It was way back in 2011 when I spoke of the key security challenges on the CISO’s radar in the basic forms of:
- The Insider Threat
- Phishing & Spam
Complemented, of course, by other generic security challenges which appear on a daily basis. Way back in 2011 I did acknowledge that, whilst these were nevertheless important in the overall scheme of the Security Mission, I wondered if they consumed far too much interactive intervention and security bandwidth in responding to the manifestation of active compromise and security breaches – with much focus on the reactive, rather than the proactive. At that time I also questioned the value of what were [are] at times the association of those innate Security Dashboards and Balanced Score-Cards which represent the anticipated snap-shot of real-time and real-life exposure mitigation and ‘management’ to be presented to the executive [tick-box-security], and I wondered if something was being missed at the lower level of the security challenge. However, now four and a bit years on, with the benefit of hindsight, I am realising that the manifestations of the unknown unknowns of insecurity seem to have been allowed to evolve, and to gain ground in the adverse landscape of Cyber Crime, and all things offensive that mission stands for.
In my experience since the 2011 observations, I can again fully attest with proof that whilst the aforementioned areas of security management are common finds, they have sadly been updated by manifestations of newly-grown insecurities, and the landscape of adversity is now still outstripping the balanced approach of acceptance of compliance/governance which is being driven out of tower-like security missions which still seem to be missing the point – which have not evolved the required level of Poacher/Gamekeeper imaginative mind-set – allowing real-time threats to expose the business, clients, and assets alike.
In the wake of the known threats which have been encountered to date, some of the unknown unknowns have now been promoted to known unknown status. These are complemented by the advent of extreme levels of successful attacks in the form of high-consumption DDoS attacks, multiples of successful Ransomware incursions, Cyber Attacks, and Hacking against high-gain, prominent targets who spend what may be considered a fortune on their failing defences – and yet they are still exposed!
The problem may well be created out of the low level of imaginative direction which comes from those who are the incumbents of the organisation’s security strategy – playing by the rules of engagement behind the shield of Governance/Compliance, and the good old ISO/IEC 27001 as the bible to fight off all Cyber Ills – a little like David being given a pencil and clipboard to go fight Goliath!
It is time to start to apply enhanced levels of imaginative hostile and offensive thinking, where imagination represents the most valuable armament in the armoury of the security professional, and hopefully the CISO. Levels of imagination which will manifest in offensive thinking which seeks to understand the unknown unknown areas of subliminal and invisible threats. Such as the exposure presented by the much-tolerated OSINT capabilities, metadata leakage, and other such hidden forms which so often allow the would-be attacker to gain a valuable insight into the belly of the organisation.
For example, take the high profile bank who are so exfiltration-enabled that they knowingly publish, and make available, high value objects of intelligence on a daily basis, making the job of any hacker, or other such cyber-miscreant, a much easier task to effect. However, sadly this high profile organisation is not alone in this space, with many others following on their cyber-tails, with their logical-ass hanging out of the open window. And on the subject of poor security, let us not forget that even in this day of BWYW [Bring Whatever You Want] to work, there are still many organisations who simply do not understand, and still support, the introduction of the known threat of that little thumb drive. But then when you look to some organisations in the Oil and Gas Industry who have been aware that such introduced devices are carrying Hacking Tools, and the occasional form of low-grade [acceptable] Malware, which are actually ignored, one may well start to feel the onslaught of professional frustrations creep in! Not a case of ‘Who Dares Wins’, but more a circumstance of ‘Who Cares who loses’.
The fundamental bottom line is still that the bad guys are winning with the tool of evolved imagination – and they are entering the battleground against many security management types who are, on occasion, completely devoid of what amounts to the ability to demonstrate Cyber Defensive thinking – allowing risks to populate, manifest, and take their bite out of the soft posteriors of the company they are incumbent to protect – and before you start to shout at me with a ‘how dare he even suggest such a thing’ – may I pre-empt the fury and state, ‘he dares, because he has seen it on all too regular occasions’.
2016 is the year in which we should recognise that Cyber is starting to look like a dirty word. It is a word which is associated with the world of insecurity, rather than that of security, and it is a word which has entered the vocabulary of the public with an adversarial slant.
It is in the year of 2016 in which we must recognise that it is the responsibility of those in the Profession of Digital Security, as we are potentially the group holders of the keys to global stability – and ‘if’ we are going to do it, we ‘must’ ensure we do not cut corners and do it ‘right’. If not, there is simply no point in even trying!