
WPA2 / KRACK, and the Coming Storm of Marketing BS!

This is going to be my shortest blog ever, because basically it’s just a warning: IGNORE THE MARKETING BULLSHIT AND THE DOOMSDAY JOURNALISTS!

Every time there is an outbreak of malware, or a new vulnerability exposed, or a protocol deprecated, the marketing departments of every security vendor go into overdrive. Their only goal: to make more money. Not to help, not to provide sound advice so that people don’t make bad decisions based on FUD, and not even because they know what the Hell they’re talking about.

Just money.

And the newspapers do what they do best: create panic with little to no understanding of the subject.

Yes, WPA2 has likely been broken, but because of the integrity of the researcher who discovered it we won’t have any information about it until later today. Which means we currently have no idea of the impact.

Apparently this is the guy you need to be watching: http://www.mathyvanhoef.com/

So here is what I would be doing right now if I were you:

  1. Determine what the impact would be on your organisation if WPA2 were truly broken;
  2. Update EVERY relevant device, as by now most of the bigger manufacturers should have a patch or a workaround;
  3. Tell your entire employee base NOT to panic, but they too should update their home computers (anti-malware etc.), mobile devices and home routers;
  4. Update your incident response plan to cover any issues.

The one thing you should NOT do is be part of the problem! Don’t spread rumours, spread fact, and be part of the SOLUTION! Share this blog if you want, or at least articles like it.

The security industry is rapidly becoming a bunch of used car salesmen; let’s each do our part to get THIS one right.

[If you liked this article, please share! Want more like it, subscribe!]


GDPR: How to Spot the Charlatans

Here we go again. A regulation or standard gets released and suddenly everyone’s an expert, every vendor has a solution or silver-bullet technology, and hundreds upon hundreds of organisations spend a fortune on something they were far better off doing themselves.

It happened with PCI, SoX, and a plethora of other smaller or more region/sector specific regulations, and now it’s happening to GDPR. All because most of us are just too damned lazy to do a little bit of homework to find a real expert.

Or in a lot of cases, too lazy to even read the damned standard! Yes, it’s dull, but it’s not that difficult to decipher to the point where you can ask a few intelligent questions.

But the real problem stems from the fact that most people don’t even know what privacy is. Personally, I am not an expert in privacy, I’m an expert in cybersecurity. If you think those two things are the same, or even very similar, you are already way off the mark. Yes, there is an overlap, but only in so far as a data breach can possibly lead to a loss in privacy.

But that’s the point, it’s only a possibility. Just because someone stole your data, does not mean they’re going to use it against you.

To summarise in a very general way:

Security = Preventing unauthorised ACCESS to your data;

Privacy = Preventing unauthorised USE of your data.

It’s because this distinction is universally misunderstood that cybersecurity vendors are often the first ones organisations turn to. However, instead of steering these poor deluded fools in the RIGHT direction, vendors sell them what they asked for. What they got, and are still getting, is a fraction of what’s required. 3.34% to be exact.

I’m not saying a security expert cannot be a privacy expert as well. I’m also not saying that every vendor lacks integrity. But I am saying you’re the one to blame if you end up with a muppet.

So How DO You Spot the Charlatans?

Actually it’s rather easy: they use phrases like:

  • Avoid hefty fines by ensuring you’re GDPR compliant!;
  • Time is running out, save your business!;
  • Ask our security experts how to [enter rest of lie here];
  • They claim that ISO 27001 can cover the entirety of the regulation;
  • Any combination of words that includes “GDPR compliance” or “GDPR certification”;
  • Any sales pitch or article that leads with possible fines (unless it’s to put down those that try).

…or they are:

  • Regular cybersecurity vendors;
  • Any vendor selling ‘GDPR software’;
  • A recent Certified General Data Protection Regulation (GDPR) Practitioner (and has no other privacy experience);
  • Anyone with CISSP, CISA, CISM, CRISC etc. emblazoned on their LinkedIn profiles (and has no other privacy experience);
  • NOT A PRIVACY EXPERT!

Finding a real expert is not that difficult; you just have to look for people who have been doing privacy stuff for a long time. These people do not HAVE to be privacy lawyers, but it certainly helps. And while there will be whole swarms of scum-bag lawyers chasing the GDPR ambulance, there are a lot of good ones anxious to help.

On the positive side, look for things like this instead. These were bullet points taken from a free seminar that I have actually signed up for:

  • Understand the implications of the GDPR on your business-critical processes;
  • Learn how to prepare for the implementation of the GDPR;
  • Gain invaluable instruction and insight on the regulation and how to comply;
  • Discover the security solutions that can help to mitigate risks and assist in meeting your security obligations under the GDPR

This is the kind of education I can get behind. I really hope it’s not a well disguised sales pitch…



To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet’ / end-point protection technologies – when security is primarily concerned with people and process;
  2. Security organisations using either F.U.D or regulatory compliance to make money without providing real benefit – with GDPR for example; and
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of 3.:

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security related qualifications on her LinkedIn profile. As if certifications or even a degree were accurate representations of either a person’s skill-set or their competence. I have no security relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once, security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed, though, that the people who are most critical and vitriolic tend to be mid-level nobodies who will likely never make it to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate, decent people won’t hate them for it? That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity: the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.



Cybersecurity is Difficult Enough, Don’t Complicate it as Well!

I think enough people are clawing over the Equifax carcass, so I’m just going to rant about how wonderfully simple security is instead.

Actually, it’s REALLY simple, or I would not be doing it! I’m lazy, and nowhere near smart enough to do something complicated. Therefore cybersecurity consultant is the perfect fit, because it’s almost entirely common sense, and it’s not me who has to do the work! 🙂

Not only that, the things that you should be doing to secure your business have been written down for generations. Literally. So anyone who still thinks it’s complicated is not asking the right people the right questions, and anyone who says it’s complicated is probably extorting their clients by making it so.

Take GDPR for example. >96% of the GDPR is related to security of processing (basically privacy), and NOT the security of the data itself. Yet the number of security companies crawling out from under their rocks to capitalise on it increases daily. Anyone who knows the first thing about security would not be fooled by these charlatans. Cybersecurity does NOT equal privacy, which IS complicated.

So here’s the real problem: If the cybersecurity industry was doing its job, it would be SIMPLIFYING things for everyone, not making them worse! Muddying the waters just to make a few extra quid is utterly reprehensible. But the fact that organisations are ALLOWING them to do this is just plain laziness. The answers are out there.

All that said, making security simple is actually very difficult, and only good consultants have this ability. This is the same in every profession and the sign of true mastery.

Rule of thumb: If you talk to a cybersecurity consultant and afterwards you have no idea how what they do benefits your business, they are the wrong fit for you.

Besides, the only reason you are talking to a consultant in the first place is because there is some business driver (regulatory compliance, contractual obligation etc.), so you’d better know how the deliverables are going to meet the objective. Frankly, if you are not a security practitioner yourself, I can pretty much guarantee you’re asking the wrong questions.

Crap analogy: when you go to the doctor, do you:

  1. Tell them exactly what’s wrong with you and what they should be doing to fix it; or
  2. Tell them you don’t feel well and where it hurts?

I assume you chose 2., but if the doctor then prescribed leeches, would you seek a second opinion? Of course you would, and then you’d find someone whose solution to your illness made sense, right? Someone who explained things to you, someone who told you what to expect (the good and the bad), someone who made sense. Right?

So why would you hire a cybersecurity person who can’t explain, simply, what you need and why you need it? Especially when 9 times out of 10 what they are proposing is likely not what you actually asked for? E.g. you asked a consultant to make you PCI compliant when what you should have asked for is a security program that covers the PCI requirements. Very different beasties.

In 4 years running my own consulting practice I have turned down several contracts because I knew they would go pear-shaped. In each of these cases I explained what it is that I do and what the long-term benefits would be. But in each case it was clear the prospect had absolutely no idea what I was talking about. Sometimes simple just doesn’t sell, but it’s the only way I will do business.

I’ve just re-read this blog and I’ve completely failed to make my point. Oh well, I’m off to the pub…



To Whom Should the CISO Report?

I actually feel kinda silly writing this blog because the answer to the subject question seems so obvious. But even among seasoned cybersecurity professionals, the question on the CISO’s reporting structure has taken on a life of its own. I cannot imagine a more pointless debate.

But, for the sake of argument – and to keep this blog short – let’s assume there are only 2 types of ‘reporting’:

  1. To a direct line manager (Administrative Reporting); and
  2. To the recipients of the CISO’s functional output (Functional Reporting).

The most appropriate example for this – due to its many similarities – is Internal Audit (IA). I’ve never seen these folks administratively report to a manager who is not either the Chief Financial Officer (CFO) or the Chief Legal Officer (CLO)/General Counsel (GC). Nor would I ever expect to, as what they do is so well established that no-one questions their hierarchy.

Why is cybersecurity more complicated?

The very concept of IA dictates that their administrative management cannot influence their output in any way. I believe such conflict of interest actually goes against some regulations/legislations. Not only must they have this complete autonomy in the creation of their output, they must have total immunity from any backlash related to its content. Especially from their direct line managers, in whose hands the auditor’s career rests.

Same for the CISO.

For IA, the recipients of the functional output just happen to be their protectors as well: the Board of Directors (or CEO if the BoD does not exist). This ‘dotted-line’ reporting structure allows the auditors to report the whole truth to the ultimate decision makers without fear of retribution.

Same for the CISO.

So why is the CISO role so different? Does it really matter to whom they report administratively as long as they have both access to, and the protection of, the BoD? Just like IA, the only thing a CISO should have to worry about is their own ability/competence to perform the function. And if, as I HIGHLY recommend, you make the CISO role a Board appointment (or don’t bother having one), both the BoD and CISO are fully aware of each other’s responsibilities in this regard.

So if you accept that it’s really only the BoD dotted-line that matters, to whom should the CISO report administratively to help avoid the inevitable politics?

Common CISO Administrative Reporting Structures

  1. Direct to the CEO – This is the ideal of course, as you can usually assume that to have this hands-on approach the CEO takes security seriously. Seriously enough anyway. That said, in this configuration the BoD must take a more active role in order to ensure full CISO independence.
  2. To the CSO – A true CSO will generally have more than just data security as their remit, but CISO and CSO are very often used interchangeably. So depending on what the CSO actually does, this can be a good fit if s/he does not interfere with the CISO’s access to the BoD.
  3. To the CTO – To me this is almost the definition of conflict of interest; this never works even if the BoD dotted-line is in full effect.
  4. Any other member of the C-Level – At this point, the duties of the CISO are so far removed from the knowledge/skill-set of their manager that it almost doesn’t matter which one you choose. This will be ‘administrative-only’ reporting to the nth degree. But as long as the CISO’s relationship with the BoD is healthy, this should not detract from the CISO’s ability to get the job done.
  5. Below C-Level – If the CISO role is more than 2 layers beneath the CEO, don’t bother having one; it’s clear neither the CEO nor the BoD gives a damn.

Frankly, the CISO’s reporting structure is irrelevant if you haven’t chosen the right CISO for the right reasons. And AS a CISO, if you had no input to your reporting structure why did you take the job in the first place?

I am reminded of the eternal classic “The Hitchhiker’s Guide to the Galaxy” by Douglas Adams:

“Forty-two!” yelled Loonquawl. “Is that all you’ve got to show for seven and a half million years’ work?”

“I checked it very thoroughly,” said the computer, “and that quite definitely is the answer. I think the problem, to be quite honest with you, is that you’ve never actually known what the question is.”

Don’t be Loonquawl.
