Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 (non-paid advertising) spots on Google for the search phrase ‘ransomware’ are 2 vendor ads and one ad for cyber insurance. All but one of the remaining page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “Acme Co. Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear:

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so suck it up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there, have been preaching for decades:

Common sense!

  1. Don’t keep your important files on your computer – Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters;
  2. Patching – Your systems would have been immune from WannaCry if you had installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or your PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 3) no hidden malware;
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, but several locations. Everyone from your operating system, to your bank, to your grandkids has told you about back-ups, so there’s no excuse. External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much;
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had these 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory.

SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.

[If you liked this article, please share! Want more like it, subscribe!]

In Security, Technology is Always the LAST Resort

The temptation to spend money to make something annoying just go away is almost irresistible. I’m not just talking about security now, this is a human condition. From get-rich-quick schemes, to diet pills, to online ‘dating’, we want instant gratification and / or results. Sadly we also expect the underlying cause of our issues to be miraculously fixed as part of the fee.

What do you mean “Get your fat arse off the couch and go for a walk!”, I paid you to make me thin!? There are no shortcuts to fitness, and there are no shortcuts in security.

But with phrases like ‘panacea’, ‘silver bullet’ and my personal favourite, ‘guaranteed hack-proof’, the cybersecurity industry is becoming one of the worst offenders. Money is clearly more important than good service to many security vendors, and to those expounding on their virtues.

And we’re letting them get away with it! Whether it’s because we’re lazy, don’t know the right questions to ask, or just don’t care, it’s immaterial. Vendors will keep making useless products and we’ll keep buying them if things don’t change. Vendors have sold F.U.D. for years and we’re bringing only a few of them to task (FireEye for example).

The more complicated vendors can make security appear, the easier it is to sell their technology. At least that’s how it seems. There’s really no escaping that security must be simple to be effective: forget big data, use baselines; forget microsegmentation, just segment properly; forget user and entity behavioural analytics, fix your access control. In fact, ignore every acronym in the Gartner ‘Top 10 Technologies for Information Security in 2016’ and focus on the basics; I’ll almost guarantee they aren’t being addressed appropriately.

From policies and procedures, to change control, to vulnerability management, to incident response, worry about the base processes. They are not only more effective than any new technology, they are a damned sight more sustainable, more scalable, and cheaper!

One of the universal truths in security is that you cannot fix a broken process with technology; you can only make a good process even better. Better in terms of accuracy, speed, effectiveness, efficiency, long-term cost, you name it, but the underlying process had to have worked beforehand.

Take incident response (IR) for example. If you have top-notch plans, a well-trained team, and robust vulnerability management, a technology that gives you earlier event warnings is of distinct value. As would technologies that reduce false positives, automatically quarantine infected machines, supply greater forensic information up-front, and so on.

However, if your IR plans are crap, your team has no idea what to do, and your systems have not kept up with the threat landscape, no technology in the world will stop an event from becoming a business crippling disaster.

Be honest, how many of you have:

  1. Firewalls but poor segmentation?
  2. Routers but no mapping of your business processes?
  3. Anti-Virus and no OS hardening?
  4. HSMs and no idea where all your data is?
  5. Centralised logging with no idea what ‘normal’ looks like?
  6. …and the list goes on.

How can you expect a new technology to help when you haven’t optimised what you already have?

There are of course exceptions to every rule, and in this case the exception is to buy an Asset Management System. Everything else you do in security has your assets at the core. Do this well and everything else becomes much easier.


[For a little more information on technology purchases, this may help: Security Core Concept 2: Security Control Choice & Implementation]

Stop Wasting Your Security Budget on Technology

Don’t get me wrong, I love toys. I’ve had every version of the iPhone since its inception and have, quite literally, a drawer full of the old ones. I also cannot even tell you how many electronic gadgets I have sitting in boxes that I had wanted badly, used once or twice, and eventually packed away after watching them gather dust for months / years on end.

I could start my own eBay with this stuff. Or a museum.

In this context, technology is harmless. Every toy I have is offline, provides no access to sensitive data of any sort, and simply demonstrates that I have more money than sense. Though in truth, I have very little of both.

This becomes a far riskier proposition when organisations throw technology at broken processes, especially when those processes are directly related to some compliance / regulation requirement. PCI, for example, has driven technology purchases (both infrastructure and outsourced managed services) like no other regulation before it.

This is because the DSS called for technologies by name (firewalls, anti-virus, intrusion detection/protection systems, file integrity monitoring and so on), and instead of performing a risk assessment FIRST, most organisations went straight out and spent money on things that likely provide no security benefit whatsoever. It takes significant expertise to extract value from technology.

And no technology related to information security can ever provide benefit unless:

  1. It was purchased to fulfil a properly defined business need (via risk assessment, business impact analysis, and Governance)
  2. It is appropriate for the current needs, but can scale for future growth, or reduce in the case of managed services (speaks to controls selection and vendor due diligence processes)
  3. It was purchased with full understanding of who is responsible for the following, and how they are to be accomplished:
    i.   Installation and integration with established processes
    ii.  Ongoing maintenance and updates
    iii. Monitoring and incident response
  4. It has properly defined metrics to measure its production capability against the originally defined requirements, and those resulting from a changing threat landscape (via vulnerability management and ISMS)
  5. It is constantly baselined against an established ‘known-good’ state. If it’s not simple, it’s not secure. Period / Full Stop.

Think about this another way: every appliance you buy is just a server, with an operating system, running an application, and regardless of how much effort went into hardening this system against an attack, the bad guys get smarter every day. Secure today is no indication of security tomorrow (just ask Juniper about their backdoor challenges).

The purchase of any new technology is always the last of these three options:

  1. Examine your business processes to determine whether or not you really need to process / keep the sensitive data in the way you currently do, i.e. can you tokenise, truncate, delete entirely, outsource, etc.?
  2. Examine your current infrastructure and procedures to see if adjustments here can fill the gaps exposed by the risk assessment and gap analysis.
  3. Buy an appropriate technology in line with the 5 pre-requisites above.

Equal effort needs to go into maintaining current capability using existing technology, and into decommissioning obsolete technology, as goes into buying new capability, and not one of these decisions falls outside of a properly run security program in line with business goals.

You really must ask the right questions, or you’ll get what you asked for, not what you need. Security vendors will not help you here, it will be up to you.


Insecurity Through Technology

Some time ago I gave a presentation on BrightTalk titled ‘Insecurity Through Technology: Back to Basics’ with the premise that the uncontrolled purchase of security technology to satisfy a perceived need may actually INCREASE your risk (go to Downloads if you just want the presentation).

Despite the crayon-esque diagrams, and the majority focus on PCI, I wanted to expand upon this concept in light of my current focus on simplifying security into “core concepts”, “appropriate / proportional security”, and “business-first”.

PCI lends itself as the perfect example of how a perceived need for technology can result in some very poor purchasing decisions. Just look through the 12 sections of the PCI DSS and you may, in some form – and if you’re very unlucky – need ALL of the following: firewalls / routers, encryption, anti-virus, web application firewall, access control mechanisms, physical security measures, logging mechanisms, vulnerability scanning, penetration testing, wireless scanning, file integrity monitoring, and a ton of ‘paperwork’.

All too often budgets are spent on items such as these at the beginning of a compliance project instead of when, and IF, it’s really necessary. A lot goes into a compliance project before you should be buying anything other than expert guidance or an education series.

The problem is on both sides of the sales process. The salesperson only knows how to sell either what they are being asked for or, more usually, as much as they possibly can. The purchaser has probably not done their proper due diligence and is asking the wrong questions. The best way to resolve this is if at least one side of the equation is aware of The 6 Security Core Concepts, and follows the established good practice for the institution of a security program.

Analogy: if your doctor tells you you’re going to require an operation, you will of course learn all you can about the procedure. You may even become something of an authority on your condition (to laymen anyway). What you will NOT do is try to perform the operation yourself. Why would you treat cybersecurity any differently if you’re not an expert?

Know enough to ask the right questions, then let the experts take over. How do I…

  • choose the right technology?
  • ensure it can be integrated with current processes?
  • manage and monitor it?
  • measure it?
  • show the benefit to senior leadership?
  • …and so on…

If new technology is not properly configured, baselined, monitored, and maintained, you have added another potential vulnerability to your infrastructure. Any appliance is just another hardened server running an application of some sort, and should be treated the same way as the ones you build yourself.

Also, the more data you receive, the more important baselining and tuning become, as you don’t want the important stuff to be obscured under layers of false positives. I do not believe there is room for Big Data analysis in security (per Don’t Get Me Started on ‘Big Data’), so integration of new technology with less-is-more security processes is paramount.
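As an added illustration of the “know what ‘normal’ looks like” point made here and in the centralised-logging question earlier (this is example code written for this page, not anything from the original posts or from any vendor product): a minimal baseline built from a window of log lines believed to be clean, with a later day compared against it. The log format, host names and event names are all constructed for the example.

```python
# Added example (not from the original post): build a "known-good" baseline from
# constructed log lines, then compare a new day against it.
from collections import Counter, defaultdict

# Constructed sample logs, one event per line: "<day> <host> <event>"
BASELINE_LOGS = """\
1 web01 sshd_login_ok
1 web01 sshd_login_ok
1 web01 sshd_login_fail
1 db01 backup_complete
2 web01 sshd_login_ok
2 web01 sshd_login_fail
2 db01 backup_complete
"""
# Constructed logs for the day under review
NEW_DAY_LOGS = """\
3 web01 sshd_login_ok
3 web01 sshd_login_fail
3 web01 sshd_login_fail
3 web01 sshd_login_fail
3 db01 backup_complete
3 db01 sshd_login_ok
"""

def parse(text):
    """Yield (day, host, event) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)

def build_baseline(text):
    """Per (host, event): the highest daily count seen during the known-good window."""
    per_day = defaultdict(Counter)
    for day, host, event in parse(text):
        per_day[(host, event)][day] += 1
    return {key: max(days.values()) for key, days in per_day.items()}

def deviations(baseline, text, factor=2):
    """Flag pairs never seen in the baseline, or seen more than factor x the baseline max."""
    counts = Counter((host, event) for _, host, event in parse(text))
    out = []
    for (host, event), n in sorted(counts.items()):
        if (host, event) not in baseline:
            out.append((host, event, n, "never seen in baseline"))
        elif n > factor * baseline[(host, event)]:
            out.append((host, event, n, f"baseline max {baseline[(host, event)]}/day"))
    return out
```

Everything the baseline has already accounted for is silent; only the first-ever ssh login on the database host and the jump in failed logins on the web host are surfaced, which is the tuning step that keeps the important stuff from drowning in noise.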

This has been, and will continue to be, a theme throughout my blogs: 1) don’t buy anything until you know why you need it, 2) install nothing in production until you have figured out how to use and manage it, and 3) integrate all processes around it with a single overarching operations centre.

The threat landscape is intimidating enough without making things easier for the bad guys.
