Skip to main content

Top 10 InfoSec Mistakes


This is my Top 10 list based on what common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness.



1) No CISO Left Behind
Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. Its often only measured on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, yet have advanced the program further than any of their predecessors.

Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal brand or with vendors, versus directly advancing the goals of the organization. 
2) Chasing Corns
It is all too common for organizations to flat out ignore doing essentials like prioritizing assets by risk, getting their employees properly trained, or auditing service accounts. Instead people tend to chase unicorns like deception technology, cyber pathogens, cyber camouflage, artificial machine intelligence, or becoming a producer of threat intelligence.
Recommend: Must have addressed or shown significant traction in the SANS Top 20 controls, before pursuing whatever hotness is being pedaled at RSAC. 
3) Tooltopia
Many of the Fortune 200s have never met a tool they didn't like. This seems to be very typical in organizations that have experienced a breach and bring in a new CISO that was failing, but came from big name company. They then proceed to spend all that money and still get hacked. Joe McCray was right.
Recommend: Do not allow CISOs to talk about tools by name, only capabilities and ensure that any solution purchase is fully operationalized before new projects can be initiated. Effectively force the CISO to strategize around people and process and don't let them use the tool crutch.
4) Wounded Knee
Guess what time it is? Its Monday morning and your management just read the latests news. Its time for the old knee jerk reaction and a bunch of stuff rolling downhill. This commences a colossal waste of resources, including a bunch of reply to all emails and meetings about meetings.
Recommend: Establish ground rules regarding this type of behavior. Limit the spinning up of massive conference calls or data calls, until an official severity or risk determination by a technical resource has been made. Also, I highly advise creation of a threat portal where such information can be proactively published to stakeholders.
5) Rockstar Recruiting
It's not news that if you throw big money at talent, some will take the bait. Where the chronic failure seems to be in actually retaining that talent. There is also a reason why most people feel the exit interview is a complete joke. How much more cost effective is it to ensure your existing people are happy versus continually have to rebuild your team? Also, ignoring people with passion but no experience is detrimental to your staffing. I don't see a lot of excuses for not always at least having one intern or noob that your are building up. And its important to take note of your staff who hoard knowledge and refuse to mentor.
Recommend: Document and escalate the underlying issues that are causing people to leave the organization early. I recommend reading this story for a classic case of HR failing to do their job. I also highly advise rewarding mentorship financially within your organization.
6) Failing to MFA All The Things
To me this is one of the best allocation of resources you can make with a very high ROI. Moving as many applications and servers behind two factor authentication as possible. This is the exact opposite of long term money pits like DLP or NAC. Also, hiding behind user convenience is no longer a defensible position.
Recommend: Start planing and executing today, not after a breach. Both Duo and Microsoft have affordable options.
7) Strategic Firewall
This isn't the firewall as you know it. If you are familiar with the Big4, there was a concept of keeping a firewall between the audit and advisory practice. Similarly for big banks, it was keeping the retail and investment banking business separate. This was there for a very critical reason. To avoid conflicts of interest and limit risky practices. Knowing this, you should not accept strategic advisory services from the company selling you solutions. They will only try to sell you products that give them the highest percentage of sale or allow them to wrap extra service dollars around. Unfortunately its never about advising on the best product because of repeatable tests and real world PoCs that haven been documented.
Recommend: Internal audit and the BoD compliance committee should be tasked with uncovering and addressing this serious conflict of interest.
8) Following the 20/80 Rule
Stop pursuing controls for niche security threats. Yes that threat may even be in the news (fake and real), but are you sure it applies to your organization or vertical? There seems to be an unhealthy obsession over zero days as well. I agree with others, you may not be important enough to get a zero used on you. 
Recommend: Use templates for creating your organizational threat models to avoid security theater. This will properly align your strategy to the threats you are facing. And if a threat actor decides to burn a zero day on your org, kudos to you because your actually winning. Also, please capture it and responsibly disclose it to the vendor.
9) Premature Nuke From Orbit
This is definitely one of my pet peeves. A SOC manager has mentally checked out and is just firing off reimage requests and never determining root cause. That AV alert may have just been nation state, but you will never know now. If your ticket says alert X fired, computer rebuild completed and nothing else you should be excommunicado from InfoSec club.
Recommend: Quarterly review of all SOC ticket closures to determine where no RCA was determined. In addition, establish documented process for harvesting indicators and context from internal incidents.
10) Logging/Tapping All The Things
This isn't all that horrible, but its still counter productive and very common none the less. Logging everything, including events of no security or audit value makes little sense. Then people turn around and store that same data for 5 or more years. Someone best described this as useless pools of liability. The same goes for overloading your network sensors with encrypted traffic or traffic from your core. There is not much ROI here and it creates a tremendous amount of noise for you security analysts.
Recommend: Implement a tiered logging strategy for retention and filter out log events or log types with no practical use. This has the added benefit of potentially reducing your SIEM licensing costs. If you plan on tapping everything, do not feed it into your analyst console until you have proven they are staffed well enough to monitor all internet gateways and DMZs.

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...