What This CISO Did To Protect His Company’s Data Will SHOCK You!

Good, my clickbait title worked and you’re here.   I have my cranky pants on, so let’s go.

On last week’s podcast episode, Andy and I talked about Rob Graham’s recent blog post, “Dumb, Dumber and cybersecurity”, in which Rob railed on a buzjournal.com post titled “10 Steps to Protect Your Business From Cybersecurity Threats”.

Rob rightly points out that none of the 10 recommended steps really address the top ways companies actually get breached:

  • SQLi
  • Phishing
  • Password reuse

Perhaps I have some Baader-Meinhof going on, but I am seeing these damn “Top X lists to thwart the evil advanced cyber APT nation-state hacker armies of 15 year olds” EVERYWHERE.

Like here, here, here, and here.  I’M QUICKLY REALIZING THAT CREATING THESE LISTS IS AN EPIDEMIC THAT HAS INFECTED THE BRAINS OF MARKETING PEOPLE ALL OVER THE WORLD, CAUSING DIARRHEA OF THE FINGERS.

These stupid lists are nothing more than infosec marketing platitudes…

“Keep your AV up to date!”.  Yeah, that’s going to save you.

“Keep your systems patched!”.  Yep.  Show me an organization that is able to do this, and I’ll send you a link to click on.

“Know where your data is!”.  Sure.  It’s every-fucking-where.  OKAY?  Everywhere.

“Abandon the castle wall philosophy and build protection around the data!”.  What?  I guess Google did this, right?

“Restrict employee access to only that which they need!”.   Least privilege and all that, right?

“Restrict network access to only that which is needed!”

and on and on.

These are all, of course, good ideas.  However, they’re not actionable ideas.  And, as Rob pointed out, most aren’t even the way in which businesses are getting compromised.

Let’s pick on one, just as an example of not being actionable: “Restrict employee access to only that which they need!”

Who could argue with that sage advice?  Well, I will.  The issue is that it doesn’t actually solve much in the real world.  Here’s what I mean: If I’m an accountant who needs to run queries against the financial database, restricting access might mean I get a read-only account to run my queries with.  That rarely comes with any consideration of the risk that remains with the access I was given.  The table I am querying has credit card numbers in it, and our database doesn’t let us restrict my access down to a field level, so in order to do my job I am given the least access possible, which is still way too much.  Is there a better way?

And so I click on funnycats.exe, because damn, who doesn’t like funny cats?  And the following Sunday, Brian Krebs is on the phone with my company’s PR person asking for an interview about our data that is for sale on a forum somewhere.  BUT BUT BUT… least privilege was followed.
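As an added illustration (not from the original post), here is the accountant’s “least privilege” account beside the field-level restriction the post says its database couldn’t do. The schema, role names and passwords are made up for the example, and the dialect is PostgreSQL, which supports column-level GRANT and views; run it as a superuser so the SET ROLE checks at the end work.

```sql
-- Constructed example schema: a payments table that carries card numbers
-- alongside the amounts, dates and invoice numbers the accountant actually needs.
CREATE TABLE payments (
    id          serial PRIMARY KEY,
    invoice_no  text NOT NULL,
    amount      numeric(12,2) NOT NULL,
    paid_on     date NOT NULL,
    card_number text NOT NULL,   -- the sensitive field nobody in finance needs
    card_last4  text NOT NULL
);

INSERT INTO payments (invoice_no, amount, paid_on, card_number, card_last4)
VALUES ('INV-1001', 250.00, '2015-03-02', '4111111111111111', '1111'),
       ('INV-1002', 980.50, '2015-03-03', '5555555555554444', '4444');

-- "Least privilege" as it is usually done: a read-only account on the table.
-- Read-only still means every row and every column, card numbers included.
CREATE ROLE accountant_ro LOGIN PASSWORD 'example-only';
GRANT SELECT ON payments TO accountant_ro;
-- After funnycats.exe runs, whoever owns that session can simply do:
--   SELECT card_number FROM payments;     -- works, returns every card number

-- Field-level restriction, two ways, in a database that supports it.

-- (1) Column-level GRANT: the role may SELECT only the listed columns.
CREATE ROLE accountant_cols LOGIN PASSWORD 'example-only';
GRANT SELECT (id, invoice_no, amount, paid_on, card_last4)
    ON payments TO accountant_cols;
--   SELECT amount FROM payments;          -- works
--   SELECT card_number FROM payments;     -- ERROR: permission denied for table payments
--   SELECT * FROM payments;               -- also denied: * expands to include card_number

-- (2) A view that leaves the column out, with no grant on the base table at all.
CREATE VIEW payments_for_finance AS
    SELECT id, invoice_no, amount, paid_on, card_last4
    FROM payments;
CREATE ROLE accountant_view LOGIN PASSWORD 'example-only';
GRANT SELECT ON payments_for_finance TO accountant_view;
-- The view is owned by the superuser that created it, so it can read payments;
-- accountant_view can only ever see the five columns the view exposes.

-- Check: try the sensitive column as each role. Only the first succeeds.
SET ROLE accountant_ro;    SELECT card_number FROM payments LIMIT 1;  -- succeeds
RESET ROLE;
SET ROLE accountant_cols;  SELECT card_number FROM payments LIMIT 1;  -- permission denied
RESET ROLE;
SET ROLE accountant_view;  SELECT card_number FROM payments LIMIT 1;  -- permission denied
RESET ROLE;
```

The caveat is the post’s own point: the column grant or the view shrinks what a hijacked session can pull, but accountant_cols can still dump every invoice, amount and last-four in the table, because that is exactly what the job requires. Restricting access changes the size of the loss when the funny-cat click happens; it does not make the click stop mattering.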

And so it goes.  Cybersecurity is hard.  It takes thought, analysis and consideration of risks, not a bunch of dumb platitudes.

#getoffmylawn