CISO Message to the Board about Breaches

CISO’s and Breaches

It’s very clear to us how hard CISOs work to prevent breaches and how their influence is often limited in the face of perceived business requirements. This has given rise to CISOs re-branding themselves. They now call themselves as ‘business enablers’ or ‘corporate risk assessment specialists’.

This gives rise to the ‘prevention versus detection’ debate. The nature of the problem means the debate gets very technical very fast and therefore, are beyond the board’s appetite to digest. We’ve put this article together to help Infosec professionals find the right messages to delivery at board level.

It’s simple really

All the arguments follow a similar form. “The hackers use this complex attack or Social engineering technique to find a chink in the armour”.

At this point the board have switched off. They don’t understand the low-level technology and why the millions spent on firewalls are failing.

But they have already tuned out before the most important part that comes next. “After finding the chink the hackers search for a privileged account to hijack”.

That’s it, right there, an attack has no teeth until it has control of a privileged account! The 2014 statistics show that 98.8% of all breaches used a privileged account. 86% of the passwords to those accounts were stolen from desktop systems or network drives. 10% obtained through social engineering (Phishing) and 4% guessed using a brute force process.

The curious board member would ask why is this happening now? What’s changed? Well it has its roots gradual shift towards the cloud and outsourcing. There are some cost advantages gained but also many security opportunities lost.

Cloud and Outsource

Hardware and OS management costs reduced

Day to day Malware management reduced

No need for secure facilities to house servers

No need for expensive IT generalists

On Premise Data Centre and own IT Team

Lack of clarity on who has access to system and root accounts

Likely to become outsourced by the outsourcer. Now you have third and fourth parties with system level access to your applications

Lack of clarity about who has console access to your servers

The lowest paid people now have the highest privileges to your servers and data

Because of this, you don’t get to keep all the savings of outsourcing, some of it needs to redirect into increased security.

The Obvious

We’ve established that any attacker, internal or external needs to get access to a privileged account. Therefore, it makes complete sense to protect these accounts. We’ve further established that if we allow people to manage their passwords they’ll store them on their desktop. They may choose simple passwords or give them away to a phishing attack. Our approach: separate the people from the passwords – It’s that simple. No passwords to store, choose or give away to phishing site.

Messages to the Board

We can break these down into functional areas:

Firewalls control traffic across network boundaries. They also hide systems from direct sight of the Internet

Content security blocks the flow of known and likely malware from traversing the network.
Intrusion Detection lets you know the probability of a breach in a system or application.
Privileged Account Management controls who can do what, where and when on your systems and applications.

All sensible security policies will have a blend of all these. Osirium PAM does Privileged Account and Privileged User Management very well.

‍