The need to look beyond cyber

elevenM Principal Pete Quigley explores whether a siloed mindset is constraining the value digital risk professionals can bring to organisations and their clients.

I was lucky in the early 2010s to be consulting into Australia’s financial services industry when AWS came to town. I saw first-hand the internal struggles between business and technology teams who wanted to adopt a cloud-first strategy and risk, privacy and security teams who felt they were giving away the keys to the castle.  

Based on my position at the time with PwC, I had a number of fireside chats with the technology risk team from APRA, Australia’s financial services regulator. APRA foreshadowed an impending situation in which institutions would become reliant on digital channels to service their customers, but would lack visibility into what individual services and vendors made up those channels.  

Fast forward a decade and most revenue-producing digital channels leverage a multitude of vendors to provide critical online services. One such widely used vendor that has been hitting the headlines recently is Akamai.

Akamai provides a number of services to optimise and protect digital channels. The nature of these services requires that you allow Akamai to manage critical digital services like Domain Name System (DNS). For those unfamiliar with DNS, it acts as the phonebook of the internet and allows users to connect to websites using domain names such as elevenM.com, instead of IP addresses.  

DNS is commonly considered to be a fragile system. When there are errors in the use or updating of this phonebook, users can’t find websites. This was the case with Akamai recently, whose DNS failure led to a massive internet outage.

When I am asked what elevenM does, I usually revert to our tagline of ‘specialist cyber, privacy and data governance professionals’. I say that because it is what people understand and can draw a line to specific services and, indeed, specific outcomes. Within elevenM, however, we talk in terms of digital risk – the risk our clients face when operating in a digital economy.  

The outage caused by a bug in Akamai’s DNS service was not cyber, privacy or data governance related. In fact, Akamai was at pains to say the issue “was not a result of a cyberattack”, even though it had very little else to say about the root cause.

But the issue still had a significant impact on the availability of the digital channels of a large portion of the internet, and thus on the trust and confidence of users of those services – which is arguably ultimately what our industry is about. 

So, is it time we stop talking about specific delivery-focused silos and start thinking in terms of the customer’s digital experience? To more holistically assess risks to those digital experiences and how we are effectively measuring and managing those risks?  

Rotting fish: The need to improve cyber culture

elevenM’s newest recruit Jasmine Logaraj shares her thoughts on improving the culture within the cyber security industry, and how that will help to defend against cyber threats.

This week, I had the opportunity to attend The CyberShift Alliance’s discussion “Addressing workplace culture in the cyber security sector.” The CyberShift Alliance is a collaboration between several associations including ISACA SheLeadsTech, FITT, CISO Lens, AWSN, the Australian Signals Directorate, AustCyber, ISC2 and AISA, DOTM, EY and Forrester Research, with the goal of addressing culture change within security. This alliance formed from an earlier International Women’s Day event run by AWSN and ISACA.

The purpose of the discussion this week was to raise awareness of toxicity in the cyber security industry. Speaker Jinan Budge, Principal Analyst at Forrester, described the main reasons for toxicity in the industry as being lack of organisational support, ego, and low leadership maturity.

Poor workplace culture is preventing good talent from joining the industry and making it harder to retain it. It is hindering the quality of work and preventing us as a nation from tackling cyber threats in the most inclusive, collaborative and, therefore, optimal way.

I asked Jinan and the panelists during the Q&A session to elaborate on the idea of toxicity being a barrier to young talent. Panelist Jacqui Kernot, Partner in Cyber Security at EY, said the reason it was hard to hire good talent was not because of a shortage of professionals with STEM skills, but because the industry needs to become a better place to work.

As cyber security professionals, we need to make this industry a more exciting and happier place. When recruiting, employers need to consider not only whether the employees are properly skilled, but whether they are the right fit for a good workplace culture, and in turn, whether their company is worthy of such wholesome candidates. Knowledge can be taught. Personality cannot.

Another interesting point raised during the discussion was the inability to speak out about bad behaviour in the cyber security industry. Jinan surveyed her professional network and found that 65% of respondents voted it to be “career suicide” to speak up about workplace problems, highlighting a fear of potential punishment for doing so. 

Changing this consensus relies on us as cyber security professionals leading the way. As Jacqui pointed out: “the fish rots from the head.” It is not an HR problem, but something to be fixed at the leadership level and not denied or swept under the rug. If companies do not address these problems, they will continue to lose good talent, and in turn waste money, time, and effort, leaving them with fewer employees and a lessened reputation. Akin to our efforts to create a security-focused culture in our clients, at elevenM we believe good workplace culture similarly requires an effort to foster shared values through leadership and role-modeling.

I am grateful that there are individuals such as Jinan, Jacqui and James working in my industry who realise the importance of fostering a good workplace culture. With leaders like these, I remain hopeful for the future.

Pete was right (but just this time)

By Arjun Ramachandran

Pete’s a hardened security professional. He’s been in this game for over 20 years and has the battle scars of many cyber uplift and remediation programs. He feels the pain of CISOs fighting the good fight.

I’m a former journo. Even though I’m no longer actively reporting, the craft matters to me and I get defensive and outraged in equal measures about the quality of print news.

Pete and I butted heads in recent days over the reporting of the NSW Auditor-General’s (AG) report into Transport for NSW and Sydney Trains.

The AG report, and much of the media coverage, was overtly critical. A “litany of cyber security weaknesses [identified in] a scathing review” was how the SMH described it.

Pete wasn’t overly happy about the coverage, feeling both the media reporting and the AG report to be unfair, particularly in the context of how organisations actually go about improving their cyber posture (more on this later).

While I defended the reporting as – for the most part – being a fair and straight write-up of the AG report, I have to concede that on the bigger point Pete was dead right.

There’s a problem in our industry, and in broader society, with how we often talk about and respond to reviews of organisations’ security programs. It’s not that we’re quick to talk about deficiencies that don’t exist or that aren’t serious, but that the way these reviews are presented drives a response and conversation that is counterproductive to good security outcomes.

There are no perfect security programs, or organisations with perfect security. The threat landscape changes daily and security uplifts require complex whole-of-organisation changes that necessarily take a long time. Even in the most mature organisations, “good security” is a work in progress, with gaps continuously identified and addressed. Any detailed review will find holes and inadequacies.

To be clear, this is not an argument to take lightly the adverse findings of a review. Arguably, these findings are a large part of why we do reviews, so that a measured and constructive response to them can lead to improved security.

But too often in our journeys at elevenM we see instances where the supercharged or out-of-proportion delivery of adverse findings leads to an equally supercharged response (sometimes in the form of its own large remediation program) that sees a sizeable redirection of resources, and ultimately the deferral or interruption of well-considered strategies or critical uplift projects.

We found it particularly uncomfortable that the AG report was based on a red team exercise. A red team exercise – where “authorised attackers” (in the words of the AG report) are given permission to try and break into systems – will always find security flaws. These exercises are typically conducted expressly to provide insights to security teams that they can learn from. To broadly publish those findings in the tone and manner that the AG report has done didn’t strike us as constructive.

Of Mice and Coin

elevenM’s Peter Quigley takes a closer look at what Australia can do in the face of a modern scourge – ransomware – as governments up the ante against the threat.

Plummeting winter temperatures in Australia have led to an unexpected threat for car and home owners: rats and mice. Like most of us, these rodents are trying to find a place to take refuge from the cold and the resulting damage has been significant.

The scale of this threat has led major insurers to reject many claims made, stating that their insurance only protects against vermin infestation as a flow-on effect from a fire or flood.

As a risk person, I have always found the insurance industry interesting. At its core, it is a system which derives profit from the analysis of risk data. This is why I keep an eye on what the industry is saying about cyber security.

Like homeowners in Australia, companies around the world are now having insurance claims rejected – not for vermin but for infestation of a different kind: ransomware.

As you will have undoubtedly read, ransomware incidents have significantly increased over the past year. The reasons for this have been well reported and we won’t delve into them here. What I want to talk about is what happens to a cyber risk when, like vermin infestation, it becomes uninsurable?

If companies are not able to insure against a potential risk event, then they have two options: (i) accept the risk and wear the cost of that event should it happen or (ii) not engage in the practices which may lead to that risk event. In the case of ransomware (and most cyber threats), given the digital nature of every business today, the latter is not a viable option. So, we are left with the former – that is, taking the position of, as we say in Australia: “She’ll be right”.

If, however, businesses begin to fold and the broader economy is impacted, there’s a case to be made that the government needs to step in. In Australia, we are seeing building momentum as ransomware is wielded as a political stick – most recently by Tim Watts, Australia’s Shadow Minister for Cyber Security, calling for A National Ransomware Strategy. Ransomware was also on the agenda at the G7 summit in London last weekend, with various commitments made to fight the threat collaboratively.

What governments can do to combat this technical and geopolitical threat in real terms is unknown. Mr Watts’ strategy contemplates a variety of measures including increased law enforcement, crackdowns on rogue bitcoin exchanges and various sanctions.

The strategy also advocates for Australian organisations to develop a reputation for being less likely to pay ransoms (through imposing controls on ransomware payments), so that attackers’ return on investment for targeting Australian organisations might fall in comparison to those in other countries. While making yourself a less attractive target is a common and legitimate strategy in cyber security, I tend not to agree with this approach to ransom payments. Due to the random nature of ransomware attacks (often enabled by automated services scanning and prodding IPs across the internet) it seems likely to me that Australian organisations will continue to be heavily impacted by ransomware – regardless of policies that limit or regulate their ability to pay ransoms.

As noted earlier, ransomware is both a technical and geopolitical problem. Looking at both these aspects in detail and asking what can be done, I always arrive at the following:

  • Technical – Ultimately, cyber criminals are most likely to move on if they encounter mature cyber defences. As done in Singapore, Australia should mandate a minimum set of cyber security controls for all critical infrastructure as part of current changes being considered to security legislation. It should outline what those controls are and encourage private businesses to adopt them. The Australian Government should also publish threat data on recent ransomware events so that those charged with operating cyber controls can update them as required.
  • Geopolitical – Not to appear too cynical, but I maintain low expectations on the current and immediate impact of geopolitical efforts on the ransomware landscape. It’s widely believed that ransomware gangs operate with impunity in some jurisdictions, despite those jurisdictions agreeing to international norms. As these geopolitical efforts slowly gather pace, it’s all the more reason to enhance the defensive maturity of organisations in the meantime.

This is just my view. In the words of John Steinbeck, “Guy don’t need no sense to be a nice fella.”

Patch me if you can: key challenges and considerations

In this third and final post of our series on vulnerability management, elevenM’s Theo Schreuder explores some of the common challenges faced by those running vulnerability management programs.

In our experience working with clients, there are some recurring questions that present themselves once vulnerability management programs are up and running. We outline the main ones here, and propose a way forward.

Challenge 1: Choosing between a centralised or decentralised model

Depending on the size of your organisation, a good vulnerability management program may be harder or easier to implement. In a smaller organisation it usually falls to a single security function within the IT team to provide management of vulnerabilities. This makes it easy to coordinate and prioritise remediation work and perform evaluation for exemptions.

However, in larger organisations, having individual systems teams all trying to manage and report on their vulnerabilities makes it difficult to manage vulnerabilities in a holistic way. In these scenarios, a dedicated and centralised vulnerability management team is necessary to provide governance over the entire end-to-end cycle. This team should be responsible for running scans and providing expertise on assessment of vulnerabilities as well as providing holistic reporting to management and executives.

The benefit of a dedicated vulnerability management team is that there is a single point of contact for information about all the vulnerabilities in the organisation.

Challenge 2: Ensuring risk ownership

To avoid cries of “not my responsibility” or “I have other things to do” it is important to establish who owns the risk relating to different assets and domains in the organisation, and therefore who is responsible for driving the remediation of vulnerabilities. Without a clear definition of responsibilities and procedures it is easy to get bogged down in debates over responsibilities for carrying out remediation work, rather than proceeding with the actual doing of the remediation work and securing of the network.

Furthermore, in our experience there are often different responsibilities with regard to who patches what in an organisation. As mentioned in our previous post, often there is a distinction between who is responsible for patching of below base (system level) vulnerabilities and for above base (application level) vulnerabilities. If these distinctions, and the ownership of risk across these distinctions, are not clearly defined then the patching of some vulnerabilities can fall through the cracks.

Challenge 3: Driving risk-based remediation

The importance of having an organisation-wide critical asset register cannot be overstated. From the point of view of individual asset owners, their own application is the most critical… to them. It is important to take an approach that measures the risk of an asset being exploited or becoming unavailable in terms of the business as a whole, and not just in terms of the team that uses the device.

In the same way, security risks, mitigating controls and network exposure must be taken into account. From a risk perspective, an air gapped payroll system behind ten thousand firewalls would not be as critical as an internet-facing router that has no controls in place and a default password that allows a hacker access into your network. Hackers don’t care so much about the function of a device if it allows them access to everything else on your network.
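The ranking described above, sketched as an added example (not elevenM's own code or method). The exposure factors, the 1-5 criticality scale, the "reaches" field and the sample assets and findings are all constructed assumptions chosen to mirror the payroll and router contrast in the text.

```python
from dataclasses import dataclass

# Assumed likelihood factors per network exposure (illustrative, not a standard).
EXPOSURE = {"internet": 0.8, "internal": 0.5, "air_gapped": 0.1}

# Constructed organisation-wide critical asset register: criticality (1-5) is
# set centrally for the business as a whole, and "reaches" lists the assets an
# attacker could get to after compromising this one.
REGISTER = {
    "payroll": {"criticality": 5, "reaches": []},
    "edge-router": {"criticality": 2, "reaches": ["payroll", "wiki"]},
    "wiki": {"criticality": 1, "reaches": []},
}

@dataclass
class Finding:
    asset: str
    severity: float                 # scanner severity on a 0-10 scale
    exposure: str                   # key into EXPOSURE
    controls: int                   # effective mitigating controls in front of the asset
    default_password: bool = False

# Constructed sample findings mirroring the two systems in the text.
FINDINGS = [
    Finding("payroll", 9.8, "air_gapped", controls=2),
    Finding("edge-router", 6.5, "internet", controls=0, default_password=True),
    Finding("wiki", 5.0, "internal", controls=1),
]

def effective_criticality(asset, register):
    """Highest criticality among the asset itself and everything it can reach."""
    entry = register[asset]
    return max([entry["criticality"]] + [register[a]["criticality"] for a in entry["reaches"]])

def risk_score(finding, register):
    """severity x likelihood x business impact; each control layer lowers likelihood."""
    likelihood = EXPOSURE[finding.exposure] / (1 + finding.controls)
    if finding.default_password:
        likelihood = min(1.0, likelihood * 2)   # trivially guessable access
    return finding.severity * likelihood * effective_criticality(finding.asset, register)

def prioritise(findings, register):
    """Remediation order, highest organisational risk first."""
    return sorted(findings, key=lambda f: risk_score(f, register), reverse=True)

if __name__ == "__main__":
    for f in prioritise(FINDINGS, REGISTER):
        print(f"{f.asset:12} severity={f.severity:<4} risk={risk_score(f, REGISTER):.2f}")
```

Sorting the same findings by scanner severity alone would put the payroll system first; factoring in exposure, controls and what each asset can reach moves the router to the top.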

To recap …
We hope you enjoyed the series on vulnerability management. For a refresher, you can find links to all the posts in the series at the bottom of the article. In the meantime, here are our 5 top steps for a good vulnerability management program:

  1. Get visibility quickly – scan everything and tailor reports to different audiences.
  2. Centralise your vulnerability management function – provides a holistic picture of risk to your entire network and supports prioritisation.
  3. Know your critical assets – understand their exposure and prioritise their remediation.
  4. Get your house in order – have well defined and understood asset inventories, processes and risk ownership.
  5. Automate as much as possible – leverage technology to reduce the costs of lowering risk and allow you to do more with fewer resources.

Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations