Skip to main content

Top 10 InfoSec Mistakes

This is my Top 10 list based on what common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness.

1) No CISO Left Behind
Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. Its often only measured on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, yet have advanced the program further than any of their predecessors.

Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal brand or with vendors, versus directly advancing the goals of the organization. 
2) Chasing Corns
It is all too common for organizations to flat out ignore doing essentials like prioritizing assets by risk, getting their employees properly trained, or auditing service accounts. Instead people tend to chase unicorns like deception technology, cyber pathogens, cyber camouflage, artificial machine intelligence, or becoming a producer of threat intelligence.
Recommend: Must have addressed or shown significant traction in the SANS Top 20 controls, before pursuing whatever hotness is being pedaled at RSAC. 
3) Tooltopia
Many of the Fortune 200s have never met a tool they didn't like. This seems to be very typical in organizations that have experienced a breach and bring in a new CISO that was failing, but came from big name company. They then proceed to spend all that money and still get hacked. Joe McCray was right.
Recommend: Do not allow CISOs to talk about tools by name, only capabilities and ensure that any solution purchase is fully operationalized before new projects can be initiated. Effectively force the CISO to strategize around people and process and don't let them use the tool crutch.
4) Wounded Knee
Guess what time it is? Its Monday morning and your management just read the latests news. Its time for the old knee jerk reaction and a bunch of stuff rolling downhill. This commences a colossal waste of resources, including a bunch of reply to all emails and meetings about meetings.
Recommend: Establish ground rules regarding this type of behavior. Limit the spinning up of massive conference calls or data calls, until an official severity or risk determination by a technical resource has been made. Also, I highly advise creation of a threat portal where such information can be proactively published to stakeholders.
5) Rockstar Recruiting
It's not news that if you throw big money at talent, some will take the bait. Where the chronic failure seems to be in actually retaining that talent. There is also a reason why most people feel the exit interview is a complete joke. How much more cost effective is it to ensure your existing people are happy versus continually have to rebuild your team? Also, ignoring people with passion but no experience is detrimental to your staffing. I don't see a lot of excuses for not always at least having one intern or noob that your are building up. And its important to take note of your staff who hoard knowledge and refuse to mentor.
Recommend: Document and escalate the underlying issues that are causing people to leave the organization early. I recommend reading this story for a classic case of HR failing to do their job. I also highly advise rewarding mentorship financially within your organization.
6) Failing to MFA All The Things
To me this is one of the best allocation of resources you can make with a very high ROI. Moving as many applications and servers behind two factor authentication as possible. This is the exact opposite of long term money pits like DLP or NAC. Also, hiding behind user convenience is no longer a defensible position.
Recommend: Start planing and executing today, not after a breach. Both Duo and Microsoft have affordable options.
7) Strategic Firewall
This isn't the firewall as you know it. If you are familiar with the Big4, there was a concept of keeping a firewall between the audit and advisory practice. Similarly for big banks, it was keeping the retail and investment banking business separate. This was there for a very critical reason. To avoid conflicts of interest and limit risky practices. Knowing this, you should not accept strategic advisory services from the company selling you solutions. They will only try to sell you products that give them the highest percentage of sale or allow them to wrap extra service dollars around. Unfortunately its never about advising on the best product because of repeatable tests and real world PoCs that haven been documented.
Recommend: Internal audit and the BoD compliance committee should be tasked with uncovering and addressing this serious conflict of interest.
8) Following the 20/80 Rule
Stop pursuing controls for niche security threats. Yes that threat may even be in the news (fake and real), but are you sure it applies to your organization or vertical? There seems to be an unhealthy obsession over zero days as well. I agree with others, you may not be important enough to get a zero used on you. 
Recommend: Use templates for creating your organizational threat models to avoid security theater. This will properly align your strategy to the threats you are facing. And if a threat actor decides to burn a zero day on your org, kudos to you because your actually winning. Also, please capture it and responsibly disclose it to the vendor.
9) Premature Nuke From Orbit
This is definitely one of my pet peeves. A SOC manager has mentally checked out and is just firing off reimage requests and never determining root cause. That AV alert may have just been nation state, but you will never know now. If your ticket says alert X fired, computer rebuild completed and nothing else you should be excommunicado from InfoSec club.
Recommend: Quarterly review of all SOC ticket closures to determine where no RCA was determined. In addition, establish documented process for harvesting indicators and context from internal incidents.
10) Logging/Tapping All The Things
This isn't all that horrible, but its still counter productive and very common none the less. Logging everything, including events of no security or audit value makes little sense. Then people turn around and store that same data for 5 or more years. Someone best described this as useless pools of liability. The same goes for overloading your network sensors with encrypted traffic or traffic from your core. There is not much ROI here and it creates a tremendous amount of noise for you security analysts.
Recommend: Implement a tiered logging strategy for retention and filter out log events or log types with no practical use. This has the added benefit of potentially reducing your SIEM licensing costs. If you plan on tapping everything, do not feed it into your analyst console until you have proven they are staffed well enough to monitor all internet gateways and DMZs.


Popular posts from this blog

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.

If you are interested in jumping straight the slides you can visit here.
OpeningThe conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statis…

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool.

A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up the elevator to my ro…

Hacking Exposed Notes

Hacking Exposed Notes

Footprinting – profiling an organization Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget

Win – Teleport Pro

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($)

Web – DogPile

Registered Networks – internet whois searches

Current Registrars

Unix – Whois, Xwhois

Unix - $ whois “acme.” (list possible domains)

Unix - $ whois “HANDLE JS1234” (list POC info)

Unix - $ whois “” (list email info)

Web – US

Web – International

Web – US Military

Web – US Gov

DNS Interogati…