How old-school scams still work and why I'm fed up with FUD: One CISO's take on security
Life isn't getting any easier for chief information security officers (CISOs). Adversaries now range from teenage scammers to nation states, and techniques from crude to off-the-scale sophistication. On top of all that, it's not even always clear what the bad guys are attacking.
Along with the shifting threats, David Cripps, CISO at banking and asset management group Investec, is witnessing changes to the job itself.
"Historically, it's been viewed as a technology role and I think the majority of information security professionals still report into IT. That's going to change," he said.
Cripps has been at Investec for 12 years, starting with two years as network manager, two more as an IT security manager before being appointed to his present role.
"My reporting line is now into risk — a year ago we moved out of IT. This isn't a technology thing anymore because it involves things like the supply chain and awareness of staff [about security issues]. There's no technology that's going to sort that out," Cripps said.
"It's not a tool you're going to buy anymore. Quite often it's a business decision. So it's got to be viewed as a business risk and the board has got to take it on board as another risk that they've got to manage as an organisation."
Secure your business processes
Security has long since been more than antivirus and firewalls and is a consequence of doing business, says Cripps.
"Whatever industry you're in, your information is paramount. It's not just the technology that stores that information. There are threats beyond that you need to look at and take into account, and it's not done in an IT and technology sphere."
Cripps believes this point about the non-IT nature of information security applies to all industries and sectors. But he inevitably cites an example specific to his own industry — rogue traders.
"There's a term in the industry called toxic pairs, where you've got access to a front-office system and a back-office system. Someone should have picked up straightaway that [rogue traders] had access to systems that were incompatible," he said.
"It's not a technology that's going to stop that. It's someone at a management level stepping back and saying, 'Actually those people have got access to two systems they shouldn't have access to'. It's a business process. It's a management decision that's got to be made."
The rogue trading example illustrates one of the four areas on which Cripps has to focus to manage exposure to security risks: staff, criminals, the supply chain and legislation.
"From a bad guy perspective, you don't know who you're going to deal with from one day to the next. It could be a member of staff writing something inappropriate on Facebook, to organised criminals trying to get access to our payments systems," Cripps said.
However, to be able to identify possible attackers, you need to understand who will benefit from the information you're trying to protect. The motives are wide and varied.
"From people trying to do it for financial gain, to people who are doing it for negotiating gain — if they're working on a deal against you or negotiating with you — to mischief makers who just want to take you off the air because they don't like what you stand for politically," Cripps said.
Even with that knowledge of possible motivations, it is not always clear why certain information is being targeted by an attacker.
"You're an investing company — an investment bank — talking to a mining company but then you come on the radar of a nation state that's consuming copper. So the reason you're being targeted can sometimes appear completely tangential to the business you're actually doing," Cripps said.
"That's the environment we're working in now. You could appear on someone else's radar as something coincidental to what you're actually doing and you don't know you've suddenly become a target."
"Even if we're 100 percent secure, someone in our supply chain might not be...we need oversight of those third parties, as well as the whole supply chain."
— David Cripps, CISO of Investec
Alternatively, the real target might be information for insider trading, or for a rival negotiating position.
"It could be a competitor who is bidding against us, so if they can understand our financial model, then they can undercut it. Or it could be that someone is going to be the ultimate end consumer of something you've invested in."
Old-school approaches still viable
Although the techniques involved can be advanced, Cripps says it's unwise to underestimate the effectiveness of primitive approaches.
"They have unlimited time and opportunity to try and access companies, so they're trying all sorts of techniques from social engineering to technical exploits to brute-forcing passwords. To be a defender against a wide variety of attackers or bad guys is a constant challenge," Cripps said.
"Interestingly, old-school stuff still works. We still get members of the public getting in contact with us on a daily basis saying, 'Have I really got an Uncle Tony who has just died and left me $15m?'," he said.
"I hate the term APT [advanced persistent threat]. APT has just been lumped in as a convenient tool to try and scare people. If members of the public still fall for 'Uncle Tony has left you $15m', why bother being sophisticated? Why bother using zero-day exploits when you can send them an email and they're prepared to send you money as a consequence?"
In fact Cripps thinks there is still too much fear, uncertainty and doubt (FUD) spread by security vendors to increase take-up of software and services.
"Stop using this fear to try and sell your products. The people you're trying to sell to are more aware than the people trying to do the selling. Don't try to scare me into doing something, because you've lost me straightaway," he said.
Turning to education for staff, Cripps points out it's not just about phishing but extends to people developing systems and websites.
"There's a level of naivety in some developers because they're not thinking, 'If someone was malicious, could they actually get in?'. A lot of people sit back and say, 'But why would someone do that?' It doesn't matter. If someone can do it, they will," Cripps said.
"A lot of the stuff we do inhouse is if we find a system vulnerability, it's not just to fix it. It's to go back and make the developers aware of where that vulnerability came in and how people would have taken advantage of that."
Addressing external threats is one thing but all the measures put in place internally through technology and staff education have to be extended to Investec's suppliers.
"Even if we're 100 percent secure, someone in our supply chain might not be. They have to do awareness training, they do vetting of their staff. They have to do all the technical controls we would expect of them and then we need oversight of those third parties, as well as the whole supply chain," said Cripps.
The fourth area after staff, crooks and the supply chain that Cripps has to worry about is legislation and regulation.
"Legislation is having a significant impact on how organisations operate. If you look at legislation coming down the line, the data protection act that's coming out of Europe has a 24-hour period to notify a data breach," he said.
"So how an organisation is going to detect and respond to a data breach to have enough information to be able to go back to the regulator within 24 hours is a significant driver on how regulated industries and people processing personal information are going to have to operate."
Cripps believes all those forces bearing down on security are inevitably broadening the CISO role.
"It touches on every aspect of how an organisation operates. When you're talking to vendors, when you're talking to regulators — they're starting to ask about information security. Customers want to know how you're going to protect their information. It hasn't become a business advantage yet but I think it's going to start to become one."
David Cripps was interviewed at a briefing on EMC's IT Trust Curve 2013 global infrastructure and security study.