IT bosses: Get budgets for better security by rating threats on a scale of zero to Yahoo!

BSides SF What do you reckon US government regulations on computer security look like? If you selected outdated, contradictory and avoidable, congrats, you're an industry veteran – or you were paying attention to a talk this morning at the BSidesSF 2017 infosec conference.

In a presentation titled "Swimming upstream: regulation vs security," Robert Wood, head of security and compliance teams at healthcare IT firm Nuna, laid out the state of red tape in heavily regulated industries, and how it affects building secure networks and systems.

For instance, he said his company has to operate within eight different government frameworks for data handling and information security, and they can be more harm than good.

“Most regulations were brought into being with the best of intentions,” he told his audience in San Francisco. "They were there to make things better and give us some instructions. But they do mean you end up handling crazy things.”

For example, not one of the eight frameworks Numa operates under even mentions social engineering or phishing, although a few workplaces tell staff to sit through a 15-minute PowerPoint presentation on the issue once a year. That’s not enough to stop one of the biggest security threats out there, he said.

Regulations are also easy to bend and set quite a low bar, he said. One customer had a requirement that all data traffic within the firewall was to be unencrypted to allow for inspection by network monitoring tools, while the government framework it operated under required encrypted internal traffic “where possible.”

“They had ended up dumbing down controls to satisfy the unencrypted network traffic requirement, which we know is not cool,” he said. “But it’s like shaving a yak" – or, for our UK readers, like painting the Forth Bridge – "the excuses never ended. It was excuse after excuse, exception after exception and it never ended.”

Some regulations include surprise audits and inspections, on top of quarterly or annual checks. The sheer amount of reporting and paperwork involved can be crushing, he said.

The fundamental issue is that companies tend to do just enough to make sure they are compliant, and put not a penny more into IT security. Getting stuff done that isn’t officially required, such as providing social engineering training, can be left by the wayside unless IT managers game the system to get necessary resources.

In other words, the requirements are often so low, complying with them and nothing more leaves networks at risk, and yet there's often no money allocated to improve the situation.

Sun Tzu’s guide to IT management

Probably the most important thing IT managers can do is to identify and cultivate their allies. In any organization, there will be a few people who see the need for effective security and they need to be wooed, Wood said.

“Learn their language and use their jargon with them to make a business case for a security tool,” he urged. “Then show them how the sausage is made. There’s a tendency in IT to hide stuff like that, but once people see the amount of work involved, they appreciate what you’re up against.”

He gave the example of winning over a business development manager by suggesting sales staff show customers how their information is kept secure. To do this, beancounters have to cough up funding for tools that are outside the regulatory requirements, security processes are put in place, clients are happy, sales deals are won, and so on, he said.

IT managers hoping to secure budgets for security measures should also take a leaf out of the CIA’s playbook, Wood suggested. In 2007, the agency studied the effects of describing a threat risk as high, medium, or low probability. It found that people’s understanding of the risk involved is wildly subjective, depending on who was uttering the risk warning.

Instead, Wood suggested, present company accountants with a numerical probability risk, tied to a dollar amount of damages – say there’s a 90 per cent chance of, say, a database breach happening between five and 15 times a year costing $X per intrusion. It doesn’t have to be perfect, he said, but it’s the language accountants speak. We suggest you use real-world security breaches to guide your estimates – perhaps from an average of $4m per successful attack to the billions Yahoo! put at risk.

“It’s much better to argue with numbers,” Wood said. “It's much more convincing than using high, medium and low threat descriptions.”

Speaking of numbers, the tech boss said while automated network security analysis is not a silver bullet to kill all vulnerabilities, it generates the kind of metrics that impresses government auditors and company accountants. Things like, number of software packages scanned, version numbers identified, bugs patched, and so on.

Finally, make sure your suppliers are on your side and smart in their business practices. He recounted the time he asked a vendor if a particular threat was covered as per the regulations, so he could pass on the reassurance to auditors. The response from the supplier was: “LOL.”

“The auditor’s response would have been WTF if they’d seen that; it wasn’t helpful,” he said. ®