Blueprint for Security in 2013

I’ve worked with a number of organisations this year that have been refreshing or redesigning part or all of their security function. It’s brought into focus for me the tension between new security practices and organisational inertia. These have all been organisations that cared greatly about security and were in no way dysfunctional. However, they have all been fighting the battle of five to ten years ago and were only now were undergoing the discovery and self-analysis to understand how to deliver on the aspirations they have in the new context of cyber security and the changed threat landscape.

It has brought home to me the need to focus on continual improvement activities, not limited to finding greater efficiency and effectiveness in what we are doing now but regularly challenging the scope of our activities to see if we need to do more or less or do different things.

Read the rest of this entry »

Business Partner and Supply Chain Cyber Security

I’ve recently been involved in some strategic cyber security work in the UK financial services sector. The financial services sector is a complex and coupled system. While some components are clearly more important there are few components that are inconsequential if they cannot be relied upon. No financial services organisation is independent in what is a highly cooperative sector.

Currently the Information Assurance aspects of reliance on partners and supply chain throughout the sector is handled through third party assurance. Every organisation assesses and is assessed by every other organisation breeding an expensive and distracting industry of rolling security controls assessments.

Read the rest of this entry »

Cyber’s Dirty Secret?

In 2011 the U.S. Securities and Exchange Commission (SEC) issued guidance on the disclosure of Cyber risks and Cyber incidents where they may significantly affect the risk of investing in the company reporting to the SEC.

This was controversial at the time and has led to an interesting revelation recently; many of the biggest US companies reporting Cyber incidents to the SEC have stated they suffered no major financial losses as a result. The context should be remembered in that on one hand these companies would like to reduce their reporting requirements and would love not to have to show their dirty laundry to the world but on the other hand these financial reports are personally signed off by the C-level executives in these companies and errors, inaccuracies, omissions and lies can all lead to fines and jail time for the individuals involved.

Read the rest of this entry »

Alignment vs Compliance vs Certification

I have had a series of conversations recently where the concepts of alignment, compliance and certification of ISO 27001 were very confused. Certification was seen as horribly costly and alignment was held out as a good enough goal that was entirely achievable.

In this particular environment they were already ‘aligned’ and had achieved most of what they needed to do to be ‘compliant’ but were still scared of the impact of certification. I ended up having to come to a common set of definitions of alignment, compliance and certification to explain to a variety of security specialists and business stakeholders what they were discussing to try and defuse the fear that was starting to set in. Here are the definitions I ended up with.

Read the rest of this entry »

Making sense of pen testing, part two

This is the second in a series of posts looking at the current state of pen testing as I see it and presenting some ideas for the future. Part one is available here.

In this post I will explore some of the issues I see in pen testing, it’s something of a rant that I have regaled a number of pen testing friends with over the last couple of years. If you disagree violently with this let me know, if I’ve missed something let me know, we need to open up this conversation in the industry.

In the next post I start exploring why these problems exist and how they might be improved.

What is wrong with pentesting?

As an informed customer, and an ex-pentester, I see a number of problems with pentesting as delivered today;

  • Too much focus on 0day as a measure of success
  • Too much variation in quality and coverage between testers and between tests
  • Too much unexplained and undefined ‘black magic’

Read the rest of this entry »

Twitter RSS