Infosec Engineering
What This CISO Did To Protect His Company’s Data Will SHOCK You!

Posted on October 28, 2015 by jerry

Good, my clickbait title worked and you’re here. I have my cranky pants on, so let’s go.

On last week’s podcast episode, Andy and I talked about Rob Graham’s recent blog post “Dumb, Dumber and cybersecurity” where Rob railed on a buzjournal.com post titled “10 Steps to Protect Your Business From Cybersecurity Threats“.

Rob rightly points out that none of the 10 recommended steps really address the top issues that companies are getting breached by:

  • SQLi
  • Phishing
  • Password reuse

Perhaps I have some Baader-Meinhof going on, but I am seeing these damn “Top X lists to thwart the evil advanced cyber APT nation-state hacker armies of 15 year olds” EVERYWHERE.

Like here, here, here, and here.  I’M QUICKLY REALIZING THAT CREATING THESE LISTS IS AN EPIDEMIC THAT HAS INFECTED THE BRAINS OF MARKETING PEOPLE ALL OVER THE WORLD, CAUSING DIARRHEA OF THE FINGERS.

These stupid lists are nothing more than infosec marketing platitudes…

“Keep your AV up to date!”.  Yeah, that’s going to save you.

“Keep your systems patched!”.  Yep.  Show me an organization that is able to do this, and I’ll send you a link to click on.

“Know where your data is!”.  Sure.  It’s every-fucking-where.  OKAY?  Everywhere.

“Abandon the castle wall philosophy and build protection around the data!”.  What?  I guess Google did this, right?

“Restrict employee access to only that which they need!”.   Least privilege and all that, right?

“Restrict network access to only that which is needed!”

and on and on.

These are all, of course, good ideas.  However, they’re not actionable ideas.  And, as Rob pointed out, most aren’t even the way in which businesses are getting compromised.

Let’s pick on one, just as an example of not being actionable: “Restrict employee access to only that which they need!”

Who could argue with that sage advice?  Well, I will.  The issue is that it doesn’t actually solve much in the real world.  Here’s what I mean: If I’m an accountant and need access to the financial database to run queries, restricting access might mean I get a read-only account to run my queries with.  This rarely translates into a consideration of the remaining risks associated with the access I was given.  Is there a better way?  The table I am querying has credit card numbers in it, but our database doesn’t let us restrict my access down to a field level, so in order to do my job, I am given the least access possible, which is still way too much.
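To make the accountant scenario concrete, here is an added example (not from the post, and not a description of the author’s environment) of what field-level restriction looks like when the database does support it. It assumes PostgreSQL syntax; the `payments` table, its columns and the `accountant_ro` role are placeholder names chosen for illustration. The point is that a plain read-only grant on the table hands over the card numbers, while a grant on a view (or a column-level grant) hands over only the columns the job actually needs.

```sql
-- Added example (not from the post). PostgreSQL syntax; table, column and
-- role names are placeholders chosen for illustration.

-- The base table holds the sensitive field alongside the data the
-- accountant actually needs for reporting.
CREATE TABLE payments (
    payment_id   bigint PRIMARY KEY,
    customer_id  bigint NOT NULL,
    amount_cents bigint NOT NULL,
    paid_on      date   NOT NULL,
    card_number  text   NOT NULL   -- the field the accountant never needs
);

CREATE ROLE accountant_ro NOLOGIN;

-- Option 1: a view that omits the sensitive column and exposes only the
-- last four digits for reconciliation.
CREATE VIEW payments_reporting AS
SELECT payment_id,
       customer_id,
       amount_cents,
       paid_on,
       right(card_number, 4) AS card_last4
  FROM payments;

-- Grant on the view only. The base table gets no grant at all, so a
-- query against payments itself fails with a permission error.
GRANT USAGE ON SCHEMA public TO accountant_ro;
GRANT SELECT ON payments_reporting TO accountant_ro;

-- Option 2: where the engine supports it (PostgreSQL does), a column-level
-- grant on the base table achieves the same thing without a view.
-- SELECT * still fails because card_number is not in the grant list.
-- GRANT SELECT (payment_id, customer_id, amount_cents, paid_on)
--     ON payments TO accountant_ro;

-- Quick check from a superuser session: what can the role actually read?
SET ROLE accountant_ro;
SELECT * FROM payments_reporting;   -- works, no full card numbers
SELECT card_number FROM payments;   -- ERROR: permission denied for table payments
RESET ROLE;
```

This shrinks what a compromised accountant session can reach, which is the residual risk the paragraph above is pointing at; it does not make the grant “safe”, since whatever the view exposes is still readable by anything running under that account.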

And so I click on funnycats.exe, because damn, who doesn’t like funny cats?  And the following Sunday, Brian Krebs is on the phone with my company’s PR person asking for an interview about our data that is for sale on a forum somewhere.  BUT BUT BUT… least privilege was followed.

And so it goes.  Cybersecurity is hard.  It takes thought, analysis and consideration of risks; not a bunch of dumb platitudes.

#getoffmylawn

Posted in Advice