
GDPR: How to Spot the Charlatans

Here we go again. A regulation or standard gets released and suddenly everyone’s an expert, every vendor has a solution or silver-bullet technology, and hundreds upon hundreds of organisations spend a fortune on something they were far better off doing themselves.

It happened with PCI, SoX, and a plethora of other smaller or more region- or sector-specific regulations, and now it’s happening to GDPR. All because most of us are just too damned lazy to do a little bit of homework to find a real expert.

Or in a lot of cases, too lazy to even read the damned standard! Yes, it’s dull, but it’s not that difficult to decipher to the point where you can ask a few intelligent questions.

But the real problem stems from the fact that most people don’t even know what privacy is. Personally, I am not an expert in privacy, I’m an expert in cybersecurity. If you think those two things are the same, or even very similar, you are already way off the mark. Yes, there is an overlap, but only in so far as a data breach can possibly lead to a loss in privacy.

But that’s the point, it’s only a possibility. Just because someone stole your data, does not mean they’re going to use it against you.

To summarise in a very general way:

Security = Preventing unauthorised ACCESS to your data;

Privacy = Preventing unauthorised USE of your data.

It’s because this distinction is universally misunderstood that cybersecurity vendors are often the first ones organisations turn to. However, instead of steering these poor deluded fools in the RIGHT direction, vendors sell them what they asked for. What they got, and are still getting, is a fraction of what’s required. 3.34% to be exact.

I’m not saying a security expert cannot be a privacy expert as well. I’m also not saying that every vendor lacks integrity. But I am saying you’re the one to blame if you end up with a muppet.

So How DO You Spot the Charlatans?

Actually, it’s rather easy: they use phrases like:

  • Avoid hefty fines by ensuring you’re GDPR compliant!;
  • Time is running out, save your business!;
  • Ask our security experts how to [enter rest of lie here];
  • They claim that ISO 27001 can cover the entirety of the regulation;
  • Any combination of words that includes “GDPR compliance” or “GDPR certification”;
  • Any sales pitch or article that leads with possible fines (unless it’s to put down those that try).

…or they are:

  • Regular cybersecurity vendors;
  • Any vendor selling ‘GDPR software’;
  • A recent Certified General Data Protection Regulation (GDPR) Practitioner (and has no other privacy experience);
  • Anyone with CISSP, CISA, CISM, CRISC etc. emblazoned on their LinkedIn profiles (and has no other privacy experience);
  • NOT A PRIVACY EXPERT!

Finding a real expert is not that difficult; you just have to look for people who have been doing privacy stuff for a long time. These people do not HAVE to be privacy lawyers, but it certainly helps. And while there will be whole swarms of scum-bag lawyers chasing the GDPR ambulance, there are a lot of good ones anxious to help.

On the positive side, look for things like this instead. These were bullet points taken from a free seminar that I have actually signed up for:

  • Understand the implications of the GDPR on your business-critical processes;
  • Learn how to prepare for the implementation of the GDPR;
  • Gain invaluable instruction and insight on the regulation and how to comply;
  • Discover the security solutions that can help to mitigate risks and assist in meeting your security obligations under the GDPR

This is the kind of education I can get behind. I really hope it’s not a well-disguised sales pitch…

[If you liked this article, please share! Want more like it, subscribe!]


Froud on Fraud’s Top 10 Cybersecurity Technologies to Implement in 2017

In direct response to a certain organisation’s ‘Top 10 Cyber Security Technologies to Watch in 2017’, [cough, Gartner, cough], I have come up with my own list of bleeding edge security technologies that every organisation should spend millions of $/£/€/¥ on.

Yes, even if you don’t MAKE millions, you should borrow the money and buy them anyway.

Being honest, my fight to bring security ‘back to basics’ has failed – despite my enormous 210 person following – so I have decided to sell out and promote nothing except buzz-phrases and acronyms. You know, like everyone else.

However, I am convinced that if you buy, implement, and actually take these technologies seriously, you can forget the security basics. The combination of these 10, never-seen-before, shiny new objects will provide the silver bullet you’re looking for:

  1. Directorate Approbation Paradigm (DAP) – Historically, achieving ‘management buy-in’ was the ultimate goal for anyone attempting to implement a security program. Quite rightly, caring about the future of an organisation was considered naive, and proponents of this stone-age technology were left begging for work on LinkedIn. Some of these poor souls even became CISOs. Now, with DAP technology, every single person in an organisation will take security seriously, even if their bosses don’t!
  2. Command & Control Commission (CCC) – While not strictly a technology, the CCC is responsible for taking the output from the EIC below, combining it with the DAP above and obtaining the budget to buy everything else on this list. This is the spider in the middle of the web, making sure that all technologies work together. Called ‘governance’ in the old days, the new CCC is clearly superior given that you’ve never heard of it, and it’s an acronym.
  3. Protocol, Method, & Archetype Orchestrator (PMAO) – Much as leeches were seen as the go-to technology in medieval medicine, ‘policies, procedures and standards’ were seen as a foundation for every security program. While clearly nothing more than a quaint superstition, they nevertheless laid the groundwork for the PMAO revolution. Imagine it: a series of artefacts designed to record not only an organisation’s entire security culture, but their process knowledge and system baselines as well! No way just policies, procedures and standards could do all of that!
  4. Exposure Investigation & Computation (EIC) – I almost feel sorry for the poor saps who only had the ‘risk assessment’ process to measure their risk profile. Can you imagine basing your risk treatment and technology purchasing decisions only on expert opinion and business goals!? Instead, EIC, in combination with AI, big data, The Cloud, and fairy dust, can tell you exactly how many millions to spend on technology! No more embarrassing moments when you try to explain to your boss how you tried to save them money by fixing the actual problem! Like people and process could ever be the problem!
  5. Intelligence Preservation Administration Schema (IPAS) – Can you imagine the nerve of the International Standards Organisation when they came up with the Information Security Management System (ISMS)? A so-called ‘framework’ designed for “systematically managing an organization’s sensitive data” with – and you won’t believe this – “a set of policies and procedures”! How naive! Instead, with IPAS, you can basically ignore the hard work and common sense approach to doing security properly and hide behind an expensive appliance with flashing green lights! Blinking green, you know it’s working!
  6. Transformation Regulation Authority (TAR) – Before the advent of TAR technology, organisations across the globe relied on a ‘change control board’ to ensure that unmeasured risk was not introduced into an environment. Ah yes, once again, actual humans – apparently those with ‘expert’ knowledge – were allowed to determine what was right for the business. A clearer case could not be made to put this in the safe ‘hands’ of technology written by someone else.
  7. Episode Reply & Adversity Restoration (ERAR) – We’ve all seen those commercials from the 50s where attractive actors extolled the virtues of smoking? Well, ‘incident response & disaster recovery’ were just as misleading, and just as dangerous! Like anything involving people and process could possibly help you stay in business! ERAR, on the other hand, will not only detect bad things happening, it will keep your business up and running! Surely THAT’S worth a few million all by itself!!
  8. Capital Durability Projection (CDP) – The future of any organisation should never be placed in the hands of those who care. The experiment called corporate social responsibility failed because it was assumed that it’s the people who are the most important aspect of a business. At least now we know it’s money that’s most important, so the old concept of ‘business continuity planning’ can be replaced by EDC and those making the world better with technology. Finally, the people can be safely ignored.
  9. Asset Management (AM) – This is one aspect of security where technology is actually sadly lacking. Asset management is the centre of everything, and without it, no other aspect can truly be done well. Spreadsheets just don’t cut it, and no GRC that I’ve seen gives asset management its due. This must change, even in The Cloud.
  10. Continuous Compliance Validation (CCV) – This is an idea whose time has come, it’s about time technology provides a REAL solution to overly manual processes.

All facetiousness aside, I am a huge fan of technology. Or more accurately, I am a huge fan of the appropriate application of technology. If you buy something based on anything other than 1) the results of your risk assessment, and 2) answers to the RIGHT questions, you have no business being in charge of a budget.



Without 3rd Party Security ‘Vendor Brokers’, AWS and Azure May Not Be For You

…at least for PCI anyway. It’s just too damned difficult to get all the security wrappers PCI requires without Vendor Brokers.

Cybersecurity has now been made too complex – by security vendors – to be able to mix-and-match with individual vendors from the AWS/Azure marketplaces. I don’t know of any single vendor who can cover even a majority of the PCI requirements related to platforms, i.e.:

  1. Firewall Management;
  2. Configuration Standard(s);
  3. Anti-Virus;
  4. Vulnerability Management;
  5. Patching;
  6. Access Control;
  7. Authentication Mechanism(s);
  8. Logging & Monitoring;
  9. Web Application Firewall; and
  10. File Integrity Monitoring

There are many reasons for this, one of which is that ever since security became a multi-billion £/$/€ a year industry, hundreds of companies have started up to try to bring us the ‘silver bullet’ appliances. Not only do silver bullets not exist in cybersecurity – and you should be shot for using the phrase in any way that’s non-derogatory – but where are the overwhelming majority of those companies now?

They either failed, or have been ‘collected’ by larger companies who have tried to duct-tape the disparate products into silver-bullet solutions.

Which have also failed.

It’s not that the original products didn’t work, some of them actually did, it’s that:

  1. Organisations threw technology at business problems without knowing why they were doing it;
  2. The big companies that collected the smaller ones tried to integrate the individual products together under one GUI, instead of unifying the functionality under a single code base; and
  3. There has never been, and there never will be, a one-size-fits-all solution to security.

But the market is still ripe for innovation, and there will continue to be companies starting up with the goal of bringing a single product to market that will catch the latest security hype/wave/buzz and make them their fortunes (UEBA for example). They may even succeed, but only if they make their impact in the first year or two, otherwise the market will have moved on.

And if they’re VERY lucky, the larger companies will be naive / ignorant enough to buy them and save them the trouble.

Don’t get me wrong, I am not against combining single products into a larger solution. In fact it’s the only way to go, but only if it’s done correctly. Single product companies have 100% focus, which gives them drive, short-term goals, and a dedication to making their one product the best. The second you absorb that company, however, every one of those attributes that put them on (or near) the top is lost in the larger mix. The functionality is diluted, innovation ceases, and the whole thing quickly becomes obsolete.

True integration of functionality can only be accomplished with a single code base, and a single platform, which means that any organisation that absorbed the smaller companies had better have a plan in mind not only to migrate the applications over to their growing solution, but also to consider all of the clients who bought the product prior to the M&A. These guys often suffer from a total lack of customer service and support, and there’s no way they’ll buy into the larger program.

In my experience, the due diligence necessary to combine product companies is not overly abundant, and until it is, we should all be VERY careful when we look to resolve our security issues with multi-function solutions.

I call these Vendor Brokers ‘collage companies’, as the picture might be pretty, but it’s in no way whole.

Here are a few questions you might want to ask your potential providers:

  1. Can your solution replace some / most of my current functionality?
  2. Do you provide a consultancy ‘wrapper’ around these solutions to help us manage them against our business goals?
  3. Will the output from your solution feed into my current collection mechanism, or can my current output feed into yours?
  4. Are the various aspects / functions of your solution ‘home grown’, or obtained through acquisition?  If acquisition, how have you unified the back end code and platforms?
  5. How do you ensure that the different functions of the solution receive a similar attention to what the single product vendors provide?
  6. Do you have a single customer support process to handle all functionality questions?

Regardless of the shenanigans going on in the security product market, your choice of Vendor Broker should only be driven by what your risk assessment and gap analysis said you need, and your due diligence should cover any requirements you may have regarding integration and ongoing maintenance.

If it doesn’t, don’t expect Vendor Brokers to help, they have enough problems keeping their own houses in order.



GDPR and Cybersecurity, a Very Limited Partnership

If a security vendor has ever told you that the GDPR is imposing fines of up to 4% of annual global revenue for data breaches, they are either:

  1. ignorant of the standard; and/or
  2. lying to you.

Being generous, they may not actually know they are lying; the General Data Protection Regulation (GDPR) isn’t exactly easy to decipher, but even a cursory review tells a rather obvious story. I will attempt to address the following assumptions in the course of this blog:

  1. The GDPR is >95% related to enforcing the RIGHT to privacy, not the LOSS of privacy through data breach;
  2. The maximum fines for ANY organisation are 2% of ‘annual turnover’ for even the most egregious loss of data through breach, not 4%; and
  3. Fines are entirely discretionary, and an appropriate security program will significantly reduce any fines levied.

Wait, there are 2 types of privacy!?

Ask a lawyer in the EU what privacy is and s/he’ll likely quote Article 12 of the Universal Declaration of Human Rights: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

From a GDPR perspective, this equates to two of its three fundamental aspects. Grossly simplified these are:

  1. Explicit consent; and
  2. Legitimacy of processing.

In other words, the vast majority of the GDPR is concerned with obtaining explicit consent for the personal data collected, and then ONLY using that data for legitimate purposes in line with the consent received.

Even when GDPR refers to ‘security’, it is more concerned with these two fundamentals than it is with security of the data itself. That is what they mean by “security of processing”.

However, from a cybersecurity professional’s perspective – and the third fundamental aspect of the GDPR – privacy also involves loss, i.e. the data was stolen during a breach, or somehow manipulated towards nefarious ends. This is a very important part of the GDPR, Hell, it’s a very important part of being in business, but it should never be used to sell you something you don’t need.

Maximum fines?

Of the 778 numbered or lettered lines of text in the GDPR Articles section, there are only 26 that relate directly to data security (or 3.34%). These are contained within Articles 5, 25, 32, 33 and 34.

Per Article 83(4)(a) (a.k.a. ‘2% fines’) – “(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;”

While Article 5 is contained within Article 83(5)(a) (a.k.a. ‘4% fines’), all but one line refers to security of processing, not the security of the data.

So, if it can be assumed that the maximum fine for ANY data breach, no matter how egregious, is 2% of the annual revenue from the previous year (in the case of an undertaking), then that 2% is what the EU considers the maximum for a fine to qualify as “effective, proportionate and dissuasive” (per Article 83(1)). Therefore, a fine of €10,000,000 would be reserved for any organisation with revenue over €500,000,000 annually. Fines are never there to put you OUT of business!

It must follow that if 2% is the maximum, then fines will go down the less egregious your offence. Everything you need to determine the level of ‘egregiousness’ is contained in the 11 lines of Article 83(2)(a) – (k). Words like ‘intentional’, ‘negligent’, ‘degree’, and ‘manner’ are bandied around, all of which can be answered by you.

In this spreadsheet, I have taken a stab at adding specific questions to each of the (a) – (k) line items. Answer them all truthfully and you’ll get an indication of what I consider to be an appropriate fine based on your annual revenue: GDPR Fine Worksheet. Caveat: I am NOT a lawyer, and this is based entirely on my own experience, not anything resembling known fact.

Finally, bear in mind that as per Article 58(2), there are many ‘corrective powers’ that a supervisory authority can resort to long before levying a fine, including simple warnings (Article 58(2)(a)). Fines should be considered as a worst case scenario in their own right, let alone the amount.

Appropriate security program?

There is no such thing as 100% security, so if you can demonstrate that your security program is appropriate to the levels of risk, fines should be the least of your problems. As long as you have everything from senior leadership buy-in, to incident response, to disaster recovery and breach notification – you know, the basics! – it is not a foregone conclusion that fines will even be considered.

Go here for more on what a security program should look like: What is a Security Program?

In conclusion…

In the UK, if you are an organisation that processes personal data and you were already a) complying with the Data Protection Act (DPA), and b) doing security properly, GDPR compliance would require only relatively minor adjustments. For those that weren’t, you have a lot of work to do before the supervisory authority has the powers that the GDPR brings to bear, and not much time to do it in (May 25, 2018).

That said, don’t do anything for compliance alone. Do it for the business, do it properly, and compliance will fall out the back end. So while it is reprehensible that security vendors are trying to exploit the GDPR for profit, if you fall for it, it’s entirely your fault.

By the way, if you’re a business that is predominantly centered around the processing of personal data, Article 58(2)(f) – “to impose a temporary or definitive limitation including a ban on processing;” – can take you offline indefinitely. And yes, you can be fined on top of that.

I hate to say it, but don’t do anything until you’ve spoken to a lawyer.



Are ‘Virtual CISOs’ a Good Idea?

Type “virtual CISO” into Google and you’ll get ~240,000 hits, with the top 10 being mostly vendors who offer this as a service. I have no doubt much of the remaining pages are the same.

In other words, just about every security vendor out there is seeing a need, and they want to be the ones to fill it. As a corollary, if organisations weren’t crying out for the service, no-one would be offering it.

I am no different, in that I too see a massive gap in senior leadership security expertise that no one in-house can fill. Due to price constraints, it is quite often inappropriate to fill such a senior and specialised role on a full-time basis. Where I differ is the length and function of the v-CISO, as I cannot see how an indefinite ‘outsourcing’ is in my client’s best interest.

Let’s face it, once you outsource the function of something, it is a very small step to try and outsource the responsibility for it too. And finally, if you got away with that, an attempt at shirking the accountability is never far behind. This is where both organisations asking for help, and v-CISOs alike, make their biggest mistake.

The v-CISO should never be a long-term proposition, which is why I call my service an ‘Interim Security Chief’. While this may seem like semantics, it’s the difference between doing the work for you, and enabling you to do it for yourselves.

First and foremost, a v-CISO should be a teacher and a mentor, not [necessarily] a ‘doer’. Yes, they can design big-picture processes, from secure architecture to governance charters, but they had better not be expected to own them. A good v-CISO is nothing more than a consultant at the senior management level, and any deliverables must be sustainable long after they have moved on.

That said, I see nothing wrong with a v-CISO remaining part of ‘steering committees’, providing ongoing security awareness training, or even taking part in incident response testing. But, once the CISO functions have been absorbed internally, the v-CISO becomes part of the cycle for continuous improvement only. They stay around to provide strategic input on industry trends and the changing threat landscape, they don’t dictate the enterprise goals.

What You Should Expect From a v-CISO

These are the three main things you should expect from a v-CISO; take particular note of the transience of each deliverable.

  1. Governance Charter Development – There is no security program without Governance, and there is no better platform onto which the v-CISO can pass on their operational function. This committee can in fact replace the v-CISO in due course, but may bring them back in as a trusted advisor or SME. The members of the governance committee will share the CISO function amongst themselves based on individual capability, and their meetings will bring it all together.
  2. Policies & Security Awareness Training – Along with governance, policies are intrinsic to a security program, and along with the formation of that committee, represent the most important part of a v-CISO’s role. Unless the policies are in place, and all employees appropriately trained, nothing else they try to do will work effectively.
  3. Process Development – Security programs consist of a number of critical processes, all of which must be developed, tested, tested again, and take their place in the never-ending cycle of improvement and business as usual. These are the big ones:
    • Risk Management – Includes the enterprise-wide risk assessment and risk treatment procedures.
    • Vulnerability Management – Keeping up with the threat landscape.
    • Vendor Due Diligence & RFPs – Significant aspects of the security program will likely be outsourced to skilled providers, so the right questions must be asked.
    • Event Management & Incident Response – Bringing all the controls together into a business saving process.
    • Disaster Recovery & Business Continuity – What to do if everything goes completely pear-shaped.

Anything else the v-CISO does will depend on the organisation’s needs and the v-CISO’s skill-set.

But what about Strategic Advice, Board Level Interface, Regulatory Compliance Lead and a whole host of other fancy names / clichés? Yes, these are all important, but are utterly meaningless until the basics are in place.

Any security program put in place by a v-CISO must be in-line with the business’s goals, appropriate to their needs, and sustainable in their absence. So if you’re on the market for a v-CISO, you had better know what you need, or you’ll get what a salesperson thinks you asked for.
