Can you start building a security architecture without a foundation?

Ideally, when constructing a building such as a house, you start from 0 to 100: build the foundation, erect the structure, fit the windows and roof, and finish with the cosmetic tasks such as painting and plumbing. While this bottom-up approach is ideal and feasible for the physical construction of things like a house or an aeroplane, it may not be ideal for building a business information security programme, because information security has for years been an afterthought: systems were developed, and then the security folks were asked to add on security controls, or a layer of security, on top of an insecure system. That is neither security by design nor security by default.

Most of the organisations I have had the honour to visit or assess either have a formalised security programme or information security management system (ISMS), in which information security activities are coordinated coherently, or have no formalised security programme at all. The question I have been asking myself is: can someone start from the middle, putting together whatever they already have, and arrive at a complete business information security architecture?

YES, I think, is the answer to this question, based on what I have seen so far. In the next post, I will expand on how an organisation can start in the middle and complete its business security architecture.

Cybersecurity Resilience: the 3-dimensional approach of Technology, People and Processes (TPP)

Sony, Target, Equifax, Facebook, Kaspersky, the Iran nuclear plant: do these names ring a bell?

You might have noticed them in newspaper headlines (or on a blog such as Dark Reading or The Register). What they have in common is that they are big organisations, and all have been breached at some point in their business lifetime. The question is not whether you are going to get breached, but when. And the question to ask yourself is: do you have resilient enough controls for your business to sustain these attacks and continue to serve your customers or the public?

If the reality hasn't sunk in yet, I think now is the right time to review your Incident Response Plans and the resilience of your infrastructure and processes (and don't forget your PEOPLE; their resilience matters the most).

In preparation for building the resilience needed to respond to an attack, it is better to start at the grassroots level with the following questions:

  • Why are most organisations not prepared to respond to security attacks?
  • What does reasonable resilience look like across the three dimensions of Technology, People and Processes (TPP)?

In the next post, I will expand on these two questions; for now, let's leave it here.

Mind the Burnout Security Appliance.

Imagine this: as a Qualified Security Assessor, below is a close resemblance of a typical yearly schedule for conducting assessments.

  • January – March: Service Provider Assessment (25 days)
  • April – May: Data Centre Assessment (15 days)
  • May – October: Retail Supermarket Assessment (60 days)
  • November – December: Service Provider Assessment (25 days)

A typical assessment averages between 10 and 100 days.

The days you are on the bench are typically filled with short engagements of 5 to 10 days, such as one of the below:

  • PCI scoping exercise
  • PCI Gap Analysis
  • Define a PCI Program for a client
  • SAQ assessment
  • ISO 27001 Scoping / Gap Analysis or Internal Audit

With this busy schedule, a consultant usually ends up meeting or far exceeding the utilisation target, which for most consultancies is set to either 65% or 85%; in plain English, out of 20 working days, you end up working all 20.

In the security industry, or at least from my personal experience, security consultants put in a lot of hours day in and day out, which in the long run benefits the company as well as personal career growth. What we fail to take into consideration is how you manage yourself physically and emotionally so as to minimise burnout.

To minimise burnout, it is important to make sure you have the right work/life balance. Whilst this is easier said than done, you have to create your own programme (don't wait for the company to do this for you) in which you make sure you have time to exercise and to engage in something outside of the cyber world.

For myself, I have managed to create a schedule where I can do physical activities during the week, e.g. running, swimming, playing basketball and cycling. I also tend to read something outside of the cyber security world, which at least puts my mind at ease, and most importantly my weekends are purely reserved for my family, during which I don't check work emails or work on any report or sales pitch preparation. The trick is to start small with a few routines, e.g. a 10-minute walk or run during lunchtime, and build from there. To perform at a higher level and stay sharp, remember to take good care of your body and mind: DON'T BE A SECURITY BURNOUT APPLIANCE.

Move me to the cloud, so I don't have to take care of security!

I love the cloud, and I guess you do as well if you have heard that security in the cloud is automated! That is a very bold claim and might be a bit misleading. In the past couple of years, cloud adoption has been a cool trend, and very economical for businesses in saving money when it comes to running IT infrastructure (maybe we should do another post on the reality of the cost savings of cloud vs on-premises). While cost saving is one of the main drivers, it should be noted that there are other drivers, such as a faster way to go to market, testing new ideas, being able to expand or reduce resources at will (elasticity), and also security as the other big factor.

One thing to be clear about here: cloud security is a shared model, embraced by all the big Cloud Service Providers (CSPs) such as Amazon, Microsoft and Google, to name a few. What this means is that the CSP provides security for the cloud's physical infrastructure, e.g. data centres, hypervisors and networking tools, and the customer is responsible for the data. This is the simplest view; in practice it is more complicated than this and depends on the deployment model, such as IaaS, PaaS, SaaS or other as-a-service offerings (see the diagrams below). Hence the famous phrase: “the CSP provides security of the cloud and the customer provides security in the cloud”.

Organisations should understand these differences in terms of their core responsibilities when it comes to managing security in the cloud. The model below from AWS illustrates this more clearly, and the logical next step is for the organisation to map these responsibilities to the right roles/people within the organisation.

[Figure: cloud shared responsibility model]
Source: AWS – https://aws.amazon.com/compliance/shared-responsibility-model/

[Figure: cloud shared responsibility model by deployment model]
Source: https://www.synopsys.com/blogs/software-security/shared-responsibility-model-cloud-security/

So the next time you hear “let's move to the cloud, security is automated and taken care of for us”, remember it is a shared responsibility and you have a large part to play as well; at the end of the day the data is yours: YOU ARE RESPONSIBLE!

Do you have a business security architecture? Yes we do! Here is our network diagram

Over the years, as a security consultant, auditor or security assessor, I have assessed or helped more than 50 unique businesses spanning Europe, East Africa and New Zealand, and I can certainly say that at least 80% of these organisations do not have a documented business security architecture!

You may ask: what is a business security architecture? What does it look like? Is an Information Security Policy not a business security architecture? What about the Cyber Security Strategy? By simple definition, according to the Oxford Learner's Dictionary (https://www.oxfordlearnersdictionaries.com/definition/english/architecture), architecture can be defined as follows:

  1. The art or practice of designing and constructing buildings.
  2. The complex or carefully designed structure of something.
  3. (computing) The design and structure of a computer system.
  4. ISO/IEC 42010:2007 defines “architecture” as: “The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution.”
  5. In TOGAF, “architecture” has two meanings depending upon the context (http://www.togaf.info/togaf9/chap02.html):
    • A formal description of a system, or a detailed plan of the system at component level to guide its implementation.
    • The structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.
  6. According to SABSA, business security architecture is …

In my view, putting all these definitions in context, an organisation needs a security architecture so that it has a solid foundation of security that is aligned with business objectives, and the capability to piece together the different components of its security programme, such as policies, technologies and other security controls. It has to be noted that you cannot build a house on a shaky beach-sand foundation, as this will lead to an unstable house that is likely to crumble to pieces at some point in the future. The same stance should be adopted when building security programmes: base them on a well-designed business security architecture.

From a security point of view, having a well-designed and documented security architecture will, in future, help alleviate problems such as having to add on security solutions just for the sake of having a shiny appliance, without realising what protection it provides for the business.

Whilst by default most organisations don't have a documented business security architecture, I would say it is not too late to start now; you will find you are already doing about 50% to 70% of what is required, so why not finish piecing the pieces together to make that 100%? And don't forget to document it.

Another 2020 Cybersecurity Prediction.

I think it is that time of the year again when security experts see the future and predict the present. I guess I should join the bandwagon, so can I have your attention please?

#1 Organisations will continue to be breached

It's days away from 2020, and the rate of breaches is not likely to go down; organisations will still be breached. As much as I would love to believe that organisations are doing well at protecting themselves, you would be surprised by how many organisations can't even meet the minimum requirements set out in the NCSC 10 Steps to Cyber Security (https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security). A simple question: is your patch management programme integrated with your vulnerability management process, and does it cover that unpatched Windows 2003 server? Sorry, I meant Windows 2008.

#2 Increase your cyber security budget, otherwise you will be breached

Increasing the cybersecurity programme budget is a good thing, but spending the money only on buying security appliances, without first establishing what assets need protecting, is not a good move. Organisations should ensure that security objectives are aligned with business objectives, and establishing this should be done systematically by documenting a business security architecture. Security execs (CISOs/CSOs) should then be able to trace back to it when asked why we need to invest in a ‘dark web monitoring service’ or a ‘shiny security appliance’.

#3 Your applications are still vulnerable to OWASP Top 10 (of 2013)

A number of web apps are still vulnerable to the 2013 version of the OWASP Top 10, and if you see any of the below during your testing, I guess you need to have a word with your dev team (should we say DevOps or DevSecOps?). Whatever the name, it means there is something wrong with the development practice and the whole lifecycle.

  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards
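To make two of these categories concrete, here is an added example (not code from the original post) showing A1 Injection and A4 Insecure Direct Object References as a vulnerable function beside its fixed counterpart. It uses Python's standard sqlite3 module with a constructed in-memory schema and sample rows; the table names, users and invoice ids are all made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample schema and data for the demonstration (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    # Passwords are stored in clear here only to keep the injection demo short;
    # real code must store a salted hash (otherwise A6 Sensitive Data Exposure applies too).
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")])
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(10, 1, 100.0), (11, 2, 250.0)])
    return conn


# --- A1 Injection -------------------------------------------------------------
def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: user input becomes part of the query text."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL text."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# --- A4 Insecure Direct Object References ------------------------------------
def invoice_amount_vulnerable(conn, current_user_id, invoice_id):
    """Looks up the record by the client-supplied id only; ownership is never checked."""
    row = conn.execute("SELECT amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def invoice_amount_fixed(conn, current_user_id, invoice_id):
    """Scopes the lookup to the authenticated user, so another user's id yields nothing."""
    row = conn.execute(
        "SELECT amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # A1: a username value that closes the quote and comments out the password check.
    probe = "alice' --"
    print("vulnerable login, wrong password:", login_vulnerable(db, probe, "wrong"))  # 1
    print("fixed login, wrong password:", login_fixed(db, probe, "wrong"))            # None
    # A4: user 1 requesting invoice 11, which belongs to user 2.
    print("vulnerable invoice lookup:", invoice_amount_vulnerable(db, 1, 11))  # 250.0
    print("fixed invoice lookup:", invoice_amount_fixed(db, 1, 11))            # None
```

The two fixes are the ones a code review should be looking for: every query uses bound parameters rather than string building, and every object lookup is filtered by the identity of the caller rather than trusting an id from the request. Finding either pattern missing in a code base is the signal the post is talking about.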

#4 Your Incident Response Plan has been table-top tested for the past 3 years; the real storm comes this January.

I have seen organisations end up doing only table-top exercises in order to tick compliance boxes. One may argue that invoking the full IRP may be costly, but it may cost you more if the only tests you have done for the past 3 years are table-top exercises.

Real-life tests may be needed to mimic what happens if an actual disaster or data breach occurs. Maybe some questions to ask yourself: how prepared is the public relations department? Do you have one? Do you have a forensic expert internally, or do you need external experts to come in? Do you have a retainer arrangement in place? They may be busy!

#5 My people are security trained at least once a year

Most organisations now have information security training that happens at least once a year. As you know, this involves sitting in front of a computer going through slide decks or CBT, with an exam to complete at the end, or maybe a couple of policies to read. Whilst these are good practices, organisations should aim to conduct social engineering tests on a frequent basis to test how effective their human security defence is.

To be continued …