Nuix’s chief information security officer Chris Pogue says security legislation runs the risk of creating a culture of bureaucrats ticking checkboxes to claim compliance, while not meeting real-world security requirements.
iTWire interviewed Pogue, who, apart from his role at Nuix, served in the United States Army and studied combat tactics for 15 years.
“Security has become somewhat of a Frankenstein. There's this disparity of tools that you buy so what you have is a sort of Mad Max car that has stuff bolted on everywhere. What we (Nuix) want to do is take you from detection to litigation [the whole nine yards]. We want you to be able to detect, investigate, remediate and litigate all with one streamlined set of tools,” he said.
So begins an hour of a no-holds-barred, tell-it-as-it-is security sermon from a combination of cyber crimes investigator, ethical hacker, former military officer, and law enforcement and military instructor. The hour-long conversation has been paraphrased under focused headings.
Nuix - The Black Report
There are a lot of security reports out there so before Nuix published its own titled “The Black Report” we naturally read as many of the others as possible. We found two major limitations. First, the “data” was limited to the author’s customer base, and second, the issues were invariably presented from the victim’s perspective.
Sun Tzu was a Chinese general, military strategist, and philosopher who in the Art of War said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles….”
As an industry, we do a good job of knowing ourselves – we know what our vulnerabilities and weaknesses are. We don't really know the enemy.
The genesis of the Black Report is to show the industry the enemy. When we talk to them, they don't think they're the enemy, right? They see themselves as the only source of true intelligence for the industry, because who better to tell you how effective your security controls are than folks who spend all day every day circumventing those security controls?
The Black Report has privileged information from pen testers and hackers attending DEFCON and Black Hat in Las Vegas, NV, USA, the world's largest security conferences. iTWire covered the report here.
Q. What countermeasures proved most effective?
Firewalls and Anti-Virus (AV) software did not modify hackers' approaches in any way. That is interesting since most organisations focus on firewalls and AV, and these were not statistically significant.
Employee education – 79% believed that it was either extremely important or important to train their employees and train them repeatedly to have them establish “muscle” memory.
Goal-oriented pen [penetration] testing was at 76% - obviously, a bunch of pen testers think that that's important.
Q. You said most audit standards are not up to the reality?
Audit standards were written by auditors, not by hackers. They establish a baseline for security, but they don't necessarily capture the multitude of scenarios that an attacker can use to circumvent it. They should be seen as a floor – never a ceiling.
The biggest frustration is that 64% of IT people still don't fix what they know is broken. So, the pen tester gets frustrated if they come back and do the pen test the following year and find the same stuff they found last year, with the common excuse being competing priorities, different projects or ‘bigger things’ getting in the way.
General Data Protection Regulation (GDPR) goes into effect next year. The phenomenon we saw in the US with the evolution of breach disclosure is there is now breach litigation, which means “thou shalt report”.
Australia has its mandatory breach reporting legislation and once it becomes public, lawyers are going to get involved and say “that's what lawyers do best – litigate and make money.”
Once we get into post-breach litigation, then the finger-pointing starts, because that's how lawyers get paid and the defence starts, and you'll see this mature, robust, post-breach litigation area spilling out.
In the US we've seen a new pattern of pen testers — including Nuix — being hired by outside counsel. I give my report to the lawyers under privilege, so when the opposing counsel, during litigation, says “I want to see the report”, I say “I don't have a report, it is protected under privilege – go ask counsel.”
Q. Is the statement “This was the most high-level hack that we could not have protected against” remotely correct?
I will fly the “BS” flag on that one. In fact, it is so textbook that it is in the book that I wrote two years ago. To call it a propensity to overstate the complexity of a breach is an understatement, usually adding “But at the same time, we're confident that no customer data was impacted.”
Despite what you are told by the organisations that are breached, these are normally not complex. They are not zero-day exploits by ninja hackers. It is things like bad passwords, open remote access and SQL injection. For crying out loud, 20 years later, SQL injection is still a real thing. We're just not doing the blocking and tackling that we should be doing.
It is all about trying to establish a reasonable defence against the cyber security malpractice. I think there is still a “reasonable defence” argument but it is very, very small and it is going to depend on the credibility and ability to convince a jury.
Q. When is enough money thrown at the problem enough to solve it?
Yahoo! is the gift that keeps on giving. Last week it was revealed that the Yahoo! executives knew about the data breach in 2014 and they hid it, and then they misfiled their SEC filings and didn't report it until two years later. So, they violated every one of the 47 different state breach disclosure laws. The general counsel was let go for failure to provide adequate counsel.
It is not a matter of how much you spent to become compliant with the legislation – it is about protecting people’s data. It is a holistic approach to security, people, and hardware.
On the latter point, we are likely to see hardware suppliers (like IBM, HP, and Dell) put up the same defence that the gun makers do - I don't tell you who to point it at, I just sell you the firearm. In fact, any supplier is going to claim configuration of firewalls, routers etc., are the responsibility of the purchaser. RTFM.
Q. No system is unhackable. Care to comment more?
Did you ever read “The Art of Deception” by Kevin Mitnick? Mitnick hacked into the IBM systems that were on the showroom floor at one of the conferences. He didn't hack the system itself, he used the people at the booth – nothing is unhackable. It could be technically locked down, but there's always some way to get around something somewhere.
I was doing a forensics investigation on a hack that had two ports open: 80 and 53. It allowed Web traffic and it allowed DNS traffic. And it only allowed DNS traffic outbound, not inbound – so it was pretty solid. The attackers had to get data out and they only had two ports open to do it, so how would they do that? The creative part was appending encrypted data on the back of RFC-compliant DNS packets. There are always ways around. Even if they must invent them on the fly, they'll do it.
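The DNS channel Pogue describes leaves a trace a defender can look for: queries whose leftmost label is long and high-entropy (encoded payload rather than a hostname), repeated many times against one domain. The following is an added example, not code from the article or from Nuix, and it assumes a simplified resolver log format of "timestamp client-ip query-type query-name" (constructed sample lines, not the investigation's data), a "last two labels" heuristic for the registrable domain, and illustrative thresholds (label length, entropy, number of distinct payload labels) that would be tuned to a real environment.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines (assumed format, not from the article's case):
# "<timestamp> <client-ip> <query-type> <query-name>"
SAMPLE_LOG = """\
2017-05-01T10:00:01 10.0.0.5 A www.example.com
2017-05-01T10:00:02 10.0.0.5 A mail.example.com
2017-05-01T10:00:03 10.0.0.7 TXT 4f2a9c1e7b3d8a6f0c5e2b9d7a1f3c8e.d1.exfil-example.net
2017-05-01T10:00:04 10.0.0.7 TXT 9b7e3d1a5c8f2e6b4d0a7c3f1e9b5d2a.d1.exfil-example.net
2017-05-01T10:00:05 10.0.0.7 TXT c3e8a1f6b2d9e4c7a0f5b3d8e1c6a9f2.d1.exfil-example.net
2017-05-01T10:00:06 10.0.0.9 A cdn.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into its four assumed fields; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def registered_domain(qname):
    """Assumed simplification: the last two labels are the registrable domain."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def is_suspicious_label(label, min_len=30, min_entropy=3.0):
    """A long, high-entropy leftmost label looks like encoded data, not a hostname.
    Thresholds are illustrative and would be tuned per environment."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detect_dns_tunnelling(log_text, min_unique=3):
    """Group suspicious queries by (client, domain) and report groups that carry
    at least min_unique distinct payload labels, i.e. repeated data-bearing queries."""
    groups = defaultdict(lambda: {"labels": set(), "qtypes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        leftmost = rec["qname"].split(".")[0]
        if is_suspicious_label(leftmost):
            key = (rec["client"], registered_domain(rec["qname"]))
            groups[key]["labels"].add(leftmost)
            groups[key]["qtypes"].add(rec["qtype"])
    alerts = []
    for (client, domain), info in sorted(groups.items()):
        if len(info["labels"]) >= min_unique:
            alerts.append({"client": client, "domain": domain,
                           "unique_payload_labels": len(info["labels"]),
                           "qtypes": sorted(info["qtypes"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunnelling(SAMPLE_LOG):
        print(alert)
```

On the sample above only the 10.0.0.7 queries to exfil-example.net are reported; the ordinary hostname lookups never pass the label test. A real deployment would also weigh query type mix, query volume per domain and the ratio of unique subdomains to total queries, since the per-label check alone is easy to evade with shorter chunks.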
Q. You have had many discussions with Australian business – on a security scale of one to ten, how are they doing?
If I had to pick a number: maybe 10% are doing a good job with security, based on US figures and my experience there. But the difference is most Australian businesses are small and have a core competency that's outside of technology – they sell pies or they sell shoes or whatever.
Thinking they're going to understand the nuances of cyber security and employ a highly skilled CISO is just unrealistic. And so hopefully you would get firms that stand up and specialise in the SMB market and can advise them. But then they must take action.
Small business needs to look closely at MSSP (managed security service providers) and move to an OPEX model to pay as they go. It is a growth industry.
Most organisations, at least in the US, have a hard time recovering from a data breach, especially small businesses in competitive markets. If there is brand damage to an organisation and you have a competitor down the street, why am I going to shop with you anymore?
Q. What are some key messages you tell Boards?
You'll never be secure – it is a journey, not a destination, and is a cost of doing business.
Training your staff will have the biggest impact on your overall security posture, 26%. You need a very robust training program with weekly newsletters, videos, mock exercises, security presentations – everyone in the company must be an extension of the security team.
In the army, we used to say everybody's in the infantry. Doesn't matter if you're a nurse, it doesn't matter if you're a helicopter pilot, doesn't matter if you're a five-star general or the newest private, everybody's in the infantry. Everybody needs to know how to shoot, move, and communicate.
The key message for the board
- Trust your security professionals, you hired them for a reason
- There is a quantifiable ROI for security because we can talk about protracted litigation, costs in terms of what it means to pay your lawyers, what it means to pay the salaries of your security professionals. Then there are some intangibles like loss of customer confidence, loss of market share, and loss of brand reputation.
- Boards say “Who would hack us?” The answer is more questions. Do you have competitors? Do you have data that can be monetised? Do your executives always say the right things in the news and the media?
- Nothing is worse than a CISO with no ability to affect change. Don’t hire a CISO to tick a box that says you have a CISO.