During this pandemic, we are seeing more people online. This presents some real concerns for IT and security staff in EVERY organization. If it does not cause concerns, there is likely something wrong with the program. The question, is how do I build a world class cybersecurity program, while keeping costs low? The answer was discussed in the article I presented last week. Any good cybersecurity or executive will tell you that risk management is critical to the success of the business.
In this article, Jeff Elder, presents the idea that all companies are talking about “Zero Trust”, a concept that alludes to the fact that nobody is trusted. While I agree with the concept, I think that the technology is still just a concept. The reality is that people MUST be trusted. We can and should limit their access, we can and should force multifactor authentication, we can and should validate their security controls when accessing the network, and we should employ all of the other security tools, processes, training, controls, etc. The reality though, is that for me to say that I do not trust a high-ranking person like a CEO and have tools to enforce this model/concept is not complete. The first time I allow the CEO access to any system, application, document, etc., I am trusting him/her! I used to present the idea when publicly speaking that I can place a computer into a room with infinitely thick walls, ceilings, and floors, post armed security around it, ensure that the computer is not connected to ANY external source and has no wireless signals; as soon as a person enters the room (trusted or not) we have the potential for a security breach.
So, what does this all mean? It means that we have to find a way in which we can balance the needs of the business through the enablement of the business, keep costs manageable, and build quality security. The ONLY way this is possible is through a formal risk management process.
The Microsoft poll in this article presents the idea that “…while more than half of the business leaders (58%) reported budget increases for security and 65% for compliance, 81% also reported feeling pressure to lower overall security costs.” I believe that these pressures come from security teams making educated guesses, following the advice of salespeople who sell “a magic button” that stops security breaches, and who fail to properly assess and manage risk. If you are spending the right amount of money on your program, your risk assessment should help you to show your executives that your program is fine-tuned and operating efficiently.
Cybersecurity is always a balancing act. Good security personnel find ways in which to implement security controls that enable business users and the business. Good Security leaders make decisions based on quality risk management techniques, ensuring that costs are managed. What happens when we identify risk that cannot be appropriately mitigated?
With COVID-19, our world has changed, and we have been forced to make decisions. I have heard from security professionals who say that they are ready to quit their jobs because COVID-19 has opened up a world of insecurity and that “the execs don’t care”. I submit to you that the executive teams DO care, these professionals simply have not presented the information in a manner that allows for an appropriate decision.
This article is not one that is designed to have people migrate from any specific device or to create stir in the Android community, it is one of finding ways in which to balance risk. The Android platform is a great example.
Before I get into the risk management part, let’s use an example that you are likely facing;
Some years back, we (the company I worked for and myself) implemented a Mobile Device Management (MDM) solution. We then allowed select users (a small test group) to connect their (company owned) devices to segregated parts of the network. My SIEM quickly lit up, telling me that many (almost all) of the Androids were compromised and communicating with nefarious servers. I also began to receive complaints from end users that ranged from data being overwritten, to their phones not ringing, after the MDM encrypted the company data on the phones. Needless to say, we began to investigate and identify problems. We had to conduct a large amount of research and ultimately concluded that we could not use the MDM solution if our users could not receive great service. We also could not allow these devices to connect to our network as the data we were accountable for would be placed at risk.
This morning, I read a Wired article about Qualcomm releasing a fix that will affect around 90% of US user’s Android devices. The article presents the idea that “A BILLION OR more Android devices are vulnerable to hacks that can turn them into spying tools by exploiting more than 400 vulnerabilities in Qualcomm’s Snapdragon chip, researchers reported this week.” The article can be found here; https://www.wired.com/story/over-a-billion-android-devices-are-at-risk-of-data-theft/
In this situation, we have some choices that MUST be made;
We can ignore the issue, citing the fact that users have to be able to perform their jobs.
We can ban the devices.
We can add compensating controls (which must be tested and validated).
We can limit the user experience and lock the devices down.
We can elevate our concerns to management and ask for guidance.
What is the correct answer? Often, we make assumptions about what other people think that are wrong. Those Cybersecurity people who are ready to quit can breathe a sigh of relief; so can your executives!
As we deal with this situation, or any other situation, it is critical that we follow basic risk management techniques because the answer is going to depend upon the company, culture, type of data, and a variety of other factors.
As security professionals, we have an obligation to ensure that the company is successful and that the business is enabled through the use of cybersecurity. With COVID-19, this becomes a widespread concern. I hear this from customers and other decision makers daily. They ask me about how they should build secure home environments as their users are working from home. My answer is ALWAYS, “Consult your risk assessment!” If your risk assessment does not help you with an answer, I would recommend that you conduct a more mature risk assessment.
Proper risk management begins with discussions about the definitions of risk; each company is different. This flows into a process of understanding the risk tolerance of the organization. We then look at the business and determine the risks (this is a lengthy process that should be pages, not lines). We identify the likelihood and criticality of the risk being realized (I like to score the areas of Compliance Risk, Confidentiality Risk, Integrity Risk, Availability Risk, AND Company Image Risk). We then calculate the effectiveness of the controls we have in place that mitigate the risk to determine the residual risk.
Here is where it gets fun. We now must put together a comprehensive plan to address the risks. This should include multiple options for treating the risk, including the acceptance of risk. As security professionals, we are accountable to treat the risks we identify when they are within our ability to treat them. When they fall outside of our reach, we escalate them to management; not with a story of how we will be hacked, but with a discussion about the true concerns surrounding the risk. We then allow them to make an informed decision. We document their decision and move on; readdressing the risk when changes occur or upon agreed upon intervals. This is a cyclical process that must be done anytime something changes and at least annually.
When this process is followed, your risk assessment will guide you. Security practitioners will be relieved to know that they are not accountable with risk outside their control and executives will know that the security program is not just a money pit, it is a tool for the successful enablement of the business.
Cyber Self-Defense is the premiere information security firm enabling businesses to diligently protect against cyber-attacks through education, awareness and risk management. We pride ourselves on helping our customers unravel the mysteries of cybersecurity. Based in the Inland Northwest, and with over three decades of career enterprise security experience, we have the knowledge necessary to help you defend yourself. Cyber Self-Defense is a certified service disabled veteran owned small business (SDVOSB).