23
July 2015
CISO Message to the Board about Breaches
Andy Harris
It’s very clear to us how hard CISOs work to prevent breaches and how their influence is often limited in the face of perceived business requirements. This has given rise to CISOs re-branding themselves. They now call themselves as ‘business enablers’ or ‘corporate risk assessment specialists’.
This gives rise to the ‘prevention versus detection’ debate. The nature of the problem means the debate gets very technical very fast and therefore, are beyond the board’s appetite to digest. We’ve put this article together to help Infosec professionals find the right messages to delivery at board level.
All the arguments follow a similar form. “The hackers use this complex attack or Social engineering technique to find a chink in the armour”.
At this point the board have switched off. They don’t understand the low-level technology and why the millions spent on firewalls are failing.
But they have already tuned out before the most important part that comes next. “After finding the chink the hackers search for a privileged account to hijack”.
That’s it, right there, an attack has no teeth until it has control of a privileged account! The 2014 statistics show that 98.8% of all breaches used a privileged account. 86% of the passwords to those accounts were stolen from desktop systems or network drives. 10% obtained through social engineering (Phishing) and 4% guessed using a brute force process.
The curious board member would ask why is this happening now? What’s changed? Well it has its roots gradual shift towards the cloud and outsourcing. There are some cost advantages gained but also many security opportunities lost.
Hardware and OS management costs reduced
Day to day Malware management reduced
No need for secure facilities to house servers
No need for expensive IT generalists
Lack of clarity on who has access to system and root accounts
Likely to become outsourced by the outsourcer. Now you have third and fourth parties with system level access to your applications
Lack of clarity about who has console access to your servers
The lowest paid people now have the highest privileges to your servers and data
Because of this, you don’t get to keep all the savings of outsourcing, some of it needs to redirect into increased security.
We’ve established that any attacker, internal or external needs to get access to a privileged account. Therefore, it makes complete sense to protect these accounts. We’ve further established that if we allow people to manage their passwords they’ll store them on their desktop. They may choose simple passwords or give them away to a phishing attack. Our approach: separate the people from the passwords – It’s that simple. No passwords to store, choose or give away to phishing site.
We can break these down into functional areas:
All sensible security policies will have a blend of all these. Osirium PAM does Privileged Account and Privileged User Management very well.