Critical Manufacturing Cyber Security Defense Program – A Starting Look

Cyber security professionals  are often tasked with trying to defend more than they have the resources to defend. This is especially true in the area of Critical Manufacturing as there tends to be a strong desire to protect everything.  In many cases when we try to protect everything we end up protecting nothing.  A Cyber Security Defense Program (CSDP) needs to be very focused and strategically deployed to protect the systems and areas which need protected.

Critical Manufacturing as defined by the Department of Homeland Security(DHS) is primary metal, machinery, medical, electrical and transportation.   Primary metal is Iron, Steel, Aluminum non-Feros metals;  medical includes facilities and devices, machinery is engines, turbines and power transmission, within electrical is electrical equipment manufacturing, transportation is :  vehicle, aviation and aerospace parts and vehicle manufacturing and railroad rolling stock.   Products made by these are essential to critical infrastructure sectors. The Critical Manufacturing sector focuses identification, assessment, prioritization and protection of nationally significant manufacturing industries within the given sector that may be susceptible to manmade or natural disasters.  This area is one that is critically in need of a strong CSDP.   The discipline for CSDP must not be twisted to taint what should be a strategic approach to the industrial base (“Critical Capabilities At Risk,” 2009).

One critical component to the protection of a Critical Manufacturing environment is that of using next generation, aka smart, firewalls with intrusion prevention and with some form  of malware  prevention and detection, updated via global feeds, enabled. This firewall environment should be set up in such a way as to segment the Critical Manufacturing infrastructure. Each individual plant or factory within the Critical Manufacturing environment should be on their own local area network (LAN) segment. A very basic way of thinking about this is captured in Figure 1 below.

Manufacturing Network Segmentation

Figure 1

Because of the method in which business decisions are made for factory systems it is critical that organizations involved in Critical Manufacturing use strongly firewalled network segmentation methods to ensure that each of their factory sites sit behind their own firewalls and on their own network segment (DHS, 2009).  This allows better control of the environment and enables the isolation of one factory without impacting the rest of the factories owned by the organization.  In this way if one factory is compromised by a hacker or group of hackers it can be removed and isolated from the organization’s global IT infrastructure.  Network segmentation, also called Network Control (NC) is a primary bastion for a defense in depth strategy and it can also be used to help prevent a blackhat from pivoting from a relatively unsecure factory system to a core business system.  Combining an Intrusion Prevention Appliance (IPS) or functionality with the firewall inside of a network segment provides a strong front line of perimeter defense for factories involved in Critical Manufacturing.  These IPS’ do not have to be overly tweaked and analyzed to be effective, running them in default signature mode is an adequate layer of defense for the network segment protecting and controlling a factory environment (DHS, 2009).

Posted in Critical Manufacturing Cyber Security, Uncategorized | Tagged , , , , , , , , , , | Leave a comment

Cyber Security – A basic look at Defense in Depth

A basic somewhat quirky and fun look at Defense in Depth.

 

Posted in Uncategorized | Tagged , , , , , , , , , | Leave a comment

The Highest Risk Ever….. Not!

 

BlogWordleI just received one of my daily news reports about Cyber Security and it said something to the effect of such and such a Research group has found out that Application Security holes are at highest numbers ever and this number is expected to increase even further in 2016!  Companies really need to focus on fixing the risk incurred by these applications.  I thought, “Wow, Really”?  I mean yet another highest number, highest risk, most vulnerable, more danger than ever before message.  What a surprise it was to get yet another news feed about a Cyber Security vulnerability being the worst ever.  (that last sentence is dripping with sarcasm – just in case you couldn’t tell).   I really just want to shout and scream out that No It Isn’t the highest total ever!  None of these items being touted as worst ever are really the worst ever.  The simple reality is that we are still in our relative infancy when it comes to Cyber Security as a profession and as something to write about.  Being in our infancy means that we are still finding lots of this things that we couldn’t find before.

None of these vulnerabilities appeared overnight.  The vulnerabilities that we are now finding and that are generating these, at times horrific, Blog- Overnightreports about numbers of vulnerabilities have always been there.  Not only have these vulnerabilities been there but here is a secret I will let you in on – there are many more that we still haven’t discovered!  Companies, researchers, etc. now have the proper tools to discover concerning Cyber Security  vulnerabilities in large numbers.  These are items that in the past no one knew about even though they were there.  As more and better tools come out we will find even more of the worst vulnerabilities ever.

Vulnerable OS, vulnerable Webpages, vulnerable coding, vulnerable hardware or firmware,  these items have been around for decades and will remain around.  So while it is great that we can now find these and do something about fixing and remediation of these vulnerabilities they aren’t new.  Maybe newly discovered or newly recognized but they have always been there.   

Why am I going on about something that is basically hype, and in some ways good in that it publicizes exposure to these items so that Cyber Security professionals can use them to raise awareness, funding and support for remediation?  Because of the way the reports and news articles are written.  In too many cases these articles raise awareness and hype of issues that are much lower risk than the ones the organization’s Information Security team are already working on.  I have sat in many meetings where executive management has looked at the Chief Information Security Officer (CISO) and said “I know your team is really busy remediating core vulnerabilities across our Financial landscape but I read something yesterday about mobile devices being very vulnerable and I think we need to re-focus our resources….  the article really made this mobile risk sound like the most dangerous thing ever.”  

Don’t get me wrong,  I appreciate the awareness being generated but …. the WORST EVER …. no in most cases it really isn’t.  There are lots of Cyber Security items just as bad or worse that most organizations need to fix and the decision on where the highest Information Security risk sits inside of the company should not be decided by reporters and vendors but should rest on the shoulders of the CISO and the experts they have hired to analyze and determine what risk items need immediate attention.

 

Posted in Uncategorized | Tagged , , , , , , | Leave a comment

A Note I Wrote to Someone Who Once Worked for Me

I recently had the honor to help provide a strong reference for a person who worked for me as a Cyber Analyst.  She got the Senior position she was going for but was just a little worried about what they should do in order to lead a team and be a good leader.  Here is what I related to this extremely competent future Cybersecurity leader.

Hi:

First and foremost – you are going to do great in your new role. I encourage you to model your leadership style after the following rule(s):

Use the leadership model of:
Am I doing the right thing
Am I doing it for the right reason
Am I doing it at the right time
Am I doing it in the right way

This is on the back of the Challenge Coin I had made up for our UC team.

Always act with Integrity and walk your talk. You don’t always need to be right but you always need to be honest with the people you lead.

Remember that “We are smarter than Me” and foster healthy discussion and debate on topics. Try to pull ideas and suggestions from those you lead who are more on the quiet side. Don’t let aggressive Type A personalities (like me) dominate the conversation.

When coming out of a meeting get your team members used to doing a 5 minute feedback session (what did we do right, wrong, what should we (or I) have done differently, etc. Remember – Feedback is a gift.

Training of your people needs to be a priority and always remember to help others be Greater Than Yourself. There is enough success out there for everyone, help grow your people so that they can be your boss some day and if that did happen they would be a good boss to work for.

Don’t hesitate to email if you have specific questions. Have confidence, breath deep and believe in yourself – you got this!

Posted in Uncategorized | Tagged , , , , , , , | Leave a comment

CIsO or ciSo?

In some big companies it does make sense to have a polished CISO who is responsible for working both the Boardroom and the IT Executive management group. In those cases a strong security focused Deputy CISO should be considered for the heavy Security lifting that is also required. As a CIO friend of mine told me recently both of those skills is very hard to find in a single person.

My primary concern is for mid-range and smaller companies that want a CISO and are unsure of what skill set is most needed on the part of their CISO to fight organized crime, unscrupulous competitors or nation state actors. I believe that they are making a mistake with some current hires I have observed.

A somewhat scary trend that I am starting to see is now that CISO salaries are going up companies are putting Deputy or Associate CIO’s in those positions. This makes sense if we consider human nature as the CIO’s seem to be more comfortable with someone who is not “such a security guy or girl” talking to Executive Management.

Of course this approach continues to severely downplay the S (Security) component of the CISO role and is yet another path which, IMO, will lead to failure in the fight against Cyber Criminals. In many cases we need to move to having a ciSo instead of CIsO (a catch-phrase I am trying to get to catch on) and remember that it takes trained and experienced security professionals to fight organized crime, unscrupulous competitors and nation state actors. In my opinion the S in the ciSo title needs to carry the most weight for the majority of companies in their fight against cyber crime.

Posted in Uncategorized | Leave a comment

Your Horse Was Analog

Your Horse Was Analog

Kevin L. McLaughlin

A  speech I made to 350+ people at the Michigan joint Military Ball.  Amway Grand Plaza Hotel.

Like my tie? My wife didn’t – gave me a lot of grief before we left the house,  you know how difficult things can be when your significant other doesn’t approve of your choice in clothing.

Well you see this tie has snoopy, the moon, the space shuttle and Apollo craft on it and it was given to me by Fred Hayes, yes the Apollo 13 Fred Hayes , yes astronauts are pretty neat people,  anyways Fred gave this to me when we were working on a project together and he told me that whenever I wore this tie I could look down at the pictures and that no matter what I do in the life I should remember that if we put a man on the moon we can do anything as a country.

…. as a country we can do anything,  even figure out how to defeat this cyber threat.

I want to change that thought just a little bit because I know what type of people went to and walked on the moon –  as a whole the U.S. Military and its veterans can do anything   make no mistake we are under attack, not by conventional weapon systems like guns and missiles but by cyber warriors utilizing digital attack vectors.

My speech tonight will be about trust and how it will help us win our cyber battle.  But, before I start I would like to do a shameless plug for the Whirlpool Veterans Association, who mentors soldiers transitioning to the private sector and with multiple outreach programs – I am sure many of the companies you work for have similar programs and a big thank you to those as well.

Trust and authority will be tonight’s theme. A lot of Information Security Professionals left Home Depot after years of not having their voices heard and repeatedly being over-ridden about whether a system could be touched or not.  Many Board of Directors are asking how to fix the cyber issue  –  a lot of the CIO’s and some of the CISO’s when asked that question are taking a passive posture of saying that their job is to make them aware of the risk versus telling them what to do.  In my opinion that is not the right answer… the people who are trained in cyber defense need to drive answers and solutions not just show risks

I will admit though that this morning while I was working out I had a big moment of angst,  you see I am an expert in this field and I can have an opinion and if I get it wrong a company will lose money but you know – if you get it wrong  lives will be lost and in the worst case our Homeland can fall.  Even with that – tonight you will hear what I feel we need to do in order to start winning the cyber battle.  We got our butts kicked by the bad guys in 2014 and it was a loud wake up call to anyone paying attention that what we have been doing is not the answer.

The general theme throughout my speech tonight will be one of trust. High performing teams consist of players that trust each other and who understand that each of the team members has an area that they are the expert in.  We cannot continue to ignore or muffle the voices of our highly trained and skilled cyber defenders and expect to be successful in our cyber defense efforts.

One of the first things we need to understand is that there is always in existance a large understanding gap.  I got my first taste of this type of understanding gap when I returned from Basic Training and I was talking to my Grandpa.  He asked me where I was stationed and I said Fort Bliss Texas,  he asked me what units were stationed there and I said the 3rd Cavalry. He got excited and we started talking;  about 5 minutes into the conversation it dawned on me that he was talking horses and I was talking tanks.  He was talking analog.

You see, we continue to increase our combat effectiveness by implementing new tools and technologies the majority of which are not analog, but are instead digital.  Digital means that they present entirely different attack vectors and will require us to have an entirely different level of trust in the expertise of the cyber defenders we put in place.  We must protect our digital assets.

The current generation of service men and woman are some of the first who have known nothing but digital tools.

(I left out this next part due to time constraints)

[Did anyone see the movie BattleShip? It’s a bit of a cheesy movie but there is a part in it where the modern digital destroyer gets blown up and the only available ship to fight the aliens was a WW II BattleShip,  they are working to try and figure out how to use the ship and the Chief looks at the Ensign and says “sir, this old thing is completely analog, it will take us years of reading the manuals to learn how to float and fight it”.  All of a sudden a long line of navy veterans come walking up and they are able to work side by side to show the team how to run and fight the ship –  think about this – in another 10 to 15 years people who understand analog are not going to be around to help us out.  ]

I continued my speech here —    I have to wonder how many of these digital troops would use a smartphone or GPS, even if disallowed in the mission parameters,  if they get lost during training?  I’m not disparaging anyone, I just realize how very hard it would be for any level of team leader to stop themselves from using an alternative before calling into command and telling someone that they were lost.  We all know how difficult that radio call would be to make.

What is scary is that if these digital devices were suddenly taken away our combat effectiveness would be greatly impacted – maybe by 90% or greater.  Ok,  each of your digital devices, smartphones, etc. have just been reset to 0:00 – how many of you can tell me what time it is?  Show of hands  {note – out of 350+ people in attendance only 2-3 raised their hands} wow, that was actually far worse than I expected it was going to be.

Having these digital items give us a significant advantage but also put us at risk if we don’t adequately protect them from cyber attack.  Tanks, Planes and ships will not operate if their computer systems are taken off-line.  Year after year we see annual reports that tell us  that our military systems are in no better shape than private sector systems are and our military IT staff feels the same pressures to get systems in place quickly rather than securely – we must be better than that. {looked down at tie and lifted it up}  We can do anything….

Most of us Cybersecurity professionals (risk professionals, assurance, etc. ) are very passionate about what we do – I personally spend upwards of 30-40 extra hours each week staying current, learning, wargaming, gathering intelligence, figuring out business enabling security strategies, and more.

How many of you in this room (Cybersecurity men and women you are not allowed to answer) can say you spend that much time studying and focusing on cybersecurity? How many of you even spend 2 hours per week?  Of course you don’t spend time studying Cybersecurity nor should you – that’s why you put cyber security professionals on your team.

Then why is it that across Corporate America, and I can only imagine it is a bit worse in the military, is it so hard to build trust between the Cyber defenders and the management community of the organization?  I know some of you are sitting out there thinking -What’s this guy talking about – I trust my Cybersecurity person.  Do you?  Do you really?

Think about this … you are the Colonel in charge of finance imagine an E6 Cyber defender walking into your office at month end closure and telling you that he has to take one of your business critical system off-line immediately for security patching as it is critically exposed and can be very easily compromised which could put the rest of our infrastructure at risk. He then tells you that the outage may last 8 to 10 hours.    Well, after 17 years experience as a security professional in Corporate America I can tell you that this request would be met with a lot of resistance and most likely the Cyber Defender will be told to wait for a day or two to do the patching.   Often times that directive will come with a comment about “you security guys and girls don’t really understand the business and tend to over-react”….

Hmmm…  I can only imagine similar conversations happening inside of Target, HomeDepot, Sony, Subway, Dairy Queen, Sigh, I’m not going to name them all – but like I said earlier we really got our butts kicked in 2014.  2015 continues the theme with the Anthem breach – a breach which directly impacts each one of you the Feds feel China committed the breach to continue their mission of gathering the personal data of our active and former military and their dependents.  We don’t know what they want the data for but it is obvious that they want it

Trust,  Target has a 148 million reasons – those are dollars by the way – plus open lawsuits, HomeDepot has 120 million reasons and Sony has 1 billion reasons, to implement a Cyber Defender authority policy.   1 billion?  how many of you work for companies that would even be able to survive a 1 billion dollar loss? I imagine if I lost a billion dollars for a company I’d be out on the street. and luckily for us we are starting to see Board Chairman, CEOs and CIOs resigning due to allowing a security breach to occur on their watch. Why is that lucky?  because it might raise the awareness we need to help fix this issue.

A base level of trust needs to be in place that makes it so that is assumed your cyber defender, who also is part of your profit sharing plan and wants the company to make money or who is a strong patriot and wants our tanks to run or planes to fly,  is not going to willy-nilly.  I just wanted to say willy-nilly in a formal speech,  is not going to willy-nilly take systems off-line and that when they say a system really needs to be fixed immediately they need to be granted the authority, we already give them the responsibility and career risk when a breach occurs,  now let’s give them the authority they need to protect the organization,  even if there is a small short term negative profit impact – wow that is hard to say but I bet if we asked Target, HomeDepot, Sony, Anthem, you get the idea if they could go back in time and accept a $5,000.00 profit hit in order to take a system off-line and patch it instead the breach they would all say yes.

For you the risk of allowing the E7, E8, Lt. Captain, Major, etcetera, I’d try to go on but I’ve been out of the military for a loooong time and would most likely get the other command ranks wrong…   to trump the cyber defender may just result in a significant loss to both your combat effectiveness and your ability to defend our country.

Trust,  trust the cyber defense experts that we are graduating from our military schools to both understand the business and to effectively assess the risk and make the call on fixing open and exploitable channels of attack.  While the department heads and commanders should still have the final say an answer of “don’t touch this system” or an answer of “you are over-reacting to this threat  – yet how would they even have the expertise to make that judgment?  should be the rare exception and not the norm.       – Trust and authority-   we can win this cyber war and defend our systems against the cyber threat.

Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment

I just read an article on LinkedIn about the negative impact caused by the recent Home Depot breach. Here are my thoughts about how all the 2014 breaches should change some C level and Information Security paradigms. These could cause a major C suite thought shift and maybe even a large paradigm thought shift in how our profession thinks about the skills and talents really needed by Information Security professionals.

Note – I know this opinion will not resonate well with some CISO’s – Major IT departments continue to hire CISO’s that have little to no security background. Hackers and blackhats are associated with organized crime and IMO until we put more of an emphasis on the word SECURITY in the CISO title and until CISOs stop walking a tightrope by always trying to compromise and keep the business happy by letting the business need trump the security need (“ok, don’t patch that extremely vulnerable system I understand your business need not to” ) the crooks will continue to win.

Also, it appears that too many companies are basing their CISO hiring decisions on the candidate’s business acumen. Wouldn’t it be better to focus on how well the candidate knows how to fight and deter criminals?
I’m not saying CISO’s don’t need to understand the business I am saying that a stronger focus should be on how much the CISO knows about criminals and crime fighting. I also realize that thought would take a major paradigm shift in the thinking of the C suite.

Posted on by mclaukl | Leave a comment

The Insider Threat is Alive and Well – a summary taken directly from Raytheon’s How to Build an Insider Threat Program (2014) …

Aspects of human nature further complicate matters: Well-intended managers resist any notions of “their people” doing “bad things.” They screened them. They hired them. They work with them side-by-side and – if they’re good bosses – have developed a genuine interest in their career development and even personal happiness. In addition, one of the most critical elements in building a high performing team is trust, so anything thaWhite Hatt can have a negative impact on that trust needs to be very carefully analyzed and explained before being implemented.  This disposition is not about being gullible, we all have white hat syndrome at times. It’s about being a helpful manager – and a decent person.

But it would be imprudent to completely abandon a sense of cautionary oversight, as there has been a steady flow of news reports about insiders doing harm to their organizations. They range from probably the most notorious of incidents – Edward Snowden’s carefully plotted leaking of sensitive NSA documents after downloading 1.7 million files – to possibly the funniest (except for the company in question): A software developer for a U.S. critical-infrastructure company literally outsourced his job by sending his log-in credentials to a Chinese contractor, so he could get paid six figures to surf Reddit, post Facebook updates, shop on eBay and watch cat videos all day2.  While the latter anecdote has generated considerable amusement, it underscores the reality that internal threats pose serious risks: 53% of organizations have experienced an insider cybercrime incident, according to the 2013 U.S. State of Cybercrime Survey from the CERT Insider Threat Center at the Carnegie Mellon University.  So who are the users who pose threats? In all cases, they have authorized access to the network and their co-workers and managers are usually shocked that they would do such a thing.  Clearly, tech departments need the support of their leadership to do what plant managers and foremen did in the 1950s: Watch. Audit. Intervene. Prevent.

Regardless of the user’s full time or contractual status, you want to look for classic “tip-off” behaviors which can lead to trouble, e.g. the clear taking of proprietary information NinjaHackerwithout need or approval; expressing increased interest in matters unrelated to defined duties; and connecting to the network remotely from unusual places at unusual times, having access to machines that they really don’t need access to, constantly seeking for elevated privileges, to list a few examples from the FBI profiling studies.  Without a program in place to stop these individuals, organizations stand to lose an estimated $412,000 on average per incident.

In many organizations, a “we trust everyone to do the right thing” mindset too often prevails, and data points abound, such as 50% of employees who leave a company admitting to taking proprietary data,  to show why this is highly questionable logic.

Another issue is with internal rule benders who conclude that the added layer of protections are either unnecessary and/or overly alarmist and/or present too many inconveniences for them to deal with. They consider themselves and their work as above it all, and decide on their own as to when to follow security protocols – and when to circumvent them. As they grow more comfortable with the latter, they choose it as their “default” setting, doing things such as sending proprietary information outside the company “walls” without encryption, logging onto systems that they should not have access to, elevating other person’s access rights because security doesn’t understand the person’s real need, etc.  They love external drives and USB sticks, because these tools make it nearly impossible to distinguish risky behavior from harmless, work-related shortcuts. In fact according to a recent survey conducted by Voltage Security 50% of network users admitted to having bypassed security controls to complete a task more quickly and easily. Internal Rule Benders make up 15% of treat actors who have caused or committed a breach of their organizations’ data.  Senior executives are disinclined to acknowledge that the worst is, indeed, possible: “We trust the people we hire” and they perform a valuable role. We do not want to promote a culture of suspicion.  These Senior executives need to realize that Trust but Verify is a good mantra for them to start living by.

oopsIt’s too difficult. It’s too costly. There’s no imminent crisis. “Status quo”                                  is working out just fine. Then like, Target, Home Depot and many others they                      find out that it’s not, after it’s too late. 

On our team how can we implement items that allow us to do the following?

  • CERT’s “Common Sense Guide to Mitigating Insider Threats” has emerged as an industry standard for program implementation. Among its recommended actions:
    • Launching a security information and event management (SIEM) system to log, monitor and audit user activity.
    • Detecting activities outside the users’ normal scope of duties via phone/network logs, etc.
    • Regularly reviewing accounts to verify that all are still active and necessary.
    • Ongoing auditing of user accounts created and passwords provided.
    • Requiring all system administrators to change passwords when a fellow administrator leaves his or her job.*
    • Monitoring and controlling remote access from all end points, including mobile devices.
    • Incorporating threat awareness/prevention policies into comprehensive termination policies.
    • Developing a baseline of “normal” network device behaviors.
    • Inventorying IT assets and routinely assessing their present-day role and relevancy.

Remember:

If you don’t go looking for trouble you will never find it.  

But, Trouble will find you / your Organization

How do we get back to this future in a technological workplace?

In the classic factory of the 1950s, managers strolled from their offices on a floor that towered over plant activity, closely observing whether shift crews below were doing what they were supposed to do. Because employees knew the eyes of a supervisor may be upon them at any time, they were less inclined to cheat the system – such as slipping any of the company’s property or product into their pockets, or sabotaging a machine out of spite. Thus, the business was protected. And what was good for the business was good for everyone involved: the bosses, the investors and, yes, the workers.  Said another way, it is good for business and for organizations to keep one rotten apple from spoiling the bunch.

factory

Posted in Uncategorized | Tagged , , , , , , , , , , , , , | Leave a comment

Just a Random Thought After an Information Technology (IT) Meeting

It is not the job of IT operational support staff to eliminate 100% of failures across the corporate infrastructure. (cost would be too high) It is ITs job to manage failures so that they stay within the levels of operation the business has determined as acceptable.  – Kevin McLaughlin

Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment

A day in the life of a senior Cyber Security Incident Responder

 

The day was proving to be an exciting one for team Havoc, the Company’s cyber Red Team, as the L2 report he had just read showed that 4 of the core company servers were vulnerable to a very common exploit.  Glacier, the Red Team leader, was evaluating the report and figuring out how he was going to communicate this to the Global IT leaders.  It was important to not just inform IT of the vulnerability, but to have recommended solution sets to present that were reasonable and that would allow them to be able to
remediate the vulnerabilities.  Glacier was on his second read through of the report whencyber hacker he noticed a section that mentioned end user data on the systems being encrypted.

“Hey Hammerhead come over here.” Hammerhead is the teams best Wintel expert. “What’s up?” “Take a look at these systems and check out what is happening with the data on the shared drive.  I’m thinking we’ve already been hacked and have a serious issue here.  What do you think?” “Oh man Glacier, it looks like we have an active ransomware attack, maybe using something like Cryptowall. ”

Glacier immediately contacts NightShade, the Cyber Incident Response Team (CIRT) coordinator and asks her to get the team assembled.

While the above scenario does happen more often than we would like it to, thankfully it is not an everyday occurrence.  Most days consist of conducting risk assessments on malware and zero-day events, investigating abnormal system behavior, and investigating employee or corporate security reports of suspicious activity. Each of these events has to be analyzed and assessed quickly, all the while knowing that each of the actions decided upon will be second guessed by arm chair quarterbacks across corporate IT leadership.  Let’s say the Incident Response (IR) team makes a decision to patch systems based on their initial intelligence gathering and risk analysis. If any of these systems have a production failure due to the patch, pushback from IT immediately begins and argument over the need and criticality of the patch ensues. Even when the actions taken, such as having corporate executives change their passwords, are less impactful to productivity than leaving a Second Guessingbuilding due to a fire alarm, second guessing by business leaders is inevitable. Even though the IR team’s decisions are rooted in cyber intelligence followed by an appropriate risk analysis, they are frequently told they are overreacting.

The business and IT leaders who do this second guessing often ask that in the future when these decisions are made they be made by group consensus.  This thinking shows a complete lack of understanding on how fast cyber-attacks can move.  For example:  When the blaster worm came out as a zero day event it took down Fortune 500 companies around the globe in less than 15 minutes. The other issue with this type of reasoning is that these business and IT resources, while highly intelligent, have limited knowledge of cyber security and what it takes to prevent or quickly remediate data breaches. This fact has been made obvious by the long line of large data breaches all in companies that had limited Cyber Security resources or that did not listen to the ones they did have.

The same business and IT leaders who are doing the second guessing of Cyber Security professionals most likely read the first paragraph of this paper with thoughts that it is silly and bizarre for Cyber Security IR teams to use nicknames.  Experienced IR professionals understand that hackers and fraudsters are highly intelligent and capable of conducting social engineering research to find the names of IR members so they can track those names on chats and systems in an effort to disrupt response capabilities.  In the past, law enforcement professionals have had the bad guys call police stations pretending to be a hospital where their wife or husband had just arrived after being in a car accident. it is very possible that cyber attackers would try some of the same tactics to disrupt IR response capabilities.  There are many IR teams that only have one UNIX or one Wintel resource and having them not engaged would cause a large negative impact to team operations.  So, not only should IR teams use nicknames but these nicknames should also be treated as restricted data.

So, after that interlude, let’s get back to a day in the life of a senior IR professional.   As with most jobs, coffee is the beginning of the day. While drinking their coffee, the IR professional reviews a variety of Cyber Intelligence sources to determine potential impact to the current employer.  On some days this leads into the intelligence gathering and risk analysis work discussed above, on other days it leads to a check through emails to make sure that the Level 1 (L1) or Level 2 (L2) Security Operations Center (SOC) did not have any urgent findings for immediate handling.  If there are no urgent needs in email, then a variety of L1 and L2 SOC reports are reviewed and analyzed and items of interest are followed up on as needed.  Being a student of Stephen Covey’s 7 habits and the Corporate Athlete methods, lunch is something lite and is followed by a walk or quick work out.  After lunch, the senior IR professional performs a quick check-in with each of the team members to see what items they are working on and to make sure that moral is high. This is followed by another quick email review to make sure nothing urgent has come in from Corporate Security, the company’s See Something – Say Something campaign, or either of the SOCs.   Assuming nothing needing attention has come in, the IR professional brings up the SIEM dashboard to conduct a Quality check of the work being done by the L1 and L2.  This often leads to some phone calls or a meeting with their team leaders to reinforce Standard Operating Procedure (SOP) items that are not being correctly followed.  The end of the day usually consists of going through all the emails that have had to sit while the daily tasks were completed.

Posted in Uncategorized | Tagged , , , , , , , , , | Leave a comment