The Troublemaker CISO: Getting Hacked

Before we delve deeper into getting hacked, I guess you will need my bonafide’s.

I’ve been in the trenches of cybersecurity for over three decades, and I’ve seen it all. From the early days of dial-up internet to the rise of cloud computing, I’ve been there, done that, and got the t-shirt (and the scars).

I’ve worked with everyone from tiny startups to massive corporations, and I’ve got the certifications to prove it. I’ve been a consultant, a CISO, and even a Group CISO, so I know what it takes to keep an organization safe.

These days, I’m focused on helping telecom operators navigate the treacherous waters of cyber security. It’s a tough gig, but someone has to do it. And that someone is me.

During my time on the front lines, before security became sexy, I defended companies against all the good attacks, NIMDA, Code Red, SQL Slammer, Hart Bleed, and the list goes on and none of the companies I defended got hacked…. Yes I might have been lucky but also I know what should be in place, because all of the stuff being relied on now we pioneered…..and it all start here.

So…. On with my rant for today

Are we getting hacked because we now work remotely in the new normal? No, we’re being hacked because we’re not managing our risks and being lazy – and because the CISO is not being heard.

Why do we say we manage risks when the evidence shows we don’t? It is more than fair to say that the CISO, CIO and CTO are accountable to ensure that the information and technology risks are properly defined, managed and reported. That means that standards, processes and procedures that are geared toward reducing risk must be approved and followed. These include controls to stop shadow IT, which is most likely the biggest risk to business today. Then there is the missing or not applies default systems hardening or minimum secure baselines build per system class, role-based access control, centralised asset management, application and systems management controls – and the list goes on.

Think this through: To be hacked, you to have skipped a step somewhere. Yes. there are acts of God but those are few and far between. You installed hardware and software without following the approved secure configuration. Or worse – there is none, leaving the system with services running that are not needed and default user IDs and passwords. Perhaps you commissioned a server onto the network without following proper deployment processes, i.e., plan, build, test, deploy – yes, with all the security gates in there. Or worse still – the proof-of concept became production.

Systems maintenance, such as patching, is only done after the hack. Software and systems are not put through a stringent DEV/SIT/UAT process before going into production. Identity management is not being done, role management even less so, and the principles of least access are haphazardly applied.  “Position does not equal access” has fallen by the wayside. I could go on and on with the list of things that we are just too lazy to do or that we allow to be circumvented.   

Have you ever wondered why the first questions asked by an auditor are: Where are your processes, policies and procedures documented? Who approved them? When were they last reviewed? They ask those questions because they know the biggest risk is people, or as we put it” the “insider threat.” They also know that in 99% of the cases they will find that those processes, policies and procedures are not being followed.

Again: We are getting hacked because we are lazy and because we don’t manage the risks.

In the next post from The Troublemaker CISO, I will be on a rant about how the CISO role is misunderstood in business and what a CISO should be.