The need to look beyond cyber

elevenM Principal Pete Quigley explores whether a siloed mindset is constraining the value digital risk professionals can bring to organisations and their clients.

I was lucky in the early 2010s to be consulting into Australia’s financial services industry when AWS came to town. I saw first-hand the internal struggles between business and technology teams who wanted to adopt a cloud-first strategy and risk, privacy and security teams who felt they were giving away the keys to the castle.  

Based on my position at the time with PwC, I had a number of fireside chats with the technology risk team from APRA, Australia’s financial services regulator. APRA foreshadowed an impending situation in which institutions would become reliant on digital channels to service their customers, but would lack visibility into what individual services and vendors made up those channels.  

Fast forward a decade and most revenue producing digital channels leverage a multitude of vendors to provide critical online services. One such widely-used vendor who has been hitting the headlines recently is Akamai. 

Akamai provides a number of services to optimise and protect digital channels. The nature of these services requires that you allow Akamai to manage critical digital services like Domain Name System (DNS). For those unfamiliar with DNS, it acts as the phonebook of the internet and allows users to connect to websites using domain names such as elevenM.com, instead of IP addresses.  

DNS is commonly considered to be a fragile system. When there are errors in the use or updating of this phonebook, users can’t find websites. This was the case with Akamai recently, whose DNS failure led to a massive internet outage

When I am asked what elevenM does, I usually revert to our tagline of ‘specialist cyber, privacy and data governance professionals’. I say that because it is what people understand and can draw a line to specific services and, indeed, specific outcomes. Within elevenM, however, we talk in terms of digital risk – the risk our clients face when operating in a digital economy.  

The outage caused by a bug in Akamai’s DNS service was not cyber, privacy or data governance related. In fact Akamai was at pains to say the issue “was not a result of a cyberattack”, even though it had very little else to say about the root cause. 

But the issue still had a significant impact on the availability of the digital channels of a large portion of the internet, and thus on the trust and confidence of users of those services – which is arguably ultimately what our industry is about. 

So, is it time we stop talking about specific delivery-focused silos and start thinking in terms of the customer’s digital experience? To more holistically assess risks to those digital experiences and how we are effectively measuring and managing those risks?  

Rotting fish: The need to improve cyber culture

elevenM’s newest recruit Jasmine Logaraj shares her thoughts on improving the culture within the cyber security industry, and how that will help to defend cyber threats.

This week, I had the opportunity to attend The CyberShift Alliance’s discussion “Addressing workplace culture in the cyber security sector.” The CyberShift Alliance is a collaboration between several associations including ISACA SheLeadsTech, FITT, CISO Lens, AWSN, the Australian Signal Directorate, AustCyber, ISC2 and AISA, DOTM, EY and Forrester Researcher, with the goal of addressing culture change within security. This alliance formed from an earlier International Women’s Day event run by AWSN and ISACA.

The purpose of the discussion this week was to raise awareness of toxicity in the cyber security industry. Speaker Jinan Budge, Principal Analyst at Forrester, described the main reasons for toxicity in the industry as being lack of organisational support, ego, and low leadership maturity.

Poor workplace culture is preventing good talent from joining the industry and making it harder to retain it. It is hindering the quality of work and preventing us as a nation from tackling cyber threats in the most inclusive, collaborative and, therefore, the most optimum way.

I asked Jinan and the panelists during the Q&A session to elaborate on the idea of toxicity being a barrier to young talent. Panelist Jacqui Kernot, Partner in Cyber Security at EY, said the reason it was hard to hire good talent was not because of a shortage of professionals with STEM skills, but because the industry needs to become a better place to work.

As cyber security professionals, we need to make this industry a more exciting and happier place. When recruiting, employers need to consider not only whether the employees are properly skilled, but whether they are the right fit for a good workplace culture, and in turn, whether their company is worthy of such wholesome candidates. Knowledge can be taught. Personality cannot.

Another interesting point raised during the discussion was the inability to speak out about bad behaviour in the cyber security industry. Jinan surveyed her professional network and found that 65% of respondents voted it to be “career suicide” to speak up about workplace problems, highlighting a fear of potential punishment for doing so. 

Changing this consensus relies on us as cyber security professionals leading the way. As Jacqui pointed out: “the fish rots from the head.” It is not a HR problem, but something to be fixed at the leadership level and not denied or swept under the rug. If companies do not address these problems, they will continue to lose good talent, and in turn waste money, time, and effort, leaving them with fewer employees and a lessened reputation. Akin to our efforts to create a security-focused culture in our clients, at elevenM we believe good workplace culture similarly requires an effort to foster shared values through leadership and role-modeling.

I am grateful that there are individuals such as Jinan, Jacqui and James working in my industry who realise the importance of fostering a good workplace culture. With leaders like these, I remain hopeful for the future.

Patch me if you can: key challenges and considerations

In this third and final post of our series on vulnerability management, elevenM’s Theo Schreuder explores some of the common challenges faced by those running vulnerability management programs.

In our experience working with clients, there are some recurring questions that present themselves once vulnerability management programs are up and running. We outline the main ones here, and propose a way forward.

Challenge 1: Choosing between a centralised or decentralised model

Depending on the size of your organisation, a good vulnerability management program may be harder or easier to implement. In a smaller organisation it usually falls to a single security function within the IT team to provide management of vulnerabilities. This makes it easy to coordinate and prioritise remediation work and perform evaluation for exemptions.

However, in larger organisations, having individual systems teams all trying to manage and report on their vulnerabilities makes it difficult to manage vulnerabilities in a holistic way. In these scenarios, a dedicated and centralised vulnerability management team is necessary to provide governance over the entire end-to-end cycle. This team should be responsible for running scans and providing expertise on assessment of vulnerabilities as well as providing holistic reporting to management and executives.

The benefit of a dedicated vulnerability management team is that there is a single point of contact for information about all the vulnerabilities in the organisation.

Challenge 2: Ensuring risk ownership

To avoid cries of “not my responsibility” or “I have other things to do” it is important to establish who owns the risk relating to different assets and domains in the organisation, and therefore who is responsible for driving the remediation of vulnerabilities. Without a clear definition of responsibilities and procedures it is easy to get bogged down in debates over responsibilities for carrying out remediation work, rather than proceeding with the actual doing of the remediation work and securing of the network.

Furthermore, in our experience there are often different responsibilities with regards to who patches what in an organisation. As mentioned in our previous post, often there is a distinction between who is responsible for patching of below base (system level) vulnerabilities and for above base (application level) vulnerabilities. If these distinctions, and the ownership of risk across these distinctions, are not clearly defined then the patching of some vulnerabilities can fall through the cracks.

Challenge 3: Driving risk-based remediation

The importance of having an organisation-wide critical asset register cannot be overstated. From the point of view of individual asset owners, their own application is the most critical….to them. It is important to take an approach that measures the risk  of an asset being exploited or becoming unavailable in terms of the business as a whole, and not just in terms of the team that uses the device.

In the same way, security risks, mitigating controls and network exposure must be taken into account. From a risk perspective, an air gapped payroll system behind ten thousand firewalls would not be as critical as an internet-facing router that has no controls in place and a default password that allows a hacker access into your network. Hackers don’t care so much about the function of a device if it allows them access to everything else on your network.

To recap …
We hope you enjoyed the series on vulnerability management. For a refresher, you can find links to all the posts in the series at the bottom of the article. In the meantime, here are our 5 top steps for a good vulnerability management program:

  1. Get visibility quickly – scan everything and tailor reports to different audiences.
  2. Centralise your vulnerability management function – provides a holistic picture of risk to your entire network and supports prioritisation.
  3. Know your critical assets – understand their exposure and prioritise their remediation.
  4. Get your house in order – have well defined and understood asset inventories, processes and risk ownership.
  5. Automate as much as possible – leverage technology to reduce the costs of lowering risk and allow you to do do more with less resources.

Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations

News round-up March 2021 — That horrible Exchange compromise, IOT security threats made real and digital platforms’ latest privacy challenges

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

“But has the horse has already bolted?” That’s the question senior US officials want companies who’ve applied patches for the highly publicised Microsoft Exchange security breach to ask themselves. The ugly Exchange Server compromise headlines our round-up, which also features an IoT breach that snared businesses across a range of industries, and the latest ransomware tactics.

Key articles

Thousands of Exchange servers breached prior to patching, CISA boss says

Summary: Four previously unidentified vulnerabilities in the Microsoft Exchange Server have been exploited by state-sponsored actors operating out of China, with some reports citing as many as 60,000 organisations affected.

Key risk takeaway: Being patched against these vulnerabilities might be giving system administrators a false sense of confidence. Having observed numerous concerted attempts to exploit the flaws, US officials are urging companies to take aggressive action to investigate and remediate compromises that may already have occurred (before patching). Accordingly, in addition to moving fast to release patches, Microsoft has published detailed guidance on its website on how to investigate and remediate the vulnerabilities, and even developed a “one-click mitigation tool” for organisations with smaller or less-resourced security teams. To learn more about how to develop a comprehensive vulnerability management program to drive timely remediation of dangerous security flaws (noting once again that patching alone may be insufficient in Exchange incident), check out our recent blog series here.

#vulnerabilitymanagement #statesponsoredattack


Directors must face cyber risks

Summary: Directors of public firms are expected to soon face greater accountability from cyber risks under the Government’s cyber strategy.

Key risk takeaway: Lack of preparation for cyber risks by boards may soon be punishable, as the Government seeks to make changes to directors’ duties in the second half of 2021. The Government is light on details but has cited preventing customer credentials from ending up on the dark web as a potential example of these new obligations. The introduction of these obligations follows the imposition of director duties on directors of financial institutions by APRA’s Prudential Standard 234. The moves are also part of a broader push for the Defence Department to take more forceful steps to “step in and protect” critical infrastructure companies, even if they are in the private sector.

#cyber #APRA #regulations


Hackers say they’ve gained access to surveillance cameras in Australian childcare centres, schools and aged care

Summary: Hacktivists gained access to approximately 150,000 Verkada surveillance cameras around the world after finding the username and password for an administrator account publicly exposed on the internet.

Key risk takeaway: This incident is not only a concrete example of oft-described potential security risks of IOT (not to mention the implications of poor password management). It also highlights that risks and impacts from these devices may be felt differently across a variety of sectors. For example, uncomfortable regulatory conversations could arise for some of Verkada’s clients (which include childcare centres and aged-care facilities), given the cameras have built-in facial recognition technology and can be placed in sensitive locations. This incident also highlights ongoing challenges for organisations in achieving effective security assurance over their supply chains, especially cloud-based suppliers.

#cybersecurity #IOT #suppliersecurity


Universal Health Services reports $67 million in losses after apparent ransomware attack

Summary: Universal Health Services (UHS) has reported losing US$67 million from the September ransomware attack that affected a large range of systems.

Key risk summary: The serious financial implications of ransomware continue to be apparent, with UHS’ heavy losses comprising both lost revenue and increased labour costs. Meanwhile Finnish psychology service Vastaamo, whose ransomware challenges we described in October, has now filed for bankruptcy. In a mark of how lucrative ransomware has become,  ransomware operators reportedly pulled in $370 million in profits last year. Still, techniques continue to evolve. Researchers recently observed attackers breaching ‘hypervisor servers’ (which organisations use to manage virtual machines). Doing this allows attackers to encrypt all virtual machines on a system, increasing pressure on victim organisations to pay a ransom. In the face of the continued evolution of ransomware, Australia’s Federal Labor Opposition has now called for a national ransomware strategy comprising a variety of measures including regulations, law enforcement, sanctions, diplomacy, and offensive cyber operations. Some of the thinking in the strategy – e.g. around enforcement and sanctions – also aligns with recent expert calls for a global effort to create a new international collaboration model to tackle ransomware.

#ransomware #cybersecurity #costofdatabreach


WhatsApp tries again to explain what data it shares with Facebook and why

Summary: WhatsApp deferred the introduction of new privacy terms in order to buy time to better explain the change.

Key risk takeaway: This is one of many recent examples that show us it is no longer sufficient for online services to have a “take it or leave it” attitude in their privacy terms. Having first taken such an approach with its revised privacy terms, WhatsApp had to scramble to explain the changes after “tens of millions of WhatsApp users started exploring alternatives, such as Signal and Telegram”. More broadly, a recent New York Times editorial also argued that current consent models and the default practice requiring consumers to opt-out of data collection practices undermines privacy and must change. In our recent blog post we explore in detail the adequacy of current approaches to consent, which is being examined under the current review of the Australian Privacy Act.

#privacy #consent


TikTok reaches $92 million settlement over nationwide privacy lawsuit

Summary: TikTok agreed to settle 21 combined class-action lawsuits over invasion of privacy for US $92million.

Key risk takeaway: Disregarding appropriate privacy measures will have financial consequences – whether that’s through regulatory fines, legal settlements (as is the case here) or the long-term erosion of user trust. Complaints from the lawsuits against TikTok alleged a range of issues, from using facial analysis to determine users’ ethnicity, gender, and age to illegal transmissions of private data. And just as TikTok said it didn’t want to take the time to litigate the complaints, it was also rated one of the least trusted digital platforms. Privacy responsiveness and social responsibility from digital platforms are fast becoming market differentiators, with 62% of Americans saying search and social media companies need more regulation.

#privacy #transparency #trust

Patch me if you can: the six steps of vulnerability management

This is the second post in a three-part series on vulnerability management. In this post, elevenM’s Theo Schreuder describes the six steps of a vulnerability management program.

In the first post of this series, we explored why vulnerability management is important and looked at key considerations for setting up a vulnerability management program for success. In this post, we’ll step you through the six steps of vulnerability management.


The six steps of vulnerability management

The six steps of vulnerability management [Source: CDC]

Let’s explore each step in more detail.

  1. Discover vulnerabilities

The most efficient way to discover vulnerabilities is to use a centralised and dedicated tool (for example, Rapid7 InsightVM, Tenable, Qualys) that regularly scans assets (devices, servers, internet connected things) for published vulnerabilities. Information about published vulnerabilities can be obtained from official sources such as the US-based National Vulnerability Database (NVD), via alerts from your Security Operations Centre (SOC) or from external advisories.

Running scans on a regular basis ensures you have continuous visibility of vulnerabilities in your network.

 

2. Prioritise assets

Prioritising assets allows you to determine which remediation actions to focus on first to reduce the greatest amount of risk within the shortest time and with least budget.

Prioritisation of assets relies on having a well-maintained asset inventory (e.g. a Central Management Database or CMDB) and a list of the critical “crown jewel” assets and applications from a business point of view (for example, payroll systems are typically considered critical assets). Another factor to consider in determining prioritisation is the exposure of an asset to the perimeter of the network, and how many “hops” the asset is from an internet-facing device.

 

3. Assess vulnerability severity

After devices are scanned, discovered vulnerabilities are usually be assigned a severity score based on industry standards such as the Common Vulnerability Scoring System (CVSS) as well as custom calculations that — depending on the scanning tool — take into account factors including the ease of exploitability and the number of known exploit kits and plug-and-play malware kits available to exploit that vulnerability. This step can also involve verifying that the discovered vulnerability is not a false positive, and does in fact exist on the asset.

 

4. Reporting

When creating reports on vulnerability risk, it’s important to consider different levels of reporting to suit the needs of different audiences. Your reporting levels could include:

  1. Executive level reporting
    This level of reporting focuses on grand totals of discovered vulnerabilities and vulnerable assets, total critical vulnerabilities, and historical trends over time. The aim is to provide senior executives with a straightforward view of vulnerabilities in the network and trends.
  2. Management level reporting
    For individual managers and teams to manage their remediation work, it helps to provide them with a lower-level summary of only the assets they are responsible for. This report will have more detail than an executive level report, and should provide the ability to drill down and identify the most vulnerable assets and critical vulnerabilities where remediation work should begin.
  3. Support team level reporting
    This is the highest resolution report, providing detail for each vulnerability finding on each asset that a support team is responsible for. Depending on the organisation and the way patching responsibilities are divided, splitting out reporting between operating systems (below base) and application level (above base) can also be advantageous as remediation processes for these levels can differ.
A sample management-level vulnerability report generated using Tableau

 

5. Remediate vulnerabilities

“The easiest way to get rid of all of your vulnerabilities is to simply turn off all of your devices!”

– origin unknown

Remediation can take a variety of forms including but not limited to changing configuration files, applying a suggested patch from the scanning tool or even uninstalling the vulnerable program entirely.

There may be also be legitimate cases where a vulnerability may be exempted from remediation. Factors could include:

  • Is the asset soon to be decommissioned or nearing end-of-life?
  • Is it prohibitively expensive to upgrade to the newest secure version of the software?
  • Are there other mitigating controls in place (e.g. air-gapping, firewall rules)
  • Will the required work impact revenue by reducing service availability?

 

6. Verify remediation

Are we done yet? Not quite.

It doesn’t help if — after your support teams have done all this wonderful work — your vulnerability scanning tool is still reporting that the asset is vulnerable. Therefore, it is very important that once remediation work is complete you verify that the vulnerability is no longer being detected.

Stay tuned for the third and final post in the series, in which we discuss common challenges and considerations for a well-functioning vulnerability management program.


Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations