You spin the top and wait to see whether it continues in kinetic motion or falls to the pull of gravitational force. You trust that the road chosen, the path of serendipity toward an anticipated culmination in the correct state of scientific innovation – which, in this case, has been forged to deliver a true state of cyber security – is the right one. The question is, after investing much time, effort and finance in support of the anticipated goal, does the spinning top fall, or does it continue to spin in an unrealistic world of imagined expectation?

The above introduction may seem very unconventional, but I believe it can be aligned to the real world of security and successful hacks, associated with some areas or deep-rooted breaches that have manifested into significant and expressive compromises of what were supposed to be secure assets and infrastructures.

As an example, take the UK-based organisation that had invested in commissioning an IT security company to support its mission to deliver robust cyber security defences into its operational area. Following ISO/IEC 27001 reviews, consultations and risk assessments, several observations were made and followed up on to deliver the desired level of recommended security. And yet, even after the delivery of these expensive, long-term professional services, the organisation suffered a breach of its firewall and security infrastructure, a compromise of its WiFi network, and an almost complete breach of its servers and desktop systems. This must surely pose the question: just how could this be?

The second example is the company that sought security support after what it considered to be a run-of-the-mill, low-level security compromise by ransomware – which, after days of investigation, transpired to be a case of an attack by international actors who had managed to compromise several key sensitive targets.
Again, I pose the question: how can such widespread security incursions and compromises take place after such organisations have engaged professional services that were anticipated to deliver security? OK, so I do accept that there is no such thing as 100% security – and that most organisations have been, or will be, breached. But my point here is that where such widespread security breaches do occur, impacting just about everything from the firewall down to servers and workstations, together with the complete compromise of the WiFi network, something drastic has gone wrong with the delivery of the onion rings of security, allowing such wide and seemingly unfettered access to supposedly secured operational assets.

In the case of one of the serious incursions, the indications of a lack of professional understanding and skills got much, much worse. Upon encountering the widespread breach, the first reaction was not to conduct a forensically sound investigation to acquire the related information and artifacts and assess the situation in flight. The response was instead to conduct a penetration test, after the horse had bolted, to locate the root of the incident (wherever that root – or roots – may be). Actions of this nature, when engaging a cyber security incident as a first responder, not only display a fundamental lack of professional understanding but also have the potential to further compound the breach in flight.

The point I am seeking to make here is that the days of putting complete trust in an ISO/IEC 27001 top-level audit, or in a risk assessment with the application of soft information assurance skills, are now long past their sell-by date. We are in a time in which we must conjoin such high-level soft skills with real-time technical prowess, ensuring that what has been recommended at the higher, soft level is joined with lower-level, back-to-basics, old-fashioned skill sets.
That means assuring that systems are patched and configured in such a way that they strike a balance between permitting authorised access and, hopefully, denying all other potential intrusions. And of course, it means provisioning penetration testing services before, and not after, the fact. Organisations that are paying premium prices for services also need to start evaluating any real-time shortfalls in security to assess whether they are acceptable and justifiable encounters, or whether they are the product of lacklustre consultancy that has missed the technical security point in its entirety. And in the worst-case situation, when a widespread breach does occur en masse, the procuring organisation should seriously look at swapping out the provider it has and swapping in one with the required level of skill set – aligned not to yesterday’s approach to IT security and assurance, but to a real understanding of the implications of the cyber threat in our current age.

So, if on the long serendipity road of attempting to deliver a robust and meaningful security posture you happen to spin the top and notice that it is in continuous flight, it may be time to bite the bullet and move the mission into a real-world perspective, where the top can, does and will fall over.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.