The CEO Cybersecurity Challenge

It is with thanks to Chad Loder that I write this blog. His post on LinkedIn made me laugh out loud and is what inspired me to propose the CEO Cybersecurity Challenge (#ceocybersecuritychallenge). The very simple post was:

From: Security Team
To: All Employees
Subject: Security Awareness Training

To opt out of this year’s security training, click here.

Security experts will instantly see the simple genius of this social engineering tactic. In just 10 words you get:

Continue reading
Information Security Policies

Why Information Security Policies are Pointless

The title should be; Why YOUR Information Security Policies (ISP) are Pointless, but I figured this title was far more contentious/click-worthy.

If you’ve come this far, you’re in one of two groups:

  1. You’re horrified at my ignorance and want to rip me a new one (good for you by the way); or
  2. You’re thinking the equivalent of “I knew it!”, in which case you need this more than anyone.

When I say that your ISPs are pointless, it’s because in all likelihood they are. Assuming you even have a policy set (policies, standards and procedures), ~20 years of consulting experience has shown that they invariably:

  1. are not sponsored/supported/signed-off by the highest levels within and organisation – does anyone really care about something their bosses don’t visibly to care about?;
  2. are not managed by a governance function to ensure adherence to business goals / regulatory compliance / corporate responsibility etc – who else is going to do this? The CEO? A CXO by him/herself?;
  3. include no overarching framework policy that 1) spells out a commitment to security, 2) breaks down the responsibilities for everyone from the CEO to the interns, or 3) details the consequences for non-conformance – how well do buildings stand up without foundations?;
  4. are generic templates with zero attempt to fit them to the prevailing culture – sometimes the phrase “That’s not how we do things here!” is perfectly acceptable;
  5. are non-aspirational – it’s actually a good practice to set your policies above your current security capability, IF you have a comprehensive exception/variance process linked to a risk register / risk treatment plan as part of the framework;
  6. are not DIRECTLY linked to robust risk management processes to ensure full policy coverage and continuing suitability to the business – how do you know they’re right?, now and in the event of significant change?;
  7. are not part of an [annual] internal audit process to measure adherence – few companies even have an internal audit function, let alone one capable of assessing IT/IS policies;
  8. are not part of employee on-boarding and ongoing security awareness training programs – every role should have relevant policies assigned to it, and appropriate training should be continuous;
  9. are not maintained appropriately/consistently – you don’t need a librarian to do document management well, you just have to be organised; and
  10. are not distributed or made available to everyone whom they impact – “Policies, what policies?”

Bottom line is that I have never seen a policy set done well, and it’s not a coincidence that I’ve never seen security done well either. These two things go hand-in-hand and you absolutely cannot have one without the other.

Yes a decent policy set is ‘paperwork’, yes it’s bloody difficult and time consuming, and no, it’s not even remotely sexy, but don’t bother trying to get a security program in place without them. Seriously, don’t even bother, because it will fail.

Lego don’t send out a 4,000+ piece Death Star set without detailed build instructions, and that’s exactly what your policies, standards and procedures are; instructions on how to do security appropriately within your organisation.

So why don’t all security folks take this more seriously? Two main reasons; 1) they are so focused on technology that the processes fall to the wayside, and 2) they have tried over and over and finally gave up, electing to do what they can, knowing full well it will never be enough.

Sad, huh?

Security is about People, Process and Technology, in that order, because without a policy set you will have:

  • no understanding of the technology[ies] you will need – risk assessment;
  • no processes to run the technology properly – procedures;
  • no way to sustain the technologies moving forward – vulnerability management;
  • no understanding of what to do with technology output – incident response;
  • no-one who could perform the incident response even if you did – security awareness training.

A decent set of information security policies ties all of this together into a sustainable program, and if you still don’t think they are that important, you are simply not paying attention.

[If you liked this article, please share! Want more like it, subscribe!]

Technical and Organisational Measures

GDPR: Reporting Your “Technical and Organisational Security Measures”

You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.

Almost.

Continue reading

OWASP Top 10 2017: Logging & Monitoring Makes the Hall of Shame


Fact #1: There is no effective incident response without logging and monitoring;

Fact #2: There is no effective disaster recovery without incident response; and

Fact #3: There is no effective business continuity without disaster recovery.

Therefore logging and monitoring should be a fundamental aspect of every security program, regardless of organisation size. So why is it performed so universally poorly? Don’t organisations want to stay in business?!

It’s not like EVERY STANDARD ON THE PLANET has it as a prerequisite! Well, except for these obscure ones:

  • ISO 27001 – A.12.4 Logging and monitoring
  • COBIT – F.10 Monitoring and Alert Services for Security-related Events
  • NIST – Anomalies and Events (DE.AE)
  • PCI DSS – Requirement 10: Track and monitor all access to network resources and cardholder data
  • …and so on

So you can imagine my surprise and delight when OWASP – more commonly known for coding vulnerabilities – singled this out as one of their Top 10 for 2017. Yes, it barely snuck in at number 10, but there it is, finally in the light of day.

Unfortunately, OWASP isn’t exactly up there with the NISTs of the world, so the importance of this is probably lost on most. I mean, the DSS uses [loosely] the OWASP Top 10 as one of its “industry accepted best practice” providers, which is actually why a lot of people have even heard of OWASP in the first place.

So now what? What difference is this going to make?

Well, very little probably, if you don’t understand now just how important centralised logging and monitoring is, you probably never will. If you’re in a position where this makes a difference (you’re in technology or cybersecurity) then the only time your organisation will care is when your business suffers a loss. Then I’m sure you’ll start to care as you’re updating your CV/resume.

Honestly, I really don’t know where I’m going with blog. It was either write about this or the bloody GDPR again. But it’s really the privacy regulations that are beginning to drive things like this forward. Record keeping, data breach notifications, accountability and so on all have an enormous impact in how we will be running our businesses and logging is intrinsic to them all.

In my consulting practice I very rarely use the word ‘recommend’, and I try never to mention the names of security control vendors except as examples. So while the due diligence is yours in terms of finding the right logging solution for your organisation’s needs, I HIGHLY recommend that you start looking.

I’m sure there’s some out there, but I’ve yet to see one argument for not performing logging and monitoring, and I’m willing to bet there are no valid ones. The problem, like most things in security these days is that the name is just not sexy enough. Perhaps if we include in a brand new acronym like ‘Episode Reply & Adversity Restoration (ERAR)’ as I did in Froud on Fraud’s Top 10 Cybersecurity Technologies to Implement in 2017 it would get more attention?

Whatever it takes…

[If you liked this article, please share! Want more like it, subscribe!]

Security Good Practices

When Security Good Practices Aren’t Good Enough


For the better part of 20 years I have fought with – and sometime against – my clients to help them achieve a particular standards of security. Whether it was PCI, ISO 27001 or any other standard, all I have ever done my whole career is beg my clients to take security a little more seriously. I’d say that I have failed more than I have succeeded, security is just not a priority to most organisations. Kinda like insurance.

Recently however, I have had the distinct pleasure to be told that neither the ISO 2700X standards or NIST Cybersecurity Frameworks are enough, they wanted more. A lot more. In fact, they wanted security so good that they could actually use it as a selling point for their services. For security itself to be a distinct and measurable competitive advantage.

Once the shock wore off, we had to work out how we would actually deliver this. Not only have I never been asked for more than ‘good enough’, I’ve never actually thought about what truly great security looked like. For individual components, yes, but not for a soup-to-nuts security program. And I have certainly not given much thought as to how I would begin the implementation of one. What was the point?

So where did we start? First, we had to address:

  1. What standard(s) to use for alignment – like it or not, unless you align yourself to industry accepted good practices, it is far more difficult to demonstrate the ‘appropriateness’ of your security program. Any client with regulatory compliance obligations must bear this in mind;
    o
  2. How to determine what ‘great’ looks like – regardless of the request to go above and beyond, the final result has to be achievable. In an industry plagued with pointless technology and buzz-words, the final result has to be both achievable, and justifiable. If you cannot demonstrate a meaningful ROI you have wasted their money;
    o
  3. What’s is foundational, and what is a separate project – In security, there are a number of basics you cannot do without. What I call core concepts. Management buy-in, governance, policy set etc. Then there are things that can begin as a project before consolidating the output with the whole (logging and monitoring, access control etc.);
    o
  4. What are the client’s business goals / principles – as I’ve said too many times; security is only here to enable the business. If a security solution does not map to a goal it’s wrong; and
    o
  5. How long do we have? – The implementation of any security program takes time, and the more you want the longer it takes. The desire for great security has enormous ramifications on resources and capital expenditure, and absolutely cannot be rushed. The resulting program must not only be sustainable, but it has to be embedded in the culture. We’re talking years, not months, and this must be understood at all levels.

You will notice however that at no point were we concerned with technology. Yes, technology will be enormously important – there can be no great without automation – but technology choices are driven by the processes they are meant to enhance, not a solution by themselves. Besides, it’s always the functional requirements you define first as you have no idea who’s going to be managing it yet.

So we ended up going with a combination of ISO 27001 and the NIST Cybersecurity Framework (v1.1), but we mapped these to what we considered to be the most logical groupings encompassing a full security program. Governance, Policy Set, Risk Management, Asset Management and so on. There are 18 of them.

But even this combination could only ever represent average, as ‘compliance’ with either standard is achievable long before you could be considered secure. So then we had to define a scale where average was where it should be, in the middle, and ‘great’ went up from there. We went with the ages old Capability Maturity Model (CMM), then mapped all of things we believe represent each level. ‘Defined’ = average.

For example, this is what Governance looked like:

The are simply no standards or documents for what happens next. The client has to understand what each of the groupings means, then they have to choose how far up the scale they wish to go. This is a long conversation, and if the results of this conversation aren’t understood at the Board level, we’re already derailed.

There are also many dependencies to consider. You can’t have great vulnerability management without very mature asset management, or business continuity without top notch incident response for example.

And above all, if the implementation of the program is not simple, with clear direction and guidance, the people who have to do the work will never get on board. Nor will they ever be able to manage it after we’re gone.

Honestly, I have no idea how this is going to end up, I’m in new territory for the first time in many years. This is also the first blog I think I’ve written where I’m not either trying to help, or bitching about someone/something.

I just thought I’d share something positive for a change, and I look forward to sharing my numerous mistakes and lessons learned! 🙂

[If you liked this article, please share! Want more like it, subscribe!]