CISOs' newest fear? Criminals with a big data strategy
Reg roundtable disses pen testers and security theatre
CIO Manifesto We again gathered an eclectic mix of IT execs including some CISOs, CTOs etc, in a secret bunker to discuss whether we’re winning the security battle. OK, the “bunker” was a meeting room under the Soho Hotel, but not only are we not winning, it is not even clear what winning actually means.
Our IT execs happily admitted (under conditions of strict anonymity) that security theatre is now a vital part of their jobs, meaning that they unleash shock and awe to get the budgets they need to fight the battle that they know they will never actually win.
The Target breach, where 70 million customer records were taken, cost the CEO his job partly because the litigation, as well as loss of customer trust, finished off an already wounded C-suite executive.
This gets their full attention, which is important because so many board members simply don’t get IT. Or as several of our execs shared, they think they understand tech “because they’re young” and think the financial management systems are basically Facebook with fewer selfies. So if you need a bigger security budget, read up on Target and arm yourself with it.
A lot of boards still think that security is a product, like a USB stick - or, worse still, an anti-virus tool like they use at home. Our IT execs were really quite scornful of the way that AV is over-sold to semi-technical management who regard installation as the job done. AV is necessary but the execs bemoaned the long time for updates as well as the hassle, which includes the way every couple of months some AV product decides that a Windows DLL is a virus and bricks the whole machine.
More than one of them questioned the sustainability of the traditional model, yet no new one is readily visible.
As well as being scathing about AV vendors, pen(etration) testers came in for a bit of abuse. They aren’t as valued as they think they are and are often seen as a necessary evil who just produce lists of problems, all of which they claim are critical. They are seen as incapable of classifying any threat as “medium”. Some of the largest outfits even go as far as to run their own pen testers whilst acknowledging that being in-house means they are a bit behind the curve in exposure to the latest issues.
The next theatrical part of being a CISO is being audited, where inevitably we get sucked into doing things merely so that auditors can tick boxes. Of course, when it is a big IT vendor or accountancy firm doing the audit, they are looking to find the sort of hole that they can sell you consultancy to fix, even if the business risk is pretty small. ISO 27001 auditing was seen as less bad because you can justify your decisions, PCI-DSS being less flexible in practice.
Everyone is a Target
I made the mistake of saying to one CISO, “so you’re not an obvious target” and was curtly informed that one well-known guy who works with them has received many death threats and, all by himself, seriously upgrades their threat level. This marked a different angle for some of the execs, whose systems contain highly sensitive data like healthcare and education - and where women seem to be particular targets for religious fanatics. Geopolitics is changing the nature of the threats our IT execs are experiencing, even if you think they might be too small or obscure for anyone to bother.
My big data is bigger than your big data
Classical security management works on the basis of balancing the damage of a breach versus the cost of preventing it and the necessity of proving to the board that you’re getting a good return on your security investment. In the final analysis, crooks are running a business and will seek out the softest targets they can. The problem here is costing up the damage.
The execs who worked in retail saw regular “drip drip” identity frauds, each causing a loss that is only one step up from shoplifting. This is usually only detected after the goods have been delivered and the crooks have done a runner. They saw this as a great candidate for big data analytics, but not in a good way. Yes, fraud detection can get a bit better, but rising up the hierarchy of fear amongst our IT execs was the feeling that the criminals can bring sophisticated analytics to bear too.
Free and cheap BI allows criminals to impersonate customers and carry out better spearphishing attacks. NoSQL is replacing being able to drive away fast as a skill for bank robbers. The execs were clear that taking a narrow ROI model for budget allocation is going to bite you hard, since if you just look at nibbles of shoplifting level attacks and price up your security on that basis, you will get hit by a Black Swan that will bite your whole leg off.
This is hard to calculate for several reasons. Firstly, when something is rare, you don’t have many events to base experience on. Then there are the complexities of risk transfer and insurance, where large risks are often shared between end user firms, banks and insurers. That can mean that a “large” consequence event may occur in your systems but actually impact others, or vice versa.
To make any guesstimate you need to analyse your business from a different perspective, taking into account the web of contracts and relationships it lives in. You may not be the first one to do this because organised crime is getting better at identifying vulnerable systems and business processes and the IT execs are already seeing attacks from black hat business analysts.
Cards are the most frequent wound by which banks bleed money. Chip and PIN has made card fraud an almost negligible issue in Europe, as opposed to the USA, where their medieval card security has enriched many crooks. This bodes well for the new wave of phone-based payment systems, since they cannot help but look better in comparison. Two-factor authentication (2FA) has yet to catch on, or even to be seriously pushed by the banks, because the average customer hates the inconvenience.
This attitude is kept strong because consumers bear little of the cost of card fraud and are generally clueless about security, both for their cards and corporate IT. Millennials are, if anything, worse than us old people, choosing passwords that are the name of their cat - or if they’re real technocrats, sticking a number on the end. Home working means that nearly competent users can accidentally route dodgy or actually criminal traffic across the corporate network.
Although they see it mainly as a police issue, the IT execs are getting a good education in the criminal economy and, although they were rationally cynical about the speculative numbers we get told, they do know that there is now an ecosystem. They’ve seen evidence of BI and service industries that clean and verify lists, simply because that work is being carried out through attacks on their systems.
They also gave good advice for anyone hoping to prosper in an InfoSec career, since they are the people hiring and promoting you. They value “tool ninjas”, people who have mastered every detail of bleeding edge tools, but more important is the ability to communicate what you are doing.
Half of being an expert is consultancy, even if it is not part of your job title. You must give good advice in a way that people want to follow for their own good, which means putting it in a business context, rather than obsessing about theoretical vulnerabilities. Be clear that you can’t skip the tech knowhow, but you amplify it by explanation.
Peer to Peer Security
Outside the world of critical national infrastructure, sharing of experiences and data is still too ad-hoc for many reasons, none of them good. The execs shared that their contracts of employment explicitly forbade them from sharing security or other important proprietary information.
Although financial regulators are nudging firms towards sharing, it is still unsatisfactory. As one exec put it, “retail is ruthless” - and it may not shock you to learn that several execs saw security as competitive advantage and if one of the other players in the market falls into a hole, this is a good thing.
This shows two things. Firstly, that you don’t get to the top rung without some steel in your spine and secondly, that outside of financial markets there is no fear of contagion. They work in a zero-sum game, and a breach that capsized Tesco would be a big win for Sainsburys and Morrisons, so why should they share the best information?
The dead hand of history
Like the three wretched prequels to Star Wars, ICL VME, Windows XP and Cobol will never go away. We can’t call in JJ Abrams, Bill Gates or Bjarne Stroustrup to reboot them into something that doesn’t suck out our will to live.
Our execs shared stories of millions squandered in failed attempts to remove systems that are now easily older than the people maintaining them. Many of them contain business logic that wasn’t documented properly: what documentation existed has been lost or exists "on some tape somewhere."
As the foundations of many firms and government departments, they are seen as a new attack surface. Up until recently there simply was no path from the outside world to them. Indeed, if presented with VME’s command line interface, you will assume that it’s actually a spoof and that no one would have done that on purpose, so there is a useful degree of security by obscurity.
As we upgrade the linkages, unsuspected paths are appearing. So poorly understood are some of these systems, and so neglected by the bright young things in infosec consultancies, that they may be pwned without anyone noticing. Trustwave already regularly comes across systems that have been subverted for over six months - and that’s just the ones that get spotted.
But it’s not just systems whose names you don’t even remember. Windows XP is forgotten but not gone and the consensus of the execs is that any firm that says all its systems are patched up to date is either lying or deluding itself. Even the idea that any decent sized firm has a plausible list of all the systems they rely upon was met with a mixture of laughter and scorn.
Servers are routinely built to the prevailing corporate standard, then often forgotten. The consensus is that, whatever their misgivings about cloud services, our execs saw them as at least being professional about patches and basic security. However, the way that cloud vendors disclaim any liability and routinely refuse to take part in security audits is a problem that may well be the source of the next round of security horror stories.
Amazon was cited as a good example of this, with highly respectable security but a complete lack of reassuring security blankets.
What did we learn?
A common theme in our Roundtables is that the old IT Director model is splitting up, often into a bringer of change and new revenues, and someone who keeps the lights on. Not being “business” often makes security a facilities management role where you get little kudos for reliability and safety, but get blamed both for the breaches and the business limiting measures you put in place to try and make systems secure.
This is more irritating where the pressure to increase exposure is coming from the “Change” CTO, so risk management is an increasingly important skill at the top level of IT. However, several of them moaned that there isn’t a clear line of responsibility for security because it is such a poisoned chalice.
The bottom line is that e-crime is just like crime. It will never go away, and the most critical skills for an IT exec are to manage risk and to be able to articulate the reasoning behind the risks you take. ®