2015 is nearly three weeks young and I am afraid we are going to see more of the same exposures as we did in 2014. Not much has changed in organizations. They are fundamentally following the same tactics and techniques to ‘defend’ against adversaries as they have for the past several years. There are 12 areas that continue to cause problems for the CISO and for information security as a whole. Here they are:
1. The CISO still reports to the CIO in most organizations, which means security is still seen as a technical issue. CISOs battle the CIO quietly, trying to move security to the forefront, only to be pushed to the back of the pack in the name of features and functionality.
2. CISOs continue to beg for financial table scraps, and the scraps they do get are used to double down on existing technology: the same technology that is failing them now, dressed up with a new twist or new buzzwords that describe what it really cannot do. And since organizations still see the issue as a technology problem, the CISO gets a budget that is a single-digit percentage of the overall IT budget.
3. There are also CISOs in positions at major firms who do not have the credentials necessary to be in those positions. Whether through outright lying, a gift for gab, opportunistic timing, cronyism, nepotism, verbal berating techniques, companies who have dumped them quietly or just plain foolishness, these CISOs are false prophets leading their organizations down the path of data loss doom. Their résumés are rife with false statements, their LinkedIn profiles full of modifications and embellishments of the most minor infraction.
4. Many organizations continue to give information security lip service but avoid embedding information security at the beginning of, and throughout, each and every corporate project. Not just IT projects, but every project. Information security vulnerabilities discovered during the SDLC of a project are not treated as defects; they are separately identified as vulnerabilities that require a waiver to remediate (while code defects slide through the process without issue). In fact, most vulnerabilities identified during the SDLC, and even thereafter with vulnerability scanners, are configuration errors made by IT staff, since they follow no build guide or configuration standard and have root access to change configurations (which they do) outside the change/release cycle.
5. What still amazes me is the limited access CISOs have to corporate leadership or boards. Treated as the corporate scapegoat, CISOs in most organizations are not included in the corporate brain trust. They are still seen as the messenger deserving of disdain and bullet wounds for issues ‘packaged’ as security problems.
6. This leads us to the age-old problem of IT administrators of any platform, infrastructure or software not securing what they own. They do not believe security is their responsibility. Yet while they deny that security is theirs, they also do not allow the information security team into the process to examine it. CISOs are still the red-headed stepchild of the organization.
7. Law enforcement staff have their place, but the continued see-detect-arrest paradigm is an auto-fail. Anyone who argues otherwise need only look at the last 15 years of information security, fully built on that foundation: a foundation of after-the-fact information security, with huge investments in process, procedure and technology that support the failed paradigm.
8. We need defensive technologies and we need incident response, but doubling down financially and organizationally on failed structures supported by the majority of the IT and information security vendors in the industry just does not make sense. If you have law enforcement as your leadership, be prepared for tactical programs focused on immediate short-term gains. Liken it to entering a room with the goal of getting to the other side. Go halfway, then halfway again, continually. You will never reach your goal.
The theme of advanced persistent threats, kill chains and incident response as the main focus of the organization is another auto-fail. There is no such thing as an APT. That term was made up to sell product. Even though the USAF coined it, it is a falsity. If you can’t define it, you certainly don’t know how to deal with it.
The kill chain that so many vendors and organizations tout is just a method to detect and stop activities after they have already penetrated your perimeter. Meaning you have already given up and it is too late. It may prevent the ship from sinking, but not until massive data leakage has occurred. Oh, and my favorite, which still amazes me, is the mentality of the cyber janitor. Backed by the APT myth and the kill chain model, today’s incident response groups are the cyber janitors of the industry, with a whole supporting industry built to backfill the janitors, who by day are IT admins.