In my opinion there are several reasons for the state of affairs regarding the seemingly endless list of companies getting hacked. If you look at all those compromises, a number of things become abundantly clear:
1. It wasn’t the lack of money. They all spent handsomely on cyber security. They had all bought and implemented the latest “Next Generation, blue LED, advanced, malware, APT” boxes.
2. It wasn’t the lack of staffing. They all had ample staffing of university-educated auditors and types like that, with an impressive list of certifications to their name: CISSP, CISA, CISM, ECSA to name a few.
3. It wasn’t the lack of compliance. They were all ISO 27000 series, PCI, SOX, some even HIPAA compliant.
4. They all talked the talk regarding risk. They all had impressive documentation on risk. Risk assessment, risk management, risk… Risk is big.
The truth is that the vast majority of these companies really don’t want to deal with cyber. They don’t understand it, they don’t want to spend the time on it. They just want to pay some money and continue doing what they want to do. You know!!! Have all their stuff readily available online all the time, communicating hard core sensitive business information over the same devices that they use for porn surfing, and not be bothered with actually having to do something vaguely time consuming to secure their stuff. It’s for geeks. Nothing real businessmen deal with.
And we the geeks haven’t helped them. Let’s be honest, we haven’t got a lot of respect for the suits, and for good reason if you ask me. They are so obviously incapable in the fields that have our interest that we frankly don’t give a damn. If they want to look like idiots, let them.
And then the CEO of target.com got fired!!!! For letting the company get compromised!!!!
Loooong awkward silence. Suits looking at geeks saying “WHAT!!!”. Geeks looking back saying “DON’T LOOK AT US”.
The solution in my opinion lies in looking at real, relevant and practical Capabilities instead of talking about risks in general terms. This sounds good to most people, but my experience is that I have to do a lot of explaining before people actually understand what I mean. Let me try to outline a few things.
1. A capability is an action thing. The fact that you have a password policy is NOT a capability. Your ability to detect when the settings on a server are changed in a way that doesn’t fit the policy IS a capability.
2. A capability HAS to make immediate sense to a CEO without a lot of explaining. If he doesn’t immediately get why it makes sense for his company to possess this capability, it probably shouldn’t have it.
3. A capability has to be immediately and practically auditable, and the CEO almost has to be able to do the test himself. If you want your company to have the capability to detect rogue devices in their infrastructure within a maximum of 2 days, let’s place a rogue device and see how long they take to detect it. Easy, understandable, practical, doable.
I am in the process of identifying all the relevant capabilities and it’s a lot of work. People come up with capabilities that sound logical, but are not practical and don’t follow the above mentioned principles. Let me give you an example of how the analysis works.
Somebody suggests “we should have the capability to detect APTs in our environment”. This sounds logical and makes sense to the CEO. But where is the action? And how do you audit it in practical terms? You can’t, it doesn’t work, we have to be much more precise and detailed. This suggestion actually ends up in literally hundreds of small and detailed capabilities. The capability to detect when a known phishing site is reported and block mails from them. The capability to detect when a lot of people are receiving mails with the same body text…
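As an added example (not from the original post or the Quora thread), here is the last of those small capabilities written so that it can be audited the way principle 3 demands: flag a mail body that reaches many distinct recipients within a short window, plus a check that plants a synthetic campaign and confirms detection fires. The gateway records, recipients and thresholds are all constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-gateway records: (timestamp, recipient, body text).
SAMPLE_MAIL = [
    ("2024-05-01T09:00:00", "alice@example.com", "Quarterly numbers attached, see sheet 3."),
    ("2024-05-01T09:01:10", "bob@example.com",   "Your mailbox is full. Verify your account here."),
    ("2024-05-01T09:01:12", "carol@example.com", "Your mailbox is full. Verify your account here."),
    ("2024-05-01T09:01:15", "dave@example.com",  "Your mailbox is full. Verify your account here."),
    ("2024-05-01T09:01:20", "erin@example.com",  "Your mailbox is full. Verify your account here."),
    ("2024-05-01T09:30:00", "frank@example.com", "Lunch on Friday?"),
    ("2024-05-01T11:00:00", "bob@example.com",   "Your mailbox is full. Verify your account here."),
]

def normalise_body(body: str) -> str:
    """Collapse whitespace and case so trivial variations fingerprint the same."""
    return " ".join(body.lower().split())

def body_fingerprint(body: str) -> str:
    return hashlib.sha256(normalise_body(body).encode()).hexdigest()[:16]

def find_mass_mailings(records, min_recipients=4, window=timedelta(minutes=10)):
    """Return {fingerprint: sorted recipients} for every body that reached at
    least `min_recipients` distinct recipients inside some sliding `window`."""
    by_hash = defaultdict(list)
    for ts, rcpt, body in records:
        by_hash[body_fingerprint(body)].append((datetime.fromisoformat(ts), rcpt))
    alerts = {}
    for fp, events in by_hash.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the left edge until the span fits inside the window
            while events[end][0] - events[start][0] > window:
                start += 1
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts[fp] = sorted(recipients)
    return alerts

def audit_capability(records, test_body, test_recipients):
    """The 'plant a rogue device and see if they find it' style test from the
    post: inject a synthetic campaign and report whether detection fires."""
    t0 = datetime(2024, 5, 2, 8, 0, 0)  # constructed audit time
    planted = [((t0 + timedelta(seconds=i)).isoformat(), r, test_body)
               for i, r in enumerate(test_recipients)]
    return body_fingerprint(test_body) in find_mass_mailings(records + planted)
```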
Lots of work and I have only started. I expect to end up with several thousand formulated capabilities and I would love some help from you guys.
Please read this question I have posted in this regard, especially the comments to the only answer I have gotten: What capabilities should a Security function possess?