Rapid7 Blog

Security Strategy  

Filling big gaps in security programs

Guest author Kevin Beaver talks about helping organizations bridge policy-practice gaps in their security programs.

Addressing the issue of misguided security spending

It's the $64,000 question in security – both figuratively and literally: where do you spend your money? Some people vote, at least initially, for risk assessment. Some for technology acquisition. Others for ongoing operations. Smart security leaders will cover all the above and more. It's interesting though – according to a recent study titled the 2017 Thales Data Threat Report, security spending is still a bit skewed. For instance, security compliance is the top driver of security spending. One would think that business risk and common sense would be core drivers, but we all know how the world works. The Thales study also found that network and endpoint security were respondents' top spending priorities, yet 30 percent of respondents say their organizations are 'very vulnerable' or 'extremely vulnerable' to security attacks. So, people are spending money on security solutions that may not be addressing their true challenges. Perhaps more email phishing testing needs to be performed. I'm finding that to be one of the most fruitful exercises anyone can do to improve their security program – as long as it's being done the right way. Maybe more or better security assessments are required. Only you – and the team of people in charge of security – will know what's best.

The mismatch of security priorities and spending is something I see all the time in my work. Security policies are documented, advanced technologies are implemented, and executives are assuming that all is well with security given all the effort and money being spent. Yet, ironically, in so many cases not a single vulnerability scan has been run, much less a formal information risk assessment performed. Perhaps testing has been done, but maybe it wasn't the right type of testing. Or the right technologies have been installed, but their implementation is sloppy or under-managed. This mismatch is especially evident in healthcare (i.e. the HIPAA compliance checkbox) but affects businesses large and small across all industries. It's the classic case of putting the cart before the horse.

I strongly believe in the concept of “you cannot secure what you don't acknowledge”. But you first have to properly acknowledge the issues – not just buy into them because they're “best practice”. Simply going through the motions and spending money on security will make you look busy and perhaps demonstrate to those outside of IT and security that something is being done to address your information risks. But that's not necessarily the right thing to do.

The bottom line: don't spend that hard-fought $64,000 on security just for the sake of security. Step back. Know what you've got, understand how it's truly at risk, and then, and only then, do something about it. Look at the bigger picture of security – what it means for your organization and how it can best be addressed based on your specific needs rather than what someone else is eager to sell you.

What's the root cause of your security challenges?

This is a guest post from our frequent contributor Kevin Beaver. You can read all of his previous guest posts here.

My favorite lyricist, Neil Peart of Rush, once wrote “Why does it happen? Because it happens.” Some deep lyrics on life that many people, unfortunately, apply to their information security programs. These people go through their days, months, and years, letting things “happen”. It could be a user unhappy about the security hoops he must jump through. It could be an executive who repeatedly says “No!” to security budget and initiatives. It could be a denial of service attack. Whatever the situation, it just happens. And life goes on. The motions. The reactiveness. The policies. The assumptions. The breaches.

To quote another song, this time from the TV show Hee-Haw, it seems as if many people in security operate with the mindset of "Gloom, despair, and agony on me... If it weren't for bad luck, I'd have no luck at all". It's as if there's nothing that can be done. Every security problem that these people have is someone else's fault. There's always an excuse. One thing that's glaringly evident in business (and life in general) is that there are followers and there are leaders. Some people just take what comes their way, running themselves ragged constantly putting out fires. They're needed all the time, work long hours, yet they never get anything done. And the security challenges continue. I think these people secretly enjoy just where they're at. But that's not doing the business any favors and certainly doesn't address the underlying business risks at play.

If you want to take control and ensure that bad choices and habits are not hindering your information security program, you might consider doing these things to get at the root of the challenges and make improvements where they're needed:

- Step back and look at the bigger picture of where you currently are and how things can be improved. There's always something that can be resolved or done differently to improve security. Do this away from the office on a business retreat or personal vacation. Bring in an unbiased outside party to highlight the gaps if necessary. After all, it's hard to see the forest for the trees. The important thing is to ask yourself the brutal questions that you may have been avoiding up to this point. The answers to what needs to be done will surface.
- Get management and users on board with your security initiatives and, just as importantly, do what it takes to keep them interested. Information security is not a one-time deal. It's an ongoing philosophy. If they don't want to get on board or don't seem to be interested, then look inward. Your approach may be broken. You need to meet them where they're at, not where you want them to be.
- Building on my point above, focus on your non-technical skills. Information security is way more than bits and bytes. Instead, it's about communication, relationships, and the business as a whole. You'll likely find that deficiencies in these areas are holding you back as much as any technical security issue. Odds are that most of the technical challenges you face can be resolved with improvements in the non-technical areas of your security program.
- Set reasonable goals that you can work on every day of every week and hold yourself accountable to see them through. It's the hopes, dreams, and wishes approach that sets everyone up for failure. Unfortunately, that's how many information security programs are run.

There's no one root cause of your security challenges. That said, they're often very predictable. If you want to see changes, it's up to you to make things happen. No one else is going to do it for you. Sure, there are others outside of IT and security who are ultimately responsible for security. But if you're in charge of day-to-day security then you need to be the driving force that makes things happen. The path of blaming others for your security shortcomings is tempting to go down – and it's very easy to stay on. But it's not for you. Let the other people who choose that path be the low-hanging fruit that malicious attackers prey on.

Checks and Balances - Asset + Vulnerability Management

Creating a Positive Feedback Loop

Recently I've focused on some specific use cases for vulnerability analytics within a security operations program. Today, we're taking a step back to discuss tying vulnerability management back in to asset management to create a positive feedback loop. This progressive, strategic method can mitigate issues and oversights caused by purely tactical, find-fix vulnerability cycles. And it can be done using vulnerability scan data, creating additional value from your ongoing security operations.

Consider the top four CIS Critical Security Controls from the lens of asset and vulnerability management:

- CSC 1 - Inventory of Authorized and Unauthorized Devices
- CSC 2 - Inventory of Authorized and Unauthorized Software
- CSC 3 - Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4 - Continuous Vulnerability Assessment and Remediation

The top three controls can be roughly grouped together as "Do Asset Management." Number four can be roughly described as "Do Vulnerability Management." Often, organizations address these as completely separate problems, when in reality they are part of the same lifecycle:

1. Many vulnerability management findings stem from oversights or problems with asset management programs.
2. Many vulnerability scan details can be used to help audit and improve asset management programs.

Consider the down-cycle flow here to be point one, and the up-cycle flow to be point two. The down-cycle is a given, based on the relationship between asset management and vulnerability management. The up-cycle requires proactive lifecycle management to properly implement. The examples below describe creating asset review processes as a practical way to leverage vulnerability management data for improved asset management.

Asset & Software Inventory Review

Vulnerability management scanning generally begins with preliminary network scanning using tools like nmap. Before reviewing vulnerability check results, the basic network scan data can provide significant value for a checks-and-balances review. Consider the following short vignettes, boiled down from actual conversations in the field.

Admin: "We just finally replaced the last of our Windows XP machines six months ago, it took forever! We finally had to put a task-force team together to get it done."
< Run a discovery scan, review results >
Consultant: "It looks like you still have 12 Windows XP machines in your environment."
< Cue: "We're putting the band back together" >

Consultant: "You would be surprised how many times I find non-secure FTP, or even TELNET running in an environment."
Admin: "We have a strictly locked down network; we know everything that's running out there and we definitely don't have FTP or TELNET."
Consultant: "Well, it can't hurt to do a search. It might just come back empty."
< Run a quick search in vulnerability scan data >
Consultant: "Yep, looks like there are a handful of each here."
Admin: "Oh ****, that one's in our DMZ."
< Cue: "Quick, to the Batcave!" >

The broad theme here is that vulnerability scan data is good for more than just vulnerability analysis; these vignettes do not represent specific vulnerabilities, but misdeployed or misconfigured assets within the environment. By creating an inventory review cycle, you can realize additional value from the scan data you are already collecting.

Vulnerability Remediation Review

While it is important to validate asset management through a checks-and-balances review, it is also important to continue proactively validating vulnerability remediations as a check and balance for the vulnerability management program. Consider the following scenario, again pulled from field conversation.

Admin: "We had a massive fire drill a few months ago for [ insert topical buzz-heavy vulnerability ]. It was a lot of long nights, but it's good to have it done."
Consultant: "Well, we should set up some searches to make sure that vulnerability doesn't show back up in the environment again."
< Run a quick search for a specific vulnerability title or CVE Identifier >
Consultant: "Yeah, a few of these assets definitely have that same vulnerability. They must have fallen through the cracks, or someone re-installed the older software version after your cleanup effort."
< Cue: Fire Alarm >

That last item specifically describes a vulnerability regression, which I've written about before.

The Big Picture

The above scenarios outline a few basic risks associated with a tactical, find-fix vulnerability management approach. With a purely tactical approach:

- There may be unmanaged, untracked, and unnoticed assets on the network.
- There may be undesirable, insecure, and unnoticed network services running on some assets.
- High criticality vulnerabilities may be reintroduced to the environment and remain unnoticed.

By building a more strategic vulnerability management program with more thorough, iterative review cycles you can leverage your existing scan data to more effectively lock down your environment. The need for strategic vulnerability management is not only linked to asset management validation; it is also linked to the penetration testing (CSC 20) response and remediation cycle. For more discussion, see my colleague Joe Tegg's talk from DerbyCon: "We're a Shooting Gallery, Now What?"

Looking to evaluate a new vulnerability management solution? Download a free trial of our vulnerability scanner here.
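The three searches the vignettes describe (end-of-life operating systems, clear-text FTP/TELNET services, and vulnerability regressions), run over a constructed scan export as an added example; this is not code from the post or from any Rapid7 product. The CSV layout, the asset rows, the remediation log and the CVE identifiers are all made up, and the EOL and clear-text marker lists are assumed starting points.

```python
"""Asset and remediation review over vulnerability scan data (added example)."""
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed sample export, one row per asset: open_services is a ';'-separated list
# of port/service pairs and findings a ';'-separated list of vulnerability IDs.
# The CVE numbers are placeholders, not real identifiers.
SCAN_EXPORT = """\
ip,hostname,zone,os,open_services,findings
10.0.1.15,wks-015,internal,Windows XP SP3,445/microsoft-ds,CVE-0000-00001
10.0.1.16,wks-016,internal,Windows 10,445/microsoft-ds;3389/ms-wbt-server,CVE-0000-00001
10.0.2.7,srv-007,internal,Windows Server 2012,445/microsoft-ds,
10.0.9.4,dmz-ftp,dmz,Linux 3.x,21/ftp;22/ssh;23/telnet,
10.0.9.5,dmz-web,dmz,Linux 4.x,80/http;443/https,
"""

# Constructed remediation log: (ip, vulnerability ID) pairs closed out during the
# "fire drill". Any pair that shows up in a later scan again is a regression.
REMEDIATED: Set[Tuple[str, str]] = {
    ("10.0.1.15", "CVE-0000-00001"),
    ("10.0.2.7", "CVE-0000-00001"),
}

# Assumed starting lists; extend them to match your own environment's policy.
EOL_OS_MARKERS = ("windows xp", "windows server 2003")
CLEARTEXT_SERVICES = {"ftp", "telnet"}


def parse_scan(text: str) -> List[Dict[str, object]]:
    """Turn the CSV export into asset records with list-valued service/finding fields."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        services = [s for s in row["open_services"].split(";") if s]
        findings = [f for f in row["findings"].split(";") if f]
        assets.append({**row, "open_services": services, "findings": findings})
    return assets


def find_eol_assets(assets: List[Dict[str, object]]) -> List[str]:
    """Inventory review: IPs whose OS fingerprint matches an end-of-life platform."""
    return [str(a["ip"]) for a in assets
            if any(m in str(a["os"]).lower() for m in EOL_OS_MARKERS)]


def find_cleartext_services(assets: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Inventory review: (ip, zone, service/port) for FTP and TELNET, so DMZ hits stand out."""
    hits = []
    for a in assets:
        for entry in a["open_services"]:
            port, _, name = entry.partition("/")
            if name.lower() in CLEARTEXT_SERVICES:
                hits.append((str(a["ip"]), str(a["zone"]), f"{name}/{port}"))
    return hits


def find_regressions(assets: List[Dict[str, object]],
                     remediated: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Remediation review: findings logged as fixed that are present in the scan again."""
    return [(str(a["ip"]), cve) for a in assets for cve in a["findings"]
            if (str(a["ip"]), cve) in remediated]


def review(text: str = SCAN_EXPORT,
           remediated: Set[Tuple[str, str]] = REMEDIATED) -> Dict[str, list]:
    """Run all three searches over one export and return them as a single report."""
    assets = parse_scan(text)
    return {
        "eol_assets": find_eol_assets(assets),
        "cleartext_services": find_cleartext_services(assets),
        "regressions": find_regressions(assets, remediated),
    }


if __name__ == "__main__":
    for check, rows in review().items():
        print(f"{check}: {rows}")
```

Note that 10.0.1.16 carries the same placeholder CVE but is not in the remediation log, so it is reported as an ordinary open finding by the scanner, not as a regression; only the pair that was marked fixed and came back is flagged.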

The One Aspect of Selling Security That You Don't Want to Miss

This is a guest post from our frequent contributor Kevin Beaver. You can read all of his previous guest posts here.

When it comes to being successful in security, you must master the ability to “sell” what you're doing. You must sell new security initiatives to executive management. You must sell security policies and controls to users. You even have to sell your customers and business partners on what you're doing to minimize information risks. This selling is made up of various components including credibility and self-confidence, direct involvement with the business, and demonstrating the ongoing value of what you're doing.

There's one aspect of selling, however, that's often unknown or forgotten in the interest of expediency – checking boxes and getting things done yesterday – all bad ways to go about doing things in security. The missing link is patience, or the lack thereof. Sales expert Jeffrey Gitomer said that people don't like to be sold but they love to buy. In other words, they don't want things forced on them, but instead, they want to be in control of the decision-making process. When an idea becomes familiar – in a casual manner – it becomes better understood. It's most certainly less threatening. People will only buy into your ideas when they're convinced that you're on their side. There's a little trick you can use when you present new ideas in the process of selling security to others: do it casually for future consideration.

Psychologists say that people need about 72 hours to absorb new ideas. So, regardless of the subject matter or how urgent you think your issue is, an idea that you present casually and indifferently will be considered more and accepted better over the long term. It seems like a no-brainer but this is something that's rarely put into practice. When it comes to security, everything is urgent: assessments and audits, technical controls, training programs and even policy-related issues. There's always a fire to put out.

Your job as the person in charge of security is to start thinking about how you can slowly get the right people on board with what you're trying to accomplish. Start today sharing your thoughts, ideas, and goals with management. Talk to your users about what you're doing to not only improve security but also make their jobs easier. Plant the seeds. Let things simmer. Whatever you do, don't force security on others. Think long-term. U.S. Navy admiral Hyman Rickover once said “Good ideas are not adopted automatically. They must be driven into practice with courageous patience.” Let this approach help drive your security program. You'll not only build better relationships but you'll have a much better chance of getting things done. That's the sign of a true information security leader.

Sometimes the simplest security works the best

The FBI this week posted an alert that showed wire transfer scams bled $2.3 billion from “business email compromise” from October 2013 through February 2016. A couple of news outlets picked this up, including Brian Krebs.

When I was the head of security at a multi-national corporation, this was an issue that came up regularly. There were instances of very aggressive behavior, such as someone calling the call center pretending to be the CEO of one of the countries and demanding a $1 million transfer. That was a very bold and very obvious fraud that the call center was able to handle. However, very often these requests came through email, just like the FBI reported.

When this happens, the scammer normally uses either a forged email domain very similar to the corporate one, or a subdomain that looks very similar. If your user uses a browser without a fixed-width font, they might get tricked into seeing the domain as legitimate, e.g. rnicrosoft.com vs. microsoft.com (look closely); the subdomain trick looks like yourcom.panyname.com. Then the header is simply forged. In simple mail clients, like Gmail, you have to take extra steps to see the actual sender domain. The emails are usually pretty short, lacking detail, such as:

I need you to immediately produce a wire transfer for $13,000 and sent to the bank listed. I will follow up with you later. Regards, CEO NAME

And you might have a PDF attachment with banking details. Oddly enough, the PDFs I encountered were never malicious. They had legitimate account details so the wire transfers could be received.

Now you might think this is too simple and shouldn't work. But obviously, it does, to the tune of $2.3 billion. You might ask yourself why, and if you aren't, I'll ask it for you. Self, why does this work? Well, consider that you might have a multibillion dollar corporation located in many countries. If you do business in certain countries, wire transfers are the norm. So wire transfers become part of a normal process for that company. And when someone asks for $13,000, or even as much as $75,000, from a company that posts $4.3 billion in revenue, they would not even blink an eye at this. Scammers do a little recon, ask for an amount that is small to the company, and it gets processed. Little risk, high reward.

How would you protect against this? The simplest method is verification of the request. The FBI suggests that a telephone call be placed to verify the request, which is a good practice. They also suggest two-factor authentication for email, and limiting social media activities, as scammers will do reconnaissance and determine if CEOs are traveling. Krebs points out that some experts rely on technological controls such as DKIM and SPF. While these are things we recommend in our consultancy, they are complex for low-maturity organizations and do require some effort and support. At the end of the day, they don't actually solve the problem, because the scammers are socially engineering human beings. While all of these technology controls are good, we are dealing with humans. The best way to prevent this fraud from occurring is creating simple business processes that are enforced. In security terms, we would call this segregation of duties.

The simplest security

Simply put, segregation of duties says that no one person or one role should be allowed to execute a business process from start to finish. In the case of wire transfer fraud, for example, one person/role should not be able to create the wire transfer, approve it and execute it. Dividing these duties between two or more persons/roles means more eyes on the situation, and a potential to catch the fraud. A simple process map might look like this: Role A submits the request, and Role B reviews and approves it before it is executed. Ensure that Role A and Role B have proper documentation (evidence) for each step of the request and approval, and you now have a specific security control that easily integrates into a business process. The key to enforcement: making sure every single request follows the chain every single time. No exceptions.

Now let me tell you about the one that almost made it. There was one instance I dealt with which was one mouse click away from being executed. An email (very similar to the example above) was sent to a director of finance, purportedly from the CEO. The director was busy that day, and filed the email away for processing later. By 4:55 pm or so, she realized she had not acted on the request. As it was almost end of day, and wire transfers are not processed by most banks after banking hours, she hurriedly forwarded the email to the wire transfer processor, marked with urgency, and made a call to ensure it was processed immediately. By the time it was picked up and put into the process, banks were closed. So they agreed it would execute first thing the next morning. That evening, a series of emails went back and forth between the approver, who was a finance analyst who held very firm to the process, and the requester. Though it had urgency, and people were shouting that it was a request from the CEO, the process prevailed. All this time no one thought to actually verify the request, and this was not part of the process at that time. But because the approver was uncooperative with the request, it was escalated to the CFO, because the CEO was traveling, and he suspected it was fraudulent and contacted me. We determined almost immediately it was fake, just by looking at email headers. There were other indicators too. I immediately praised everyone involved, and bought them gifts for sticking to the process. The director might have felt ashamed, but I went to her as well and explained that these scams are successful because they count on stress and distraction. These are normal human behaviors, and they sometimes cause us to act erratically. But because we had a firm process that was adhered to, all we lost was time.

There's actually much more to this story, but I'll save that for future posts. Regardless of your organization's size or structure, you too can put this in place. If you are unsure these processes exist, start asking around. Begin with your controllers or comptrollers, or anyone in finance. Ask if you have a process for wire transfers, and if so what the process is. Get involved, understand how your business does business. This will benefit you in many ways. Other things you can do:

- Join InfraGard, the FBI and civilian alliance, which will get you in-depth resources and information.
- Report fraud to the IC3, the Internet Crime Complaint Center.
- Ensure you have a separation of duties policy that is enforced.
- Periodically train / update awareness of these issues with the people involved.

All these are free, requiring only a time investment, and will go a long way toward avoiding the kind of wire transfer fraud scam the FBI is warning about.
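The two controls the post describes, the lookalike-domain check (rnicrosoft.com vs microsoft.com, yourcom.panyname.com) and segregation of duties across request, out-of-band verification, approval and execution, as an added example; this is not code from the post or from any Rapid7 product. The confusable-character list is an assumed starting point, and every person, address, amount and beneficiary below is constructed.

```python
"""Wire transfer controls: sender-domain lookalike check plus segregation of duties."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Character sequences that look alike in a proportional font. Assumed starting list,
# not exhaustive; extend it from the lookalikes you see in your own mail flow.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize_domain(domain: str) -> str:
    """Collapse confusables and interior dots so imitations compare equal to the real domain."""
    d = domain.strip().lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d.replace(".", "")


def classify_sender_domain(sender_domain: str, corporate_domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for the domain of a From address."""
    s, c = sender_domain.strip().lower(), corporate_domain.strip().lower()
    if s == c or s.endswith("." + c):
        return "internal"
    if normalize_domain(s) == normalize_domain(c):
        return "lookalike"
    return "external"


class ControlViolation(Exception):
    """A step that would skip verification or let one person hold two duties."""


@dataclass
class WireTransferRequest:
    request_id: str
    amount: float
    beneficiary: str
    requester_email: str          # From address of the e-mail that asked for the transfer
    created_by: str = ""
    verified_by: str = ""
    approved_by: str = ""
    executed_by: str = ""
    status: str = "new"
    audit: List[str] = field(default_factory=list)   # the documentation (evidence) per step


class WireTransferWorkflow:
    """The creator may neither approve nor execute, and the approver may not execute."""

    def __init__(self, corporate_domain: str) -> None:
        self.corporate_domain = corporate_domain

    def create(self, req: WireTransferRequest, person: str) -> str:
        domain = req.requester_email.rsplit("@", 1)[-1]
        verdict = classify_sender_domain(domain, self.corporate_domain)
        req.created_by, req.status = person, "pending_verification"
        req.audit.append(f"created by {person}; requester domain {domain} is {verdict}")
        return verdict

    def verify_out_of_band(self, req: WireTransferRequest, person: str, confirmed: bool) -> None:
        """Record the call-back to the purported requester on a known-good number."""
        if not confirmed:
            req.status = "rejected"
            req.audit.append(f"{person} could not confirm the request by phone; rejected")
            return
        req.verified_by, req.status = person, "pending_approval"
        req.audit.append(f"confirmed by phone by {person}")

    def approve(self, req: WireTransferRequest, person: str) -> None:
        if req.status != "pending_approval":
            raise ControlViolation("request has not been verified out of band")
        if person == req.created_by:
            raise ControlViolation("segregation of duties: creator cannot approve")
        req.approved_by, req.status = person, "approved"
        req.audit.append(f"approved by {person}")

    def execute(self, req: WireTransferRequest, person: str) -> None:
        if req.status != "approved":
            raise ControlViolation("request is not approved")
        if person in (req.created_by, req.approved_by):
            raise ControlViolation("segregation of duties: executor must be a third person")
        req.executed_by, req.status = person, "executed"
        req.audit.append(f"executed by {person}")


def attempt(step: Callable[..., object], *args: object) -> Optional[str]:
    """Run one workflow step; return the control violation message, or None if it passed."""
    try:
        step(*args)
    except ControlViolation as exc:
        return str(exc)
    return None
```

A 'lookalike' verdict in the audit trail is the cue for whoever makes the verification call to treat the request as suspect; the workflow records it but still relies on the call, since the point of the process is that no single check or person decides alone.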

Defense in Depth - Embracing the Attacker Mindset - Followup

As a follow up to our webinar on Defense in Depth – Embracing the Attacker Mindset, I'd like to post my slide notes for the first section after Wade's intro. I apologize again for the audio issues. We did an hour of sound check beforehand, but of course the signal interference gremlins waited until the curtain went up. We've nailed down what caused it and it won't be an issue for any future webinars in this series. Thank you for sticking with us, and as promised here's the full transcript of the first third:

Defining Defense and Depth

So if we're going to build a defense in depth architecture we need to get an idea of what we mean by defense, what depth is, and what it isn't. As Wade and I were building this webinar, he brought up a concept that nailed down the crux of what we're trying to do: raise the walls high enough that the unmotivated threat finds an easier target, and raise the visibility enough to catch the motivated threat as they attempt to scale the walls.

Regarding depth, there are times when we see an organization has purchased all of its security products from a single vendor, and all of those products run on the same underlying architecture. When a vulnerability is exposed for that architecture, it may be possible for an attacker to pierce all of the layers of that defense using the same or very similar techniques. You need to be careful what you buy and from whom; you want variation so that your layers aren't lined up perfectly for an attacker.

Defense in depth aims to place varied structures and processes throughout the environment to ensure the confidentiality, integrity, and availability of your assets. It's widely believed that an attacker only needs to be right once, and a defender needs to be right all the time. With a proper defense in depth strategy, we force the attacker to be right a lot more of the time. The emphasis then is on detection and the speed of our response.

Defense Without Understanding

When they want to build good depth in their defense, a lot of organizations immediately look to what's on the market. There are a lot of products branded “Next Generation” that purportedly aim to make your life easier, require less staff, pretty much everything you want to hear. A lot of them are expensive. I've used a few of them and they are great, but only if they fit your organization's needs.

We see a lot of organizations that go to purchase solutions that don't have a map of their environment, or have many disparate maps. The departments doing the purchasing haven't had in-depth conversations with each other, and there's only siloed understanding of what's going on. And so partial knowledge builds partial solutions, and partial defense. Then you've got whack-a-mole. You need to look inside first, to get a clearer handle on those needs before you go to market. Depth begins with in-depth conversations that span departments and functions, and comprehensive understanding that manifests in shared maps and documents that span teams in IT and IS and outside of it. In the coming months we'll do a webinar to highlight the processes and common pitfalls of these in-depth exercises, and how you can get the most out of them to build your maps.

Exceeding Compliance

A lot of people look at defense in depth through the lens of regulatory compliance. Frameworks like PCI, Sarbanes-Oxley, ISO, and HIPAA can help provide cues to necessary structures and processes. It's important to realize that this is a minimum bar; it's not where security should end. Organizations often buy to fulfil a specific compliance requirement, and the list of products they implement reads in order of the requirements. The policies do too. It ends up being 20 solutions when a more methodical approach would have revealed that 10 better-implemented products would have covered all of the requirements. These frameworks need to inform your decisions but not drive them. Recently there was a great article by Christophe Veltsos on securityintelligence.com that quotes the Federal Trade Commission. Even the FTC admits that PCI isn't the be-all and end-all of a reasonable security program. You need to plan on exceeding compliance.

It may seem ironic that a consultant is telling you this, but no one can do the first steps of this program better than you can. You know all the moving parts of your business better than anyone. And if you don't, you should. You need to make a concerted effort to know the who/what/when/where/why/how of all of the information that is stored and transmitted. If you buy and build before you develop that catalog of knowledge and map it out, you'll likely end up with shelfware or at the very least unused features. Organizations that use 10% of the features of the software that they buy are going to be constantly fighting budget battles and administrative staffing burden, and can't be nimble. Find something that fits you in features and functionality.

But sometimes you can't. Sometimes the product just isn't there, or the timing doesn't support it. That's life. What you can do is license appropriately and plan to rip and replace as you learn and as the product space matures. Build your processes around it but watch your dependencies so that you can move that solution out without drastically upsetting the others. Your goal should be to understand every data flow from start to finish, and all the network objects that are transited, then buy tools that address the security needs in those flows and those structures.

Organizations often give compliance needs their primary focus, but you should make sure to focus on your needs as a business as well. The things that make your value proposition unique should be protected just as much if not more. What are your detection and response goals? What data flows are you prioritizing and why? What structures are you prioritizing and why?

While not a technical consideration, a lot of organizations simply don't have budgets that line up to these requirements and priorities. Or if they have the budget today, they don't have budgeting processes that adapt to changes in the security landscape. A case in point: mobile device management with Bring Your Own Device wasn't a thing just a few years ago and now it's a budget item for many organizations. If it takes a few years to alter your budget structures, you get caught flat-footed as far as exposure. Likewise, how are you licensing products in consideration of building a flexible security program? Longer-term licensing helps keep costs down, but how do you exit from those agreements without incurring large penalties?

Lastly, when risk conversations happen at the upper levels of the organization, they rarely get communicated to the people who feel those risks. This can lead to some dangerous improvisation with budgeting and with solutions. Those on the front lines are seeing risks that aren't acknowledged or addressed and they take a best guess at how to handle them. While that initiative is good, it often comes at the expense of other solutions or priorities. When you evaluate the cost associated with losing a particular structure or data flow because it cannot be budgeted or prioritized, who's aware of that decision? All parties don't necessarily need to be part of the conversation and decision, but they absolutely need to know the approach.

Check out the recording of the webinar here for the rest.

4 Tips to Help Model Your Security Program to the Attack Chain

When building out next year's security initiatives, how do you prioritize and choose projects? At Rapid7, we recommend modeling your security program to the Attack Chain, a graphical representation of the steps required to breach a company.

For every successful breach, whether it be from a credential-based attack, malware, or the exploitation of a vulnerability, attackers need to perform one or more steps in the chain. If you can detect, investigate, and remediate the attack earlier in the chain, you stop data theft, whether the target is credit card information, protected health information, or your proprietary financials and schematics.

Our four tips when expanding your security program:

1. Prioritize early attack chain detection. While it's important to identify unauthorized access of valuable assets, that also means that if the activity is malicious, the intruder is already at Mission Target. By identifying earlier traces of the attack, such as Infiltration, Reconnaissance, and Lateral Movement, your security team can respond before data is stolen.

2. Focus on the highest-probability attacks first. This year's Verizon Data Breach Investigations Report (DBIR) continues to tell the same story: compromised credentials, malware, and phishing are the top three attack vectors behind breaches. Many organizations have detection in depth for malware but cannot detect compromised credentials or phishing. Our knowledge of the attacker, derived from the Metasploit project and Rapid7 Global Services, confirms this finding: our penetration testers have a near 100% success rate by leveraging account takeover techniques and impersonating your users to stay under the radar.

3. Identify gaps in your security program. Evaluate your security program to ensure the detection of compromised credentials, phishing, and malware during the first three steps of the chain. Identifying these gaps in coverage provides direction for future initiatives. This is a huge improvement over a scattershot approach or taking action in response to pain or executive visibility.

4. Avoid duplication per step to reduce overspending. There are many security monitoring solutions available today. When bringing in a new tool, it's a challenge to quantify its value, especially if it overlaps with other solutions. If the tool only monitors a specific part of the network, this can cause alert fatigue as each siloed solution blasts alerts. For this reason, choose solutions that not only have the least overlap, but also fit into your available security bandwidth. For example, SIEM deployments take significant setup, professional services, training, and tuning. The time investment combined with the technical expertise required to create and manage rules can greatly extend the time needed to see value from the solution.

At Rapid7, we've combined our Red & Blue team expertise with this Attack Chain methodology into our User Behavior Analytics solution, InsightIDR. By correlating all of the activity across your network and security stack to the people behind it, you can detect stealthy attacks, investigate incidents faster with user context, and expose risky internal behavior from endpoint to cloud. InsightIDR's high accuracy and cloud approach empower you to watch your entire ecosystem, even if you are fighting the adversary with a small team.

Check out a full InsightIDR Demo here!

It takes more than resolve to manage an effective security program


I've never been one for New Year's resolutions. I've seen how they tend to exist only for short-term motivation rather than long-term achievement. Resolutions are just not specific enough, and there's no tangible means for accomplishing anything of real value. Just check out your local gym by mid-February. It's all cleared out. The people who energetically vowed to make changes late last year have simply lost their resolve.

But it's not just a personal thing. The cycle of resolve-try-forget exists in our professional lives as well. If you manage an information security program or somehow have your hands in the IT risk equation, you have to be careful not to get on that diet-like roller coaster. You need a plan. You need specific steps to take. You have to hold yourself accountable. The very moment you say something high-level that you want to accomplish with your information security program, with no specific details or deadlines, is the very moment you hop on the road of good intentions. We all know where that leads.

For example, let's say you resolve to do the following for your security program this year:

- Do more security assessments
- Follow up on security assessment results sooner
- Perform additional security monitoring
- Send more security awareness emails to users
- Not get hacked
- Talk to management about what's happening on the network

You write these down on a whiteboard in your conference room so everyone can see them. With your staff being exposed to these resolutions during your weekly team meetings, they'll keep them top of mind and things will take care of themselves, right? Absolutely not! Just ask the guy who vowed to eat less and exercise more. He's not at the gym, so you've got a better chance of tracking him down.

Take a look at each of the above resolutions. Notice anything missing? They're not specific. There are no documented steps that need to be taken to accomplish them. There are no deadlines. They're mere wishes. Dreams at best.

If you want to start accomplishing things in information security, you have to get serious and document actual goals. You then have to “manage” your goals, which means that you revisit them on a periodic and consistent basis, i.e. daily, and take steps every week to make each goal become reality. Goals are not all that different from security metrics that you might have. They're specific and tangible. They're also reasonable and attainable.

I'm convinced that if we were to look at the root causes of all the publicly-known breaches, we'd certainly see politics, ignorance, and downright bad luck at the root of all of them. But odds are excellent that we'd also see that the people in charge had no goals for managing information security or they were, at least, mismanaging them.

Take a look at your security program and determine what you want to accomplish this year. It'll be obvious but it won't be easy. It's up to you to make things happen. It takes more than resolve. It takes the proper philosophy and, most importantly, discipline.

Are You Enabling Corporate Espionage?


While I was flipping through some news stories the other day, a small headline appeared that piqued my interest. The headline reads: Former St. Louis Cardinals Exec Pleads Guilty To Cyber Espionage Charges.

Cyber espionage… in baseball? That was too intriguing to pass up!

It essentially describes this: employees from one club, the St. Louis Cardinals, left to join another club, the Houston Astros. During their previous tenure with the Cardinals, they had built databases of scouting and talent reports. When the employees joined the Astros, a very similar database got constructed. The Cardinals were concerned that their intellectual property had been misappropriated. So a Cardinals executive took a list of “master passwords” that were in use at the time their databases were built, and used those, or variants of those, to break into the Astros databases. The Department of Justice says that's a violation of the Computer Fraud and Abuse Act. The news article also posts an excerpt from the DOJ release:

In one instance, Correa was able to obtain an Astros employee's password because that employee had previously been employed by the Cardinals. When he left the Cardinals organization, the employee had to turn over his Cardinals-owned laptop to Correa – along with the laptop's password. Having that information, Correa was able to access the now-Astros employee's Ground Control and e-mail accounts using a variation of the password he used while with the Cardinals.

There are a few things going on as described in the release. Let's examine them.

- The employee obviously reused passwords, or close variants, and in this case carried them over from one organization to another. This very common human practice leads us to believe that security awareness training was not conducted well or not enforced.
- The databases were presumably web-enabled applications, from the descriptions. It does not appear that proper account control was used, such as restricted logins.
- From the DOJ release, at least four intrusions occurred before the Astros required all users to change their passwords to something more complex. Was monitoring being done, or was this a lucky break?
- However… when they reset the passwords, they emailed the default passwords out to the users, which were intercepted because the email accounts were under the control of the attacker. This is a very common security gaffe made by operational teams.
- Several more intrusions happened before the intruder was finally caught and identified.

The intruder was finally charged with five counts of unauthorized access of a protected computer. Each conviction carries a maximum possible sentence of five years in federal prison and a possible $250,000 fine. Sentencing is set for April 11.

Espionage is not just a cloak-and-dagger drama played out by three-letter agencies. It can happen in the unlikeliest of places, even baseball. It stands to reason that you and your organization are just as exposed. The question then is: are you enabling corporate espionage by not having real, enforceable security controls for your organization? To answer that question, you need to look at how you are managing security in your organization. Let's just look at the points mentioned above.

Security Awareness

Security awareness training is an important, but often overlooked and underfunded, tool that builds good security behaviors into your organization. Security awareness is recognized in several control frameworks as an essential element of your security program. NIST SP 800-53 (AT, SA & PM), HIPAA 164.308(a)(5), PCI DSS 3.0 (12.6), ISO 27001:2013 (A.7.2.2) and CIS Critical Control 17 all refer to security awareness training. NIST SP 800-53 has security awareness guidance in control AT-2. The control states that the organization provides basic security awareness training to information system users as part of initial training for new users, when required by information system changes, and at an organization-defined frequency thereafter.

The common mistake with frequency is that organizations choose annual or bi-annual timeframes. If you want a behavior to become habitual, you need to reinforce it as often as possible. Awareness education also needs to be fresh. You don't have to spend a lot of money or resources on this. It can be in the form of reminders, newsletters, or stories around the water cooler like this one from current events to help describe desired behaviors.

Account Monitoring and Control

Proper account monitoring and controls, especially for web-exposed applications, are extremely important, as attackers will frequently impersonate legitimate users. NIST SP 800-53 (AC), HIPAA 164.308 and 164.312, PCI DSS 3.0 (7.1 – 7.3 and 8.7 – 8.8), ISO 27001:2013 (A.9.x) and CIS Critical Control 16 all reference account monitoring and control. The first step is to ensure that accounts which cannot be associated with a business process and owner are disabled. Then sweep all old accounts and remove them. Attackers will take advantage of dormant accounts to get into a network. All user accounts should have expirations. Monitoring account activity is also required to spot suspicious activity. A SIEM can spot patterns of use that might trigger an alert (such as logging into a system after business hours), or a login from a restricted IP can be flagged. As Yogi Berra once said, “You can observe a lot by watching.”

Default Password Handling

From a process perspective, default passwords should never be emailed. All default passwords should require some form of authentication of the user. This could be a call into support, or a visit to the desk. Attackers can gain control of a user's email account, and when passwords are set or reset, the attacker will have access to the account. Human-to-human interaction for default passwords, with a proper authentication step, is the safest way to distribute passwords.

The situation that happened to the Astros could have been prevented or discovered early, and the damage might have been reduced. Take a close look at your account control policies and practices, your web-enabled application security, and your fraudulent activity monitoring. When was the last time these controls were validated? Do they even exist? As for user awareness, when was the last time users were told about bad passwords and the dangers of re-use? This baseball story is one you can use to illustrate why re-use behavior is bad.

I don't always agree with the famous quote by Eldridge Cleaver, but in this case it's very appropriate: “You are either part of the solution or part of the problem.” And to quote the famous Yogi Berra, “It ain't over ‘til it's over!”
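The account-monitoring section above names the checks a SIEM should run (after-hours logins, logins from restricted addresses, dormant accounts) and the Astros timeline shows what password-variant guessing looks like: a burst of failures followed by a success. The script below is an added example, not code from the original post or from any Rapid7 product; it runs those checks over a few constructed authentication log lines. The log format, the business-hours window, the allowed network range, the account inventory and the 90-day dormancy threshold are all assumptions.

```python
"""Account-monitoring checks over constructed authentication log lines.

Added example, not code from the original post or from any Rapid7 product.
The log format, the business-hours window, the allowed network range, the
account list and the dormancy threshold are all assumptions for illustration.
"""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: "<ISO-8601 timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2015-12-01T09:12:44 jdoe 10.20.1.15 SUCCESS
2015-12-01T23:41:02 jdoe 10.20.1.15 SUCCESS
2015-12-02T03:10:17 scout1 203.0.113.8 SUCCESS
2015-12-03T10:05:00 analyst2 10.20.4.9 SUCCESS
2015-12-03T10:06:12 scout1 198.51.100.23 FAILURE
2015-12-03T10:06:40 scout1 198.51.100.23 FAILURE
2015-12-03T10:07:01 scout1 198.51.100.23 SUCCESS
"""

BUSINESS_HOURS = (7, 19)                                       # assumed: 07:00-19:00 local time
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]          # assumed: the internal range
KNOWN_ACCOUNTS = {"jdoe", "scout1", "analyst2", "oldintern"}   # assumed account inventory
DORMANT_DAYS = 90                                              # assumed dormancy threshold


def parse_log(text):
    """Parse the whitespace-separated log lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ipaddress.ip_address(ip), "result": result})
    return sorted(events, key=lambda e: e["ts"])


def after_hours_logins(events):
    """Successful logins outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events
            if e["result"] == "SUCCESS" and not (start <= e["ts"].hour < end)]


def logins_from_restricted_ips(events):
    """Successful logins from addresses outside every allowed network."""
    return [e for e in events
            if e["result"] == "SUCCESS"
            and not any(e["ip"] in net for net in ALLOWED_NETS)]


def guessed_passwords(events, window=timedelta(minutes=5), min_failures=2):
    """A success preceded by min_failures failures for the same user within
    the window: the trace a password-variant guessing spree leaves behind."""
    hits = []
    for i, e in enumerate(events):
        if e["result"] != "SUCCESS":
            continue
        failures = sum(1 for p in events[:i]
                       if p["user"] == e["user"] and p["result"] == "FAILURE"
                       and e["ts"] - p["ts"] <= window)
        if failures >= min_failures:
            hits.append(e)
    return hits


def dormant_accounts(events, now, days=DORMANT_DAYS):
    """Known accounts with no successful login in the last `days` days:
    candidates for disabling before an attacker finds them."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = {}
    for e in events:
        if e["result"] == "SUCCESS":
            last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=days)
    return sorted(u for u in KNOWN_ACCOUNTS
                  if u not in last_seen or last_seen[u] < cutoff)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for label, hits in [("after-hours", after_hours_logins(evs)),
                        ("restricted IP", logins_from_restricted_ips(evs)),
                        ("failures then success", guessed_passwords(evs))]:
        for e in hits:
            print(f"{label}: {e['ts']} {e['user']} from {e['ip']}")
    print("dormant:", dormant_accounts(evs, "2015-12-04T00:00:00"))
```

On the constructed sample the checks flag the two off-hours logins, the two successes from outside the internal range, the scout1 success that followed two rapid failures, and the oldintern account that has never logged in. A real deployment would read these events from the SIEM rather than a string, but the logic per rule is the same.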

How to make your security assessments actionable


One of the greatest challenges in security is getting the right information so that educated decisions can be made. It happens across many facets of security such as network monitoring, incident response, and user training. However, there's one (big) exception: security assessments. Assuming you're using the proper tools and reasonable methodologies to uncover your network security weaknesses, you have everything you need at your disposal. You have the vulnerabilities, the attack vectors, the systems affected, and even what's required to resolve the issues. Yet, still, time after time we hear of vulnerabilities that go unresolved. It's discouraging to me, as a consultant, to see this. You know, the vulnerabilities that were in last quarter's (or last year's) assessment that are showing up today. I see this issue all the time.

Unless management is willing to defend why known vulnerabilities remain unresolved, you have to have a plan of action after each assessment. Second only to actually mitigating the flaws, developing a specific plan should be a top priority. Everyone's approach and needs are unique, but there are certain aspects to getting things done that apply across the board, including:

- What has been uncovered?
- How does each finding affect the business?
- Where do we truly need to focus our efforts? (Tip: it should be on the most urgent flaws on your most important systems.)
- Are there certain findings that we can take off the table completely?
- Who can resolve each issue in the short term?
- Who (or what) else needs to be involved to help prevent this issue from recurring?

Once you have this information, ask yourself: What's next? What's after that? And, what do we need to do now? Keep repeating this over and over until you get done what needs to be done. Well-respected business executive Jack Welch of GE once said, “An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive business advantage.”

You can't un-acknowledge security vulnerabilities. They're there. They've called attention to themselves. You know what needs to be done. Don't try to solve the security issues you uncover at a mere technical level, on your own. Go up a few steps and look at security management, business operations, and related issues that are the root causes. Then vow to do what it takes to make changes. Many people will try to wish such security issues away. Others will find every excuse in the book as to why it's not possible to fix them. Don't take those paths. We've seen where they end up. Let discipline and common sense lead the way instead.

When Hunting is the Right Choice for Your Security Team - and when it's not


The concept of hunting for threats is being hyped by media and vendors, creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team's ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources.

Hunting is searching for malice on your network

The security lifecycle can be described in a number of ways; I think a good way of describing the cybersecurity framework might be “PREVENT-DETECT-CORRECT.” Hunting powers all three stages, by digging through mountains of data to detect and identify irregularities, in an effort to inform more effective correction and prevention. If we were to define hunting:

“The act of using what you know about the network and what you know about the attacker to identify anomalies indicating malice without any specific indicator or signature.”

We want to make bad actors work harder to get in (informing prevention), get caught quickly (better instrument detection), and make it expensive for them to find their way back into the organization (correct or instrument the soft spots in the business where attackers now risk getting caught and held accountable).

Detecting known IOCs (indicators of compromise) isn't really hunting

Many vendors claim they offer a hunting solution when what they're actually doing is basic signature detection. Here's an example: a vendor adds a newly published indicator of compromise, such as a file hash, from some random threat intelligence feed to a tool that searches for this indicator across the network. The act of identifying when a new IOC hits is not hunting; it is an alert. As alert validation takes place those indicators are tuned, and the signal-to-noise ratio tells the analyst whether the indicator is finding malice, or whether they are wasting their time on a bad IOC.

Hunting allows an analyst to identify evidence of malicious activity without existing threat intelligence signatures. By gathering large amounts of specific metadata throughout a network, analysts can perform techniques such as frequency analysis to determine the rarity of an artifact: a binary hash or file path seen on one host out of thousands deserves a look that one seen everywhere does not. These techniques may equip teams that are ready and able. For those that are not yet ready to hunt, we recommend partnering with experts to make this form of intelligence useful. Stated simply, lots of alerts do not mean lots of value… it often means lots of time (and money) wasted.

Hunting is only part of threat prevention and detection

While this blog post is not a getting started guide, there is a bit of “getting ready to do” before you start hunting.

We will assume you have all the minimum data sets ready for hunting to begin, flowing somewhere easily queried: network logs (firewall, proxy, VPN and other sources, WITH X-Forwarded-For headers enabled), server logs (Windows, Linux/UNIX, big iron, etc.: authentication, event, security, configuration, etc.), service logs (DNS, HTTP, SMTP, etc.), and security logs (network and application scanning, malware, file integrity, endpoint configuration, IDS/IPS, honey traps, tarpits, etc.).

We will assume your program has all of the patching, hardening, scanning, vulnerability discovery, network segmentation, access control audits (including employee add/remove/change processes), strong authentication and other standard control sets.

Before pursuing commodity intelligence offerings, there are some strategic conversations to be had:

- What are your key business challenges and concerns?
- Where are the soft targets in your organization?
- How will success be defined in your hunting program?
- Do you have buy-in from business partner teams (IT server/endpoint/browser/line of business application/email/chat) confirming that investigations and corrective guidance will be implemented?

For those doing this already, sorry for reinforcing the obvious. If these questions give you pause, we should probably talk.

Hiring experienced threat analysts for hunting is harder than you think

It's extremely hard to hire quality threat analysts who are good hunters, and they come at a hefty price tag. Demand for threat detection is growing faster than the market can supply specialists, because it typically takes years of training and experience in threat detection and response activities for an analyst to develop the skill required to sniff out unknown threats. Even if they can afford the expense, many companies won't be able to offer analysts the environment and career path they are looking for. One way to get hunting expertise for your team without having to build a highly specialized team is to work with a security services provider who offers hunting as part of their threat analysis and incident response packages. Rapid7's Analytic Response Services are a great example of this type of service. You'll also get a cost advantage because the technology and staffing required to stand up a 24/7 SOC will be spread over many clients.

Hunting primarily makes sense for high value target organizations and security vendors

Because having an in-house hunting team is costly, it makes sense in specific situations:

- High value target organizations seeing attacks that nobody has ever seen before.
- Mature security organizations that want to compensate for immature detection methods.
- Security monitoring vendors who are researching and adding unknown attacks to their detection methods.

At Rapid7, our team of highly skilled incident responders hunts both on our own internal network and those of the customers that hire us. This helps us augment gaps in existing monitoring tools and build new detection methods for Rapid7 UserInsight, our user behavior analytics solution.

Invest in security initiatives that fit your capabilities and resources

When you build out your security program, look for technology that is a good fit for your team's resource constraints and skill level. I see a lot of technologies in the market that require highly mature security teams that only exist in the largest enterprises and government agencies. Employing these in your organization will fail if your tools don't match your maturity, resources, and skills. Our Program Assessment and Development Services can help assess where you are, build a road map of the steps that fit your threat profile and resources, and help you sell the plan to the executives and the board.

With Rapid7 UserInsight, we've focused on building a tool for companies that don't have large-scale teams for incident response but need great detection and investigation capabilities for stealthy attacks such as phishing, credential theft, and lateral movement. And once your team's maturity grows, you can also use hunting techniques with UserInsight's investigations feature. If you're interested in learning more, check out the videos on the UserInsight page. Also related: what is user behavior analytics?
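The post describes frequency analysis ("stacking") as the core hunting technique: collect the same metadata from every endpoint, count how many hosts each value appears on, and look at the rare end of the distribution. The script below is an added example, not code from the original post or from any Rapid7 product. It stacks a constructed process inventory by hash and by file name, surfaces the values seen on only one or two hosts, and flags file names that map to more than one hash (a familiar name with unfamiliar content, the classic masquerade). The inventory rows, the field layout and the host names are assumptions about what a collector would provide.

```python
"""Frequency analysis ("stacking") of process metadata across endpoints.

Added example, not code from the original post or from any Rapid7 product.
The inventory rows are constructed; the field layout and the choice to key
on hash and on file basename are assumptions about what a collector gives you.
"""
from collections import defaultdict
import ntpath

# Constructed inventory: one row per (host, image path, hash, signed?)
SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
ALL_HOSTS = ("ws01", "ws02", "ws03", "ws04", "ws05", "ws06")
INVENTORY = [(h, SVCHOST, "h-svchost", True) for h in ALL_HOSTS]
INVENTORY += [(h, EXPLORER, "h-explorer", True) for h in ALL_HOSTS]
INVENTORY += [(h, CHROME, "h-chrome", True) for h in ALL_HOSTS[:4]]
INVENTORY += [
    ("ws05", r"C:\Program Files\Tool\tool.exe", "h-tool", True),
    ("ws06", r"C:\Program Files\Tool\tool.exe", "h-tool", True),
    # an unsigned binary named svchost.exe living outside System32
    ("ws03", r"C:\Windows\svchost.exe", "h-svchost-mod", False),
    # an unsigned binary in one user's temp directory
    ("ws05", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "h-update", False),
]
HOST, PATH, HASH, SIGNED = range(4)


def stack(inventory, field):
    """Map each distinct value of `field` to the set of hosts it was seen on."""
    hosts = defaultdict(set)
    for row in inventory:
        hosts[row[field]].add(row[HOST])
    return hosts


def rare_values(inventory, field, max_hosts=1):
    """Values of `field` seen on at most max_hosts hosts, least common first."""
    counts = {v: len(h) for v, h in stack(inventory, field).items()}
    return sorted((v for v, n in counts.items() if n <= max_hosts),
                  key=lambda v: (counts[v], v))


def name_hash_conflicts(inventory):
    """File names that map to more than one hash across the fleet."""
    hashes = defaultdict(set)
    for row in inventory:
        hashes[ntpath.basename(row[PATH]).lower()].add(row[HASH])
    return sorted(n for n, hs in hashes.items() if len(hs) > 1)


def hunt_candidates(inventory, max_hosts=1):
    """Rare hashes with their path, signing state and hosts; unsigned first."""
    by_hash = stack(inventory, HASH)
    meta = {row[HASH]: (row[PATH], row[SIGNED]) for row in inventory}
    cands = [{"hash": h, "path": meta[h][0], "signed": meta[h][1],
              "hosts": sorted(by_hash[h])}
             for h in rare_values(inventory, HASH, max_hosts)]
    return sorted(cands, key=lambda c: (c["signed"], len(c["hosts"]), c["hash"]))


if __name__ == "__main__":
    print("name/hash conflicts:", name_hash_conflicts(INVENTORY))
    for c in hunt_candidates(INVENTORY, max_hosts=2):
        print(f"{c['hash']:<14} signed={c['signed']!s:<5} hosts={c['hosts']} {c['path']}")
```

On this fleet of six hosts the two unsigned one-off binaries sort to the top, the legitimately rare tool.exe (two hosts, signed) sorts below them, and svchost.exe is reported as a name carrying two different hashes. The value of the technique scales with fleet size: the same query over thousands of hosts turns a long list of "unknown" hashes into a short list worth an analyst's time.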

Get Off the Hook: Ten Phishing Countermeasures to Protect Your Organization


The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important, as is having an incident response plan in case someone does get through. Here are my recommendations on how to defend against phishing attacks:

1. Filter emails for phishing threats

It's important that you filter your emails for malicious URLs and attachments to prevent phishing emails from making it to your users in the first place. Sandboxing can detect a lot of the malware in emails, but make sure that you have a follow-up plan in place if you're deploying this technology in detection rather than blocking mode; otherwise the malware is still live on your systems. Use security analytics to filter out malicious URLs. Rapid7 UserInsight uses threat feeds to detect known malicious URLs and security analytics to alert on unknown ones. It also integrates with sandboxing solutions, such as FireEye NX Series and Palo Alto WildFire, to enable quick and easy incident investigation of malware alerts.

2. Update client-side operating systems, software, and plug-ins

Some phishing emails include URLs that exploit vulnerabilities in the browser and its plug-ins, such as Flash and Java; others send file attachments that try to exploit applications like Adobe Acrobat or Microsoft Office. That's why it's important to patch vulnerabilities on your endpoints as well. Many organizations already have a vulnerability management program in place but only scan servers. Make sure you extend coverage to your endpoints and patch operating systems, software, and plug-ins. This not only protects you from phishing emails but also from drive-by attacks. Rapid7 Nexpose can help you manage vulnerabilities on your endpoints, and much more.

3. Harden your clients

Lock down your clients as much as possible. This includes things like not making your users local administrators and deploying mitigation tools like Microsoft EMET (check out this Whiteboard Wednesday on EMET for how to deploy this free tool). Rapid7 Nexpose Ultimate includes Controls Effectiveness Testing, which helps you scan your clients and guides you through the steps to harden them against phishing and other attacks.

4. Block Internet-bound SMB and Kerberos traffic

One of our penetration testing team's favorites is the SMB authentication attack. In this scenario, the attacker sets up an SMB service on the Internet and sends a phishing email with a URL or Word document that references an image through file:// rather than http://. This tricks the computer into authenticating to the attacker's SMB service with the user's domain credentials, handing the attacker the user name and the NTLM challenge-response (a Net-NTLM hash). That response can be cracked offline to recover the password, or relayed to another service that accepts NTLM authentication; it is not the NT hash itself, so it cannot be replayed directly in a pass-the-hash attack. To defend against SMB and Kerberos attacks, block TCP ports 88, 135, 139, 445 and UDP ports 88, 137, 138 to non-RFC 1918 IP addresses, both on the perimeter and on host-based firewalls. You'll also want a process in place to detect compromised credentials, for example Rapid7 UserInsight, which leads us to the next item on our checklist.

5. Detect malware on endpoints

Many phishing attacks involve malware that steals your data or passwords. You should have technology in place to detect malware on the endpoint. Regular anti-virus is great for catching commodity malware, which is likely the bulk of what you will see used against you. There are also many new endpoint detection vendors out there with great alternative technologies. Rapid7 UserInsight uses its agentless endpoint monitor to collect process hashes from all machines on your network and highlight known malicious processes based on the output of 57 anti-virus scanners; it also looks for rare or unique unsigned processes that may indicate malware.

6. Detect compromised credentials and lateral movement

Even with all of these protections in place, your users may still fall prey to credential harvesting attacks. A common phishing attack leads users to a fake Outlook Web Access page and asks them to enter their domain credentials to log on, but there are many variations. Once the attackers have the passwords, they can impersonate users. Rapid7 UserInsight can detect compromised credentials, both on your network and in cloud services such as Office 365, Salesforce.com and Box.com. It detects lateral movement to other users, assets, or to the cloud, so you'll be able to trace intruders even if they break out of the context of the originally compromised user.

7. Implement 2-factor authentication

Add 2-factor authentication (2FA) to any externally facing system to stop attackers from using stolen passwords. While Rapid7 doesn't offer a solution in this space, check out our partners Okta and Duo Security. All systems protected with Okta (Rapid7/Okta Integration Brief) or Duo Security can be monitored with Rapid7 UserInsight to help detect any attempts to use compromised credentials.

8. Enable SPF and DKIM

There are two standards that help a recipient determine whether an email actually came from the sender domain it claims, to detect email spoofing. The first is the Sender Policy Framework (SPF), which adds a TXT record to your DNS listing all servers that are authorized to send mail on your behalf. The second is DomainKeys Identified Mail (DKIM), which is a way for an email server to digitally sign outgoing mail, proving that an email came from a specific domain and was not altered in transit. Together, they raise the recipient's confidence in the authenticity of the sender and the email content. To help improve security hygiene, check that your systems have both SPF and DKIM enabled on your outgoing email. For incoming email, check whether the sender domain has SPF set up and the email came from an authorized server, and that DKIM-signed emails have not been tampered with. While these protections are not bulletproof against targeted attacks that register look-alike domains (the attacker's own domain can carry a perfectly valid SPF record), they can help filter out a lot of mass phishing.

9. Train your employees on security awareness

While even educated users won't catch everything, they are worth investing in. Train your users on how to detect phishing emails and send them simulated phishing campaigns to test their knowledge. Use the carrot, not the stick: offer prizes for those who detect phishing emails to create a positive security-aware culture, and extend the bounty from simulated to real phishing emails. Whenever you see new phishing emails targeting your company, alert your employees about them using sample screenshots of the emails with the phishy features highlighted. Encourage your users to use secure browsers; I put Google Chrome (64-bit version) at the top of my list for security and usability. Here at Rapid7, we offer Security Awareness Trainings; you can also send phishing simulations with Rapid7 Metasploit Pro that track click-throughs so you can report on user awareness.

10. Have an incident response plan

Even if you put all of these protections in place, some phishing emails will get through, especially if they are targeted against your organization and tailored to the individual. It's not a question of whether these emails will get through but of how well you are prepared to respond to intruders on the network. Rapid7 UserInsight enables you to detect compromised users and investigate intruders that entered the network through a phishing attack. This helps you shorten your time-to-detection and time-to-contain, reducing the impact of a phishing attack on your organization. In addition, Rapid7 offers incident response services and can help you develop an incident response program.

While these areas cover the most important counter-phishing measures, I'd love to hear if you've implemented anything else that you found to be effective; just post your experience in the comments section. If you're looking at defending against phishing attacks, you may also enjoy my related webcast “You've Been Phished: Detecting and Investigating Phishing Attacks”; register now to save a seat to ask questions during the live session.
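Item 8 says to check, for inbound mail, that the sender domain publishes SPF and that the connecting server is authorized by it. The evaluator below is an added example, not code from the original post or from any Rapid7 product; it walks a domain's SPF record the way RFC 7208 describes, following include: mechanisms and stopping at the first match. DNS answers come from a constructed table instead of real TXT lookups, the domains and addresses are documentation values, and only the ip4, ip6, include and all mechanisms are implemented (a, mx, exists and redirect= are reported as permerror here, where a real evaluator would resolve them). It also shows the caveat from the text: a look-alike domain with its own valid record passes, because SPF only proves the mail came from a server the claimed domain authorized.

```python
"""Minimal SPF (RFC 7208) evaluation of a sender IP against a domain's policy.

Added example, not code from the original post or from any Rapid7 product.
DNS answers come from the constructed DNS_TXT table instead of real TXT
lookups; domains and addresses are documentation values and are assumptions.
Only ip4, ip6, include and all are handled; a, mx, exists and redirect= are
treated as permerror here, which a real evaluator would resolve.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "soft.example": "v=spf1 ip4:203.0.113.0/28 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    # a look-alike domain an attacker registered, with its own valid record
    "examp1e.com": "v=spf1 ip4:203.0.113.99 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(domain, sender_ip, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(arg, sender_ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral inside an include only means "no match here"
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unsupported mechanism in this simplified evaluator
    return "neutral"  # no mechanism matched and no "all" term was present


def inbound_action(result):
    """One reasonable mapping from an SPF result to a mail gateway's action."""
    return {"fail": "reject", "softfail": "quarantine",
            "permerror": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.45"), ("example.com", "198.51.100.11"),
                       ("example.com", "198.51.100.99"), ("soft.example", "203.0.113.200"),
                       ("examp1e.com", "203.0.113.99"), ("loop.example", "192.0.2.1")]:
        r = check_spf(domain, ip)
        print(f"{domain:<24} {ip:<16} {r:<9} -> {inbound_action(r)}")
```

Note that examp1e.com passes for the attacker's own server: SPF says nothing about whether the domain is the one your users think it is, which is why it filters bulk spoofing but not a targeted look-alike campaign.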

CISOs: Do you have enough locks on your doors?

In a previous blog post, I referenced some research on how people plan for, or rather how they fail to plan for, natural disasters like floods. At the end of the blog post I mentioned that people who have poor mental models about disasters fail to prepare fully. I keep coming back to the idea of mental models because it starts to explain why we have such a gap between security practitioners and senior executives.

I asked one CISO how he talks to other executives and the company's board about a recent breach in the news. He told me that the CEO doesn't have much time for security, so he uses a shorthand. He talks to the CEO in analogies. He explains that they've already put metaphorical locks on the front door, but to be sure that they don't make the same mistakes as the latest company in the news, they'll need to put locks on the back door.

This approach isn't uncommon, but it has a few flaws. First, it doesn't take much time to show that this analogy doesn't work well. The way attacks work today, the attackers will not be prevented from breaking into this metaphorical house. Instead, they'll get a ladder from the garage and climb in the upstairs bedroom window. Of course, you can put more locks on those windows, but again, the attackers are going to find a way in if your security strategy is based solely on locks (prevention). In this analogy, where are the other defender activities like identification, detection, response, and recovery?

The second reason the lock analogy fails is that it tends to create a problem/solution dynamic. If it's a bug, go fix it. But again, that's not how the attackers work. In other spaces this approach can work. For example, if your web site is experiencing performance problems, you can assign an appropriate engineer to fix the problem. After some analysis, she'll come back with recommendations. Maybe she'll propose buying more machines/instances, or maybe there's a bottleneck in the code that can be refactored given the new website load patterns. But in general, she'll be able to fix the problem and it will stay fixed.

That's not how security works. When the defenders make a change that improves security, the attackers get to decide whether the cost of the attack is worth continuing or not. Or perhaps they're already so far into the network that the improved security doesn't affect them. In many cases, they'll modify their approach or tools to get past these changes, and the security improvements will be little more than a short-lived setback.

If you are an executive who views security decisions through the “problem/solution” lens, you'll be tempted to offer the security team budget or headcount to “fix” the problem. Someone presented you with a problem, and you gave them a solution. Implicit in this transaction is a shift of the responsibility and accountability back to the security team. They asked for money for more locks, and you gave it to them. If there is a breach, the security team will be accountable, not you.

The metaphor of locks on doors isn't the only one you've heard. Others include outrunning the next guy rather than the bear, hard crunchy exterior/soft chewy interior, seat belts, guard rails, airbags, and so on. Bruce Schneier also talked about the problems of metaphors:

“It's an old song by now, one we heard after the 9/11 attacks in 2001 and after the Underwear Bomber's failed attack in 2009. The problem is that connecting the dots is a bad metaphor, and focusing on it makes us more likely to implement useless reforms.”

Trying to communicate using the wrong mental models leads to real problems for security practitioners and the data they are trying to protect. So what are the right mental models? The single biggest improvement you can make in your mental models is to understand that you are up against dedicated, human adversaries. Until defenders, executives, and stakeholders in an organization internalize this fact, we will continue to see them miscommunicate and then plan and execute poorly. And the results will be security by tool rather than security by strategy. And that will lead to more breaches in the news (and many not!).

The key words to ponder are “dedicated” and “human”. In some cases, the attackers have a job, and they are being paid to attack you. Or maybe they feel a moral purpose in attacking you. Some work alone, some in teams with different specializations. But they are dedicated. And of course we know that they are human. But that has implications that most executives (and many security teams) haven't pondered. It means they read about your latest acquisition and begin to probe the target company as a way into yours. They can correlate previous breach data with your employees to find a likely candidate for a spear phishing attack. They look for your technical debt. They find systems orphaned by a recent reorg or layoff. Humans can be creative, patient, and insightful.

As an aside, all of this makes security unlike any other part of your organization. No other part of your organization has the sort of dedicated, human adversaries that seek to benefit from the value of your data in the way security attackers will. What about the legal team, you may ask? Don't they have dedicated and human adversaries? Yup. But let's walk through the steps in a legal “attack”. First, the adversary notifies you that you are under attack. While there have been some high-profile announcements that a company's networks and systems were under attack, it's not common. As a reminder, the average time between intrusion and detection is measured in months and quarters. During that time, the attack takes place without anyone knowing. Next, both the attacker and defender play by roughly the same rules, and those rules are enforced by a neutral referee who decides if both sides are abiding by them. You get the idea. The legal analogy isn't even close to what infosec defenders deal with.

There's a common saying in the CISO world that “security practitioners need to learn to speak the language of the business”. That's absolutely true. There's no doubt in my mind. We need to continue to learn how the business works, and we need to get better at saying “yes” while at the same time reducing risk. That is necessary but not sufficient for us to close the gap between security people and senior decision makers. The other major factor will be those senior decision makers breaking free of simplistic metaphors and faulty mental models. It's never really been a communication gap. It's been a mental model gap. Without shared mental models, communication will always be faulty.

Getting all levels of an organization aligned on the right mental models is clearly not an easy task. What will work in one organization isn't what will work for another. Not all stakeholders understand the importance of spending time to learn how attacks work. However, I would propose a few things.

If you are a security practitioner, don't shy away from teaching others how attacks work. You should be looking at your security program through the lens of a kill-chain or attacker lifecycle model. When you present, teach people how you think. Explain why this next budget request will address a specific concern, but that others remain. Explain what you think your adversaries will do next. Resist the temptation to reduce those complex dynamics down to locks on doors. Focus your conversations on models, not metaphors. That's true for all your communications, reports, quarterly plans, and elevator chats.

If you are a senior decision maker and don't come from a security or intelligence background, you may find it challenging and time consuming to learn to think more like an attacker. Resist the urge to say “I don't need to be a subject matter expert in security; that's why I have a security team”. While that statement is true, just by saying it you prevent yourself from learning just enough to make smart decisions. You are already expert enough in numerous other domains. Security and privacy awareness will be critical skills for your success in the coming years. Think ahead to the inevitable (yes, inevitable!) breach where outsiders will hold you accountable in potentially unexpected ways. Assess your organization's culture of security objectively rather than the way you hope it is. And make sure your actions match your words.

Have a story for me about mental models gone wrong? Drop me a line on Twitter at @boblord. If you want to tell me confidentially, send me a DM! My Twitter settings allow you to DM me even if I don't follow you.

FTC can charge public companies with unfair trade practices for failure to protect customers data

The Third Court of Appeals upheld the Federal Trade Commission's decision to sue Wyndham Worldwide for at least three data breach incidents that occurred between 2008 and 2010. The incidents exposed more than 600,000 consumer payment card account numbers and led to more than $10 million in fraud loss, according to the FTC complaint. Wyndham Worldwide had challenged the FTC complaint in an appellate court, saying the FTC was overreaching its authority, but lost the appeal in a 3-0 vote. The unanimous ruling is important because it shows the government is taking bold steps toward holding data custodians accountable for the data in their care, and the courts are agreeing with them.

The Wall Street Journal blogged about this, and put out a call to CIOs to be careful about how they handle data security. “CIO[s] should act defensively to mitigate the company's exposure to claims by the FTC and other government regulators,” state the authors. The article mentions several important points:

Compliance with the NIST Cyber Security Framework. The National Institute of Standards and Technology Cyber Security Framework is guidance, based on existing standards and good security practices, to better manage and reduce organizational risk. This is becoming an implied de facto standard for cyber security. The challenge for organizations is determining the relevance of, and how to implement, the more than 350 recommendations in the NIST CSF.

Updating of data and privacy policies. Even if your company has data security policies, when were they last reviewed and revised to include defense against the most recent threats? Any organization that handles HIPAA data or PCI data is required to do ongoing reviews to ensure their security measures are current and compliant, and may be required to demonstrate this to auditors.

Report by a respected third-party consultant. A security assessment is a key step in understanding your organization's level of readiness and maturity. It reveals security gaps and the associated risks, and can help organizations factor high-impact investments into their future business plans. Annual security assessments from respected security consultants can help your organization adapt to new threats, increase employee awareness, and assist in the formulation of a strong security strategy.

The government is getting serious about data breaches. The gap between what is required for protecting data and the knowledge of organizations to implement this is widening. As data continues to grow, and more rules are passed on how it is to be governed, this gap, and the accompanying fines, will become paramount issues for enterprises to manage.

Rapid7's Global Services organization has experience in all of these areas, and partners with clients to assess organizational security maturity, provide recommendations and advice on how to address gaps in security processes and procedures, and assist in the development of security programs and policy. These engagements help clients reduce their security risk through the delivery of robust, repeatable and easily governed processes. I am happy to answer any questions you might have regarding security maturity, cybersecurity frameworks, or a host of other information security services. Please feel free to contact me @JoelConverses on Twitter or Skype. I look forward to chatting with you!

- Joel Cardella
