we need to be the best in order to survive.
Do we? Maybe in the past, when we were fighting over meat and trying to be the best hunter of the group. But in today’s world, failing is no longer a problem. Fail fast and fail often. At least, that’s what we teach new penetration testers and hackers. If you don’t know how to do something, try. Try again if something doesn’t go as planned. Fail a lot. By failing, we learn. We see what can go wrong and we gain experience. The more experience we have, the more we can prevent mistakes from happening again.
When it comes to security, failing once when working on something new is just fine. Making the same mistake twice makes things tricky. But failing again and then hiding your failure is devastating: an attacker will learn about these failures and use them against you.
It’s much better if I discover security vulnerabilities during an assessment, instead of a malicious attacker finding the loophole and stealing the crown jewels of the company.
Risk Management Won’t Do You No Harm, but Can Hunt You Down When Done Wrong
Estimating risk adequately is important and notoriously difficult. How do you set a realistic risk appetite? How are risks calculated? What happens once an issue is identified and then fixed or mitigated by the teams?
Performing penetration tests or security assessments is great, well done! But how are you handling the results of these tests inside your company? Do you have adequate controls in place to confirm that issues are actually addressed and fixed?
In several past cases, I’ve seen security assessments being performed multiple times a year, with companies spending serious cash on testing. But once the cycle is complete, a new assessment is run on the same environment. If the security specialist is from the same company, and they have a good system in place to track results from previous tests, they will find the same issues appearing in their reports. But nothing is done about them.
These systems should be able to track how long it takes before issues are resolved and, ideally, how many hours of productive time the fix took. These metrics will help you stay on course budget-wise and will tell you how long security issues have been sitting inside your company’s network. That helps you with vulnerability management, patch management, change management, and a variety of compliance statistics.
Having these metrics in place gives you clean, direct benefits and will help you identify the painful weaknesses inside your company.
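As an added illustration (not code from the original post or from any tool mentioned on this page), here is a small tracker that does what the paragraphs above ask for: it fingerprints findings across repeat assessments, flags issues that keep reappearing or that came back after being marked fixed, and computes the open age of each unresolved finding and the median time-to-fix. The assessment records and fix dates are constructed sample data, and the fingerprint rule (same asset, same title) is an assumption; a real tracker would normalise titles or use the scanner's plugin ID.

```python
from datetime import date
from statistics import median

# Constructed sample data, not from the original post: three assessments of
# the same environment (date, findings as (asset, title, severity)) and the
# dates on which a retest confirmed a fix.
ASSESSMENTS = [
    (date(2023, 2, 10), [
        ("web01", "SQL injection in /login", "High"),
        ("web01", "Session cookie without HttpOnly", "Low"),
        ("dc01", "SMB signing not required", "Medium"),
    ]),
    (date(2023, 5, 12), [
        ("web01", "Session cookie without HttpOnly", "Low"),
        ("dc01", "SMB signing not required", "Medium"),
        ("vpn01", "TLS 1.0 still enabled", "Medium"),
    ]),
    (date(2023, 8, 15), [
        ("web01", "SQL injection in /login", "High"),   # back after a "fix"
        ("web01", "Session cookie without HttpOnly", "Low"),
        ("vpn01", "TLS 1.0 still enabled", "Medium"),
    ]),
]
VERIFIED_FIXED = {
    ("web01", "SQL injection in /login"): date(2023, 3, 1),
    ("dc01", "SMB signing not required"): date(2023, 6, 20),
}


def finding_key(asset, title):
    """Assumed fingerprint: same asset and same title means the same issue.
    A real tracker would normalise the title or use the scanner's plugin ID."""
    return (asset, title)


def track(assessments, fixed, today, stale_after_days=90):
    """Recurrence, regression, open age and time-to-fix for a set of reports."""
    first_seen, last_seen, seen_in, severity = {}, {}, {}, {}
    for assessed_on, findings in assessments:
        for asset, title, sev in findings:
            key = finding_key(asset, title)
            first_seen.setdefault(key, assessed_on)
            last_seen[key] = max(last_seen.get(key, assessed_on), assessed_on)
            seen_in[key] = seen_in.get(key, 0) + 1
            severity[key] = sev
    # Reported in more than one assessment: nobody closed the loop.
    recurring = sorted(k for k, n in seen_in.items() if n > 1)
    # Marked fixed, then reported again later: the fix did not hold.
    regressed = sorted(k for k, fixed_on in fixed.items()
                       if k in last_seen and last_seen[k] > fixed_on)
    # Days each never-fixed finding has been sitting in the network.
    open_age = {k: (today - first_seen[k]).days
                for k in first_seen if k not in fixed}
    # Days from first report to verified fix, for the ones that were fixed.
    fix_days = [(fixed[k] - first_seen[k]).days for k in fixed if k in first_seen]
    stale = sorted((severity[k],) + k for k, days in open_age.items()
                   if days > stale_after_days)
    return {
        "recurring": recurring,
        "regressed": regressed,
        "open_age_days": open_age,
        "median_days_to_fix": median(fix_days) if fix_days else None,
        "stale": stale,
    }


def report(today=date(2023, 9, 1)):
    """Metrics for the constructed data as of the given date."""
    return track(ASSESSMENTS, VERIFIED_FIXED, today)


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

The "regressed" list is the one worth watching: a finding that was closed in the tracker and then shows up in a later report means the fix was cosmetic, was reverted by a later change, or was never retested.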
Are you challenging the security specialist on their report, checking that the calculated risks are in line with your network structure? It won’t be the first time that high-risk findings in a report turn out to be less critical once you take the entire network topology into account. But it can also go the other way: you may think you’re at low risk and, without looking at the big picture, find yourself dealing with a total network compromise.
When you are not estimating risk accurately, effort may be spent resolving a problem that isn’t worth resolving, and that costs a lot of time and money. Having a way to identify and score risk adequately is valuable. There are established systems (CVSS, for instance) for calculating the technical risk of an individual finding, but mapping those scores onto a specific company environment is something only the CISO and Risk Management can do properly.
Attackers will Always Get in, They Just Need Time
Even with all the controls, policies, guidelines, procedures, and anything else you can think of in place, there will always be that one loophole, or that one phishing email that slips through. The reason is simple: attackers have no time limit. If they want to break into your company, they will succeed eventually.
Constant security monitoring and a 24/7 detection and response capability within your company’s perimeter are needed to spot an attacker and stop them as quickly as possible. Build your network around the assumption that attackers are already inside. This strengthens your perimeter and makes it more difficult for attackers to pivot and move laterally through your network, limiting the damage they can do.
Performing red team assessments will help you identify the various pathways into your company’s environment. Each time such an assessment is done, your maturity level moves one step closer to resilience.
The goal is to become more secure than your neighbor, as attackers are usually lazy and will go for the easiest target. If they are after you specifically, it will cost them a lot more effort and money to succeed. Their willingness to invest in that challenge depends on the value of your crown jewels. The higher the value, the more they are willing to invest. It’s a normal business model, only less bound by rules and regulations. There is always an investor willing to pay if the return is good enough.
Security is About People
As I said before; malicious attackers don’t care about the procedures or policies you’ve carefully crafted, nor are they scared of the technology stack inside your network. They will find a way around these barriers.
I am a firm believer that security testing is essential within any environment. Test everything: your infrastructure for loopholes, your applications for programming mistakes, and your policies for missed controls with social engineering assessments. These are all vital parts of red teaming.
Every company should have requirements in place to follow up on the outcomes of these assessments. Any identified issue must be addressed so that problems do not linger within the network. Otherwise your company faces an increased security risk, and your security testing was a wasted investment.
Any company will eventually be part of a digital attack, whether it’s directly targeted or just collateral damage. It is not about ‘if’ it will happen, but ‘when’. Attackers have the time, don’t have to obey the law, and will use any available exploit to breach networks. The longer a security hole is present within your company’s perimeter, the bigger the chance that it will be used against you.
Security is not about technology, it’s about People. When we can improve our security mindset, we will be able to make our world more secure. The more we train, learn, and fail, the stronger we all become. Try to stay one step ahead by identifying weaknesses in organizations, with the help of security professionals. That is what matters most!
You can start your security professional journey by watching the ‘Introduction to Penetration Testing’ course that I’ve designed specially for INE. This will kickstart your knowledge with the needed information on how to conduct your first penetration test from start to finish. You can also learn more about how I apply my own knowledge to real-world scenarios with Bluedog Security Monitoring. Knowing what kind of opportunities are available to you will help you focus on the specific direction you want your career to go in.
Tim's expertise is here to help you advance your security skills. Take advantage of his course, today!