CISOs must “plan for stupid” when evolving security plans: former US govt CISO

Technological obsolescence, misplaced budget and inadequate risk conversations are leading businesses “to disaster”

Credit: Picture taken by David Braue at the scene

Businesses are “insanely following the path to disaster” by ignoring the role of people and process in minimising cybersecurity risk and overinvesting in technology instead, a former United States CISO and cybersecurity executive has warned.

Technology has a role in providing security defences, but because human factors are involved in most breaches, security executives “have to plan for stupid,” retired US Air Force Brigadier General Gregory Touhill told attendees at the AISA National Cybersecurity Conference 2018 in Melbourne this week.

“I would argue that 95 percent of the downtime you will have is going to be because of your careless, negligent, and indifferent employees,” he said. “We have to rely heavily on trust, but trust is presumed and it’s misplaced.”

Touhill – a certified CISSP and CISM whose military career led him to direct the US government’s National Cybersecurity and Communications Integration Center (NCCIC) and eventually to serve as the country’s first federal CISO under President Barack Obama – now serves as president of Cyxtera Technologies’ Cyxtera Federal Group.

He has worked across a spectrum of investigations including the cleanup of the massive 2015 Office of Personnel Management (OPM) data breach – which he called “a billion dollar error” due to direct and indirect costs from providing millions of affected people with identity-theft protection.

Technology as a weakness

Such events have highlighted the futility of security strategists trying to block every possible attack using technology – particularly because, Touhill noted, TCP/IP “is a weak security foundation: we connect and authenticate, and then you can see anything.”

Military hackers have long leveraged that architecture to do reconnaissance on networks without even having to enter access credentials: “you can almost go up and put your hand on somebody’s shoulder,” he said. “You can look at their network and every device on there, how it’s configured, what patches are on there – and then you just go through your toolbox to see what you can do.”

Despite knowing that their existing systems were often insecure, many companies had clung to them for far longer than they should have, for fear of disrupting business continuity.

This had been particularly common within government agencies such as NASA – which had long maintained 1960s and 1970s-era computers designed to communicate with distant space probes – and the US Department of Defense, which a 2016 Government Accountability Office audit found was still coordinating its nuclear forces with a command-and-control system running on 8-inch floppy disks.

The security exposure of such systems constitutes a massive risk, Touhill said while noting that even ubiquitous technologies like firewalls and virtual private networks (VPNs) were over 20 years old and due for a fresh approach.

The risks of such technologies must, he said, be moderated by not only modernising technology, but modernising people and partner relationships to support the reduced risk profile.

“You have to make a decision to get risk to a level that you can accept,” he said. “It’s time to take a look at what problems we are bringing in by continuing to use the old stuff. And I would contend that we need to look at the recapitalisation of your IT as a strategic part of your defence strategy.”

Touhill offered seven key strategies for companies to make meaningful improvements to their cybersecurity risk exposure. These include authenticating everything as part of a zero-trust model; software-defined perimeter technology that mandates role-based access controls and connects users only to the resources they are authorised to see; a proportional defence that concentrates spending on high-value assets; use of DMARC to reduce exposure to phishing attacks; planning for regular depreciation and recapitalisation of equipment; caution in adopting cloud-based infrastructure; and investing in training.
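Of the seven strategies, DMARC is the one with a concrete, checkable artefact: a published policy that is easy to deploy in a monitoring-only form that blocks nothing. The following is an added example (written for this page, not code from Touhill, Cyxtera or the article) that parses a DMARC TXT record and grades how much of the phishing exposure it actually removes. The three record strings are constructed for illustration; the DNS lookup of `_dmarc.<domain>` is deliberately left out so the example runs offline.

```python
"""Grade the strength of a DMARC record (added example, not from the article).

The record strings below are constructed for illustration. In practice the
record is the TXT entry at _dmarc.<domain>; fetching it is left out so the
example runs offline.
"""

# How much protection each p= value gives against spoofed mail that fails
# SPF/DKIM alignment: none only reports, quarantine junks, reject bounces.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Follows the tag-list syntax of RFC 7489 section 6.4: tags are separated
    by ';', the record must begin with v=DMARC1, and p= is mandatory.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag {part!r}")
        tags[key.strip().lower()] = value.strip()
    if not record.lstrip().lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record: must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def grade_dmarc(record: str) -> dict:
    """Return the effective policy plus the gaps that still let phishing through."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown p= value {policy!r}")
    pct = int(tags.get("pct", "100"))
    # sp= governs subdomains; RFC 7489 says it defaults to p= when absent.
    sub_policy = tags.get("sp", policy).lower()

    findings = []
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p={policy}")
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains remain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports to tune with")

    return {
        "policy": policy,
        "pct": pct,
        "subdomain_policy": sub_policy,
        # Only a full-percentage, non-monitoring policy actually blocks spoofing.
        "enforcing": policy != "none" and pct == 100,
        "findings": findings,
    }


# Constructed sample records for the three common states of a DMARC rollout.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_ROLLOUT = "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com"

if __name__ == "__main__":
    for name, rec in [("monitor-only", MONITOR_ONLY),
                      ("partial", PARTIAL_ROLLOUT),
                      ("enforcing", ENFORCING)]:
        result = grade_dmarc(rec)
        print(f"{name}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The check worth taking away is the `enforcing` flag: a domain that publishes `p=none`, or `p=reject` with a partial `pct=`, is still fully spoofable from the attacker's point of view, and a strong `p=` with a weaker `sp=` leaves every subdomain open even though the apex looks protected.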

Adjusting the risk conversation

Ultimately, these and other strategic changes would contribute to the evolving discussion about risk within businesses.

“Risk is part of a consensus,” Touhill said. “It’s part of a process that leads to a decision – and it’s very dynamic, and changes with time. Just because you made a decision in January about a certain risk, a new threat vector can come in. You should be constantly adapting.”

Increasing efforts by hackers to disrupt the integrity of core business data and systems would turn data integrity into the “next wave” of cyber attacks.

“Imagine the day that you come in and find that your data has been tampered with,” he said, “and you get a note saying ‘I’ve been lurking here on your network for several iterations of your backups – and you’ll need to pay if you want to preserve the integrity of your data, or clinical records. And if you want the records cleaned up I’ll tell you where else I’ve been messing with you’. That’s where we’re going if we don’t break the cycle.”

This kind of behaviour was likely to become more common because the widespread availability of attack tools had removed the need for criminals to develop their own exploits; novelty in today’s cybercriminal world lies more in finding new ways to turn those existing tools against targets.

Ultimately, changing perspectives on risk will map to real-world initiatives as companies review their security budgets and change their approach.

“We are insanely following the path to disaster if we keep doing what we’re doing now,” Touhill said. “Some folks try to buy down risk to zero – but you’ll never get risk to zero. You’ll just bankrupt your wallet.”

“Don’t spend the same amount of money defending everything equally; it’s a losing strategy, like pouring money into the ocean. I’d rather spend the right amount of money protecting my high-value assets.”

