Over a thirty-year career I have seen my fair share of spectacular breaches first hand and been engaged in the subsequent investigations. The consequence of these breaches has resulted in lost billions and reputational damage. Incidents forced enterprises out-of-business and departments out-of-service.
Thinking back to some of the most egregious cases and security incidents, I noticed a number of common threads:
§ Risk aversion. An attitude that you can’t get in trouble if you don’t do anything.
§ Policy, mandate, law or privacy were deliberately interpreted as a reason not act in the best interests of the organization or the public good. Thinking that since there is nothing explicitly in your mandate that describes cyber defence, therefore defending yourself is not permitted. These folks see the world in terms that everything is forbidden unless explicitly prescribed, while ignoring standards, best-practices and common sense. For example, turning off all sensors to be wilful blind to a breach, failure to fully investigate and prosecute a breach through forensics or attribution, avoiding looking for early infiltration by not threat hunting, or burying evidence after the fact. Note: failure to prevent attack with active cyber defences is tantamount to allowing it to occur in the first place and accepting culpability for the breach.
§ We have a firewall. We are ok.
§ Nearly all breaches involve blended attacks, which compounded physical, personnel and cyber vectors. Social engineering was almost always present in cyber attacks, the compromise of personnel was a stepping point to assisting technical access and physical barriers were eroded in the Internet-of-Things
§ Divergent or stove-piped security practices often failed to communicate or coordinate with themselves or other business units.
§ The CSO/CISO held a lesser position at executive table and their concerns were often trivialized at the board.
§ Security was not marketed as business enabler and failed to get the attention of business leaders.
§ Either the security policy was inadequate or there was failure to follow security policies and translate them into effective practices.
§ Often there was a failure to establish meaningful objective performance measurements for security. An inability to understand what is important, that often lead to the organization measuring what was easy – but irrelevant to security. You can’t manage what you don’t measure.
§ Few organizations had an integrated risk management plan.
§ The ingenuity of threat agent was underestimated.
§ There was a lack of situational awareness and no real competitive or threat intelligence outside anecdotes and beliefs.
§ Systemic organizational vulnerabilities were known for a long time, but ignored.
§ The long-term strategy of exploitation by adversary prevailed over short-term vision of organization chasing quarterly profits or FY objectives.
§ Complacency and wilful blindness in speaking truth to power. Executives that actively avoiding briefings or communications from security staff. I have had C-Level walk out of security briefings and investigative findings so they could claim that they did not know.
§ Mistaking policy for practices and failure to audit the compliance and efficacy of those practices. Many organizations that had written policy never followed it.
§ Breaches were often first detected by partners and clients.
§ Threat Risk Assessments have no threat data, while compliance audits are just paper exercises with no real verification, validation and vulnerability testing.
§ Rationalization of a bad situation. The behaviour of an individual or computer systems were often dismissed as just quirky.
§ The worse the breach the greater the cover-up, until it spun out-of-control.
§ There was a naïvely or lack of street smarts (threat awareness)
§ Traditional defences were completely are outclassed by sophisticated offensive capabilities. The adversaries tactics tools and procedures where completely unknown to defenders.
§ The organization failed to evolve with that threat. There was a reliance on antiquated tactics and technology.
§ There was an emphasis on disaster continuity and incident response thus choosing failure as the starting point for a security plan, rather than active defence which could include: attack surface analysis, upstream security, global threat intelligence, hunt and adversary pursuit.
§ Many organizations are not just innocent victims but are party to the beach through wilful negligence or ignorance.
§ There was a lack of capacity or vision to look into the future or beyond walls of the business at competitive pressures and threats.
§ Security was not considered in business SWOT analysis or strategic planning.
§ The executive responsible for cyber security and defence has no background or interest in the subject.
§ A closed network and fortress fallacy mentality persisted for security. This equated to an over-confidence in perimeter security measures at the expense of vigilance inside the enterprise, threat intelligence outside and active defence from the adversary to the organizational perimeter.
§ Hubertus and pride. Unfounded confidence in the strength of the organizational security controls.
§ Not on my watch. Delaying the recognition of a breach or response to a security incident until it could be passed on to a successor.
§ Seeing compliance to minimum standards as representing end-goal rather then a starting point towards best practices.
§ Complexity, systems-of-systems and extended supply chain meant that noone in the organization had full view of the organization information infrastructure and data
§ Failure to recognize that a significant amount of the business was operating outside of the corporate information infrastructure (Shadow IT) between personal mobile devices, laptops, cloud, e-mail, text messaging, etc.
§ The organization did not take control, monitor or protect social media presence.
§ Compromised parties or agencies failed to notify partners, clients of affected partners. Or let the contagion grow, to protect an investigation to the point where more harm was done then good.