Anatomy of a Cyber Attack

During the past few weeks, I have been researching how attackers go about their work, whether they be lone-wolf hackers, crime-syndicate based, or state-sponsored, and I discovered that there are similarities between all the attacks.

Certainly, the less experienced usually short-cut some of the steps; but the serious attackers? Well, they know what they are doing, what they want, and how to get it undetected (mostly).

But this has always been a game of catch-up: security professionals design and implement a new technology, and the bad guys look for holes in the armour, weak spots, or ways to avoid it entirely.

Regardless, this presentation (in PDF format) is available for you to review and consider. Feel free to share it with your organization, your board, or your executives. Also feel free to contact me if you would like an executive briefing.

How ready is your organization to deal with a cyber attack? Or have attackers already compromised your organization without you knowing it yet?

Is organizational culture rendering your InfoSec program ineffective?

Have you ever thought you’ve got a great security program, only to discover that you have a gaping operational hole? A hole from which your organization is hemorrhaging sensitive information?

Often, executives don’t understand what has gone wrong. They think they have a great information security program: they have appointed their CISO/CSO, they have a policy framework, they have firewalls in place, and everyone understands information security is about risk management. Even the hard disk on their laptop has been encrypted. So what went wrong?

In my experience, one of the critical factors in an effective information security program is having an appropriate culture. What do I mean by appropriate culture? It’s one in which employees (and business partners and customers) understand that information security is a way of doing business: it’s a fundamental organizational outlook on what is required to protect important information and systems and is embedded in everything that an organization does. Information security consultant James Arlen provides great insight to this issue in this article.

When I read the article, I had a sense of déjà vu: sadly it wasn’t the first time that I have heard of a technical implementation of a comprehensive firewall rule set that is fundamentally bypassed by an any-any rule. (An any-any rule is a simple mechanism that allows any type of traffic through the firewall, from any source to any destination, and pretty much defeats the purpose of the firewall.) Put into the broader context, it’s not the first time I have heard of elements of a comprehensive risk-based security program being circumvented (and consequently made irrelevant and ineffective), often for the sake of operational efficiency.
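To make the any-any problem concrete, here is a small audit script I have added to this post; it is not from the article referenced above or from any firewall vendor. It uses a simplified, constructed rule format (name, action, source, destination, protocol, port) and assumes first-match semantics, where the first rule that matches a packet decides. Under those semantics an "allow any/any" rule placed ahead of the carefully written rules makes every rule after it unreachable, including the default deny. The rule names and addresses are made up for the example.

```python
"""Find 'any-any' allow rules and the rules they render unreachable.

Assumption (stated for this example): first-match semantics, as in most
stateful firewalls and iptables chains. The rule format below is a
constructed, simplified one for illustration, not a vendor syntax.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str = ANY     # source network as written in the rule, or "any"
    dst: str = ANY     # destination network, or "any"
    proto: str = ANY   # "tcp", "udp", "icmp", or "any"
    port: str = ANY    # destination port as a string, or "any"

    def is_any_any(self) -> bool:
        """An allow rule that matches every source, destination, protocol and port."""
        return self.action == "allow" and all(
            f == ANY for f in (self.src, self.dst, self.proto, self.port)
        )

    def covers(self, other: "Rule") -> bool:
        """True if every packet 'other' would match is already matched by self.

        Fields are compared as exact strings or the wildcard only; there is no
        CIDR containment maths, so the check is conservative: it can miss some
        shadowing but never reports shadowing that is not there.
        """
        pairs = ((self.src, other.src), (self.dst, other.dst),
                 (self.proto, other.proto), (self.port, other.port))
        return all(mine == ANY or mine == theirs for mine, theirs in pairs)


def find_shadowed(rules):
    """Map each rule name to the later rules it makes unreachable (first-match)."""
    shadowed = {}
    for i, earlier in enumerate(rules):
        victims = [later.name for later in rules[i + 1:] if earlier.covers(later)]
        if victims:
            shadowed[earlier.name] = victims
    return shadowed


def audit(rules):
    """Return [(any_any_rule_name, [names of rules it shadows]), ...]."""
    shadow_map = find_shadowed(rules)
    return [(r.name, shadow_map.get(r.name, [])) for r in rules if r.is_any_any()]


# Constructed example: a comprehensive rule set with an any-any rule added
# "temporarily" at the top for operational convenience.
BYPASSED = [
    Rule("temp-fix", "allow"),  # src/dst/proto/port all default to "any"
    Rule("web-in", "allow", src=ANY, dst="10.1.0.10", proto="tcp", port="443"),
    Rule("dns-out", "allow", src="10.1.0.0/16", dst="10.1.0.53", proto="udp", port="53"),
    Rule("default-deny", "deny"),
]

# Corrected: the convenience rule is scoped to what it was actually needed for
# (constructed values), so the default deny is reachable again.
CORRECTED = [
    Rule("mgmt-in", "allow", src="10.9.0.0/24", dst="10.1.0.10", proto="tcp", port="22"),
    Rule("web-in", "allow", src=ANY, dst="10.1.0.10", proto="tcp", port="443"),
    Rule("dns-out", "allow", src="10.1.0.0/16", dst="10.1.0.53", proto="udp", port="53"),
    Rule("default-deny", "deny"),
]

if __name__ == "__main__":
    for label, rules in (("bypassed", BYPASSED), ("corrected", CORRECTED)):
        findings = audit(rules)
        if not findings:
            print(f"{label}: no any-any allow rules")
        for name, victims in findings:
            print(f"{label}: rule '{name}' allows everything and shadows {victims}")
```

Run as a script it reports that `temp-fix` shadows `web-in`, `dns-out` and `default-deny` in the first set and finds nothing in the second. The same `find_shadowed` check is useful beyond any-any rules: any broad allow placed ahead of narrower rules shows up the same way, which is exactly the kind of "operational efficiency" change that quietly hollows out a policy.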

As I see it, this is one of the biggest issues management faces: various executives may have stated clearly and unambiguously “We will protect our people, systems and information through a comprehensive security program” or some variation of it, but if this statement is not truly culturally accepted in the organization, then you can end up with employees making changes to a whole range of security programs and appliances that fundamentally bypass the controls, rendering the organization’s carefully crafted policy statements obsolete and useless.

The solution: make information security part of your organizational culture; embed information security processes into the fabric of your organizational processes; and embed controls (preventive, detective, and corrective) within your workflow. Organizations, their executives and the management team need to walk the talk. I’m not talking about excessive “rah-rah” sessions, but rather the quiet determination to protect sensitive information and systems, evidenced by ongoing and regular conversations about controls and whether appropriate risk mitigations have been put in place.

Does your culture support the InfoSec program, or make it irrelevant?