The Highest Risk Ever….. Not!


I just received one of my daily news reports about Cyber Security and it said something to the effect of such and such a Research group has found out that Application Security holes are at the highest numbers ever and this number is expected to increase even further in 2016! Companies really need to focus on fixing the risk incurred by these applications. I thought, “Wow, really?” I mean yet another highest number, highest risk, most vulnerable, more danger than ever before message. What a surprise it was to get yet another news feed about a Cyber Security vulnerability being the worst ever. (That last sentence is dripping with sarcasm – just in case you couldn’t tell.) I really just want to shout and scream out that No, It Isn’t the highest total ever! None of these items being touted as worst ever are really the worst ever. The simple reality is that we are still in our relative infancy when it comes to Cyber Security as a profession and as something to write about. Being in our infancy means that we are still finding lots of these things that we couldn’t find before.

None of these vulnerabilities appeared overnight. The vulnerabilities that we are now finding and that are generating these, at times horrific, reports about numbers of vulnerabilities have always been there. Not only have these vulnerabilities been there but here is a secret I will let you in on – there are many more that we still haven’t discovered! Companies, researchers, etc. now have the proper tools to discover concerning Cyber Security vulnerabilities in large numbers. These are items that in the past no one knew about even though they were there. As more and better tools come out we will find even more of the worst vulnerabilities ever.

Vulnerable OS, vulnerable Webpages, vulnerable coding, vulnerable hardware or firmware: these items have been around for decades and will remain around. So while it is great that we can now find these and do something about fixing and remediating these vulnerabilities, they aren’t new. Maybe newly discovered or newly recognized, but they have always been there.

Why am I going on about something that is basically hype, and in some ways good in that it publicizes exposure to these items so that Cyber Security professionals can use them to raise awareness, funding and support for remediation? Because of the way the reports and news articles are written. In too many cases these articles raise awareness and hype of issues that are much lower risk than the ones the organization’s Information Security team is already working on. I have sat in many meetings where executive management has looked at the Chief Information Security Officer (CISO) and said “I know your team is really busy remediating core vulnerabilities across our Financial landscape but I read something yesterday about mobile devices being very vulnerable and I think we need to re-focus our resources…. the article really made this mobile risk sound like the most dangerous thing ever.”

Don’t get me wrong, I appreciate the awareness being generated but …. the WORST EVER …. no, in most cases it really isn’t. There are lots of Cyber Security items just as bad or worse that most organizations need to fix, and the decision on where the highest Information Security risk sits inside of the company should not be decided by reporters and vendors but should rest on the shoulders of the CISO and the experts they have hired to analyze and determine what risk items need immediate attention.



A Note I Wrote to Someone Who Once Worked for Me

I recently had the honor to help provide a strong reference for a person who worked for me as a Cyber Analyst. She got the Senior position she was going for but was just a little worried about what she should do in order to lead a team and be a good leader. Here is what I related to this extremely competent future Cybersecurity leader.


First and foremost – you are going to do great in your new role. I encourage you to model your leadership style after the following rule(s):

Use the leadership model of:
Am I doing the right thing
Am I doing it for the right reason
Am I doing it at the right time
Am I doing it in the right way

This is on the back of the Challenge Coin I had made up for our UC team.

Always act with Integrity and walk your talk. You don’t always need to be right but you always need to be honest with the people you lead.

Remember that “We are smarter than Me” and foster healthy discussion and debate on topics. Try to pull ideas and suggestions from those you lead who are more on the quiet side. Don’t let aggressive Type A personalities (like me) dominate the conversation.

When coming out of a meeting, get your team members used to doing a 5 minute feedback session (what did we do right, wrong, what should we (or I) have done differently, etc.). Remember – Feedback is a gift.

Training of your people needs to be a priority and always remember to help others be Greater Than Yourself. There is enough success out there for everyone, help grow your people so that they can be your boss some day and if that did happen they would be a good boss to work for.

Don’t hesitate to email if you have specific questions. Have confidence, breathe deep and believe in yourself – you got this!


CIsO or ciSo?

In some big companies it does make sense to have a polished CISO who is responsible for working both the Boardroom and the IT Executive management group. In those cases a strong security focused Deputy CISO should be considered for the heavy Security lifting that is also required. As a CIO friend of mine told me recently, both of those skills are very hard to find in a single person.

My primary concern is for mid-range and smaller companies that want a CISO and are unsure of what skill set is most needed on the part of their CISO to fight organized crime, unscrupulous competitors or nation state actors. I believe that they are making a mistake with some current hires I have observed.

A somewhat scary trend that I am starting to see is that now that CISO salaries are going up, companies are putting Deputy or Associate CIOs in those positions. This makes sense if we consider human nature, as the CIOs seem to be more comfortable with someone who is not “such a security guy or girl” talking to Executive Management.

Of course this approach continues to severely downplay the S (Security) component of the CISO role and is yet another path which, IMO, will lead to failure in the fight against Cyber Criminals. In many cases we need to move to having a ciSo instead of CIsO (a catch-phrase I am trying to get to catch on) and remember that it takes trained and experienced security professionals to fight organized crime, unscrupulous competitors and nation state actors. In my opinion the S in the ciSo title needs to carry the most weight for the majority of companies in their fight against cyber crime.


Your Horse Was Analog


Kevin L. McLaughlin

A speech I made to 350+ people at the Michigan joint Military Ball, Amway Grand Plaza Hotel.

Like my tie? My wife didn’t – gave me a lot of grief before we left the house. You know how difficult things can be when your significant other doesn’t approve of your choice in clothing.

Well you see, this tie has Snoopy, the moon, the space shuttle and the Apollo craft on it, and it was given to me by Fred Haise, yes the Apollo 13 Fred Haise, yes astronauts are pretty neat people. Anyways, Fred gave this to me when we were working on a project together and he told me that whenever I wore this tie I could look down at the pictures and that no matter what I do in life I should remember that if we put a man on the moon we can do anything as a country.

…. as a country we can do anything,  even figure out how to defeat this cyber threat.

I want to change that thought just a little bit because I know what type of people went to and walked on the moon – as a whole the U.S. Military and its veterans can do anything. Make no mistake, we are under attack, not by conventional weapon systems like guns and missiles but by cyber warriors utilizing digital attack vectors.

My speech tonight will be about trust and how it will help us win our cyber battle.  But, before I start I would like to do a shameless plug for the Whirlpool Veterans Association, who mentors soldiers transitioning to the private sector and with multiple outreach programs – I am sure many of the companies you work for have similar programs and a big thank you to those as well.

Trust and authority will be tonight’s theme. A lot of Information Security Professionals left Home Depot after years of not having their voices heard and repeatedly being over-ridden about whether a system could be touched or not. Many Boards of Directors are asking how to fix the cyber issue – a lot of the CIOs and some of the CISOs, when asked that question, are taking a passive posture of saying that their job is to make them aware of the risk versus telling them what to do. In my opinion that is not the right answer… the people who are trained in cyber defense need to drive answers and solutions, not just show risks.

I will admit though that this morning while I was working out I had a big moment of angst. You see, I am an expert in this field and I can have an opinion, and if I get it wrong a company will lose money, but you know – if you get it wrong, lives will be lost and in the worst case our Homeland can fall. Even with that – tonight you will hear what I feel we need to do in order to start winning the cyber battle. We got our butts kicked by the bad guys in 2014 and it was a loud wake up call to anyone paying attention that what we have been doing is not the answer.

The general theme throughout my speech tonight will be one of trust. High performing teams consist of players that trust each other and who understand that each of the team members has an area that they are the expert in.  We cannot continue to ignore or muffle the voices of our highly trained and skilled cyber defenders and expect to be successful in our cyber defense efforts.

One of the first things we need to understand is that there is always in existence a large understanding gap. I got my first taste of this type of understanding gap when I returned from Basic Training and I was talking to my Grandpa. He asked me where I was stationed and I said Fort Bliss, Texas. He asked me what units were stationed there and I said the 3rd Cavalry. He got excited and we started talking; about 5 minutes into the conversation it dawned on me that he was talking horses and I was talking tanks. He was talking analog.

You see, we continue to increase our combat effectiveness by implementing new tools and technologies the majority of which are not analog, but are instead digital.  Digital means that they present entirely different attack vectors and will require us to have an entirely different level of trust in the expertise of the cyber defenders we put in place.  We must protect our digital assets.

The current generation of service men and women are some of the first who have known nothing but digital tools.

(I left out this next part due to time constraints)

[Did anyone see the movie Battleship? It’s a bit of a cheesy movie but there is a part in it where the modern digital destroyer gets blown up and the only available ship to fight the aliens is a WW II battleship. They are working to try and figure out how to use the ship and the Chief looks at the Ensign and says “sir, this old thing is completely analog, it will take us years of reading the manuals to learn how to float and fight it”. All of a sudden a long line of navy veterans come walking up and they are able to work side by side to show the team how to run and fight the ship – think about this – in another 10 to 15 years people who understand analog are not going to be around to help us out.]

I continued my speech here — I have to wonder how many of these digital troops would use a smartphone or GPS, even if disallowed in the mission parameters, if they get lost during training? I’m not disparaging anyone, I just realize how very hard it would be for any level of team leader to stop themselves from using an alternative before calling into command and telling someone that they were lost. We all know how difficult that radio call would be to make.

What is scary is that if these digital devices were suddenly taken away our combat effectiveness would be greatly impacted – maybe by 90% or greater. Ok, each of your digital devices, smartphones, etc. has just been reset to 0:00 – how many of you can tell me what time it is? Show of hands. {note – out of 350+ people in attendance only 2-3 raised their hands} Wow, that was actually far worse than I expected it was going to be.

Having these digital items gives us a significant advantage but also puts us at risk if we don’t adequately protect them from cyber attack. Tanks, planes and ships will not operate if their computer systems are taken off-line. Year after year we see annual reports that tell us that our military systems are in no better shape than private sector systems are, and our military IT staff feels the same pressures to get systems in place quickly rather than securely – we must be better than that. {looked down at tie and lifted it up} We can do anything….

Most of us Cybersecurity professionals (risk professionals, assurance, etc. ) are very passionate about what we do – I personally spend upwards of 30-40 extra hours each week staying current, learning, wargaming, gathering intelligence, figuring out business enabling security strategies, and more.

How many of you in this room (Cybersecurity men and women you are not allowed to answer) can say you spend that much time studying and focusing on cybersecurity? How many of you even spend 2 hours per week?  Of course you don’t spend time studying Cybersecurity nor should you – that’s why you put cyber security professionals on your team.

Then why is it that across Corporate America, and I can only imagine it is a bit worse in the military, it is so hard to build trust between the Cyber defenders and the management community of the organization? I know some of you are sitting out there thinking – What’s this guy talking about – I trust my Cybersecurity person. Do you? Do you really?

Think about this … you are the Colonel in charge of finance. Imagine an E6 Cyber defender walking into your office at month end closure and telling you that he has to take one of your business critical systems off-line immediately for security patching, as it is critically exposed and can be very easily compromised, which could put the rest of our infrastructure at risk. He then tells you that the outage may last 8 to 10 hours. Well, after 17 years’ experience as a security professional in Corporate America I can tell you that this request would be met with a lot of resistance and most likely the Cyber Defender will be told to wait for a day or two to do the patching. Often times that directive will come with a comment about “you security guys and girls don’t really understand the business and tend to over-react”….

Hmmm… I can only imagine similar conversations happening inside of Target, Home Depot, Sony, Subway, Dairy Queen… sigh, I’m not going to name them all – but like I said earlier we really got our butts kicked in 2014. 2015 continues the theme with the Anthem breach – a breach which directly impacts each one of you. The Feds feel China committed the breach to continue their mission of gathering the personal data of our active and former military and their dependents. We don’t know what they want the data for but it is obvious that they want it.

Trust. Target has 148 million reasons – those are dollars by the way – plus open lawsuits, Home Depot has 120 million reasons and Sony has 1 billion reasons, to implement a Cyber Defender authority policy. 1 billion? How many of you work for companies that would even be able to survive a 1 billion dollar loss? I imagine if I lost a billion dollars for a company I’d be out on the street. And luckily for us we are starting to see Board Chairmen, CEOs and CIOs resigning due to allowing a security breach to occur on their watch. Why is that lucky? Because it might raise the awareness we need to help fix this issue.

A base level of trust needs to be in place that makes it so that it is assumed your cyber defender, who also is part of your profit sharing plan and wants the company to make money, or who is a strong patriot and wants our tanks to run or planes to fly, is not going to willy-nilly… I just wanted to say willy-nilly in a formal speech… is not going to willy-nilly take systems off-line, and that when they say a system really needs to be fixed immediately they need to be granted the authority. We already give them the responsibility and career risk when a breach occurs; now let’s give them the authority they need to protect the organization, even if there is a small short term negative profit impact – wow, that is hard to say, but I bet if we asked Target, Home Depot, Sony, Anthem, you get the idea, if they could go back in time and accept a $5,000.00 profit hit in order to take a system off-line and patch it instead of the breach, they would all say yes.

For you, the risk of allowing the E7, E8, Lieutenant, Captain, Major, etcetera – I’d try to go on but I’ve been out of the military for a loooong time and would most likely get the other command ranks wrong… – to trump the cyber defender may just result in a significant loss to both your combat effectiveness and your ability to defend our country.

Trust. Trust the cyber defense experts that we are graduating from our military schools both to understand the business and to effectively assess the risk and make the call on fixing open and exploitable channels of attack. While the department heads and commanders should still have the final say, an answer of “don’t touch this system” or an answer of “you are over-reacting to this threat” (yet how would they even have the expertise to make that judgment?) should be the rare exception and not the norm. – Trust and authority – we can win this cyber war and defend our systems against the cyber threat.


I just read an article on LinkedIn about the negative impact caused by the recent Home Depot breach. Here are my thoughts about how all the 2014 breaches should change some C level and Information Security paradigms. These could cause a major C suite thought shift and maybe even a large paradigm thought shift in how our profession thinks about the skills and talents really needed by Information Security professionals.

Note – I know this opinion will not resonate well with some CISOs. Major IT departments continue to hire CISOs that have little to no security background. Hackers and blackhats are associated with organized crime and, IMO, until we put more of an emphasis on the word SECURITY in the CISO title, and until CISOs stop walking a tightrope by always trying to compromise and keep the business happy by letting the business need trump the security need (“ok, don’t patch that extremely vulnerable system, I understand your business need not to”), the crooks will continue to win.

Also, it appears that too many companies are basing their CISO hiring decisions on the candidate’s business acumen. Wouldn’t it be better to focus on how well the candidate knows how to fight and deter criminals? I’m not saying CISOs don’t need to understand the business; I am saying that a stronger focus should be on how much the CISO knows about criminals and crime fighting. I also realize that thought would take a major paradigm shift in the thinking of the C suite.

Posted by mclaukl

The Insider Threat is Alive and Well – a summary taken directly from Raytheon’s How to Build an Insider Threat Program (2014) …

Aspects of human nature further complicate matters: Well-intended managers resist any notions of “their people” doing “bad things.” They screened them. They hired them. They work with them side-by-side and – if they’re good bosses – have developed a genuine interest in their career development and even personal happiness. In addition, one of the most critical elements in building a high performing team is trust, so anything that can have a negative impact on that trust needs to be very carefully analyzed and explained before being implemented. This disposition is not about being gullible; we all have white hat syndrome at times. It’s about being a helpful manager – and a decent person.

But it would be imprudent to completely abandon a sense of cautionary oversight, as there has been a steady flow of news reports about insiders doing harm to their organizations. They range from probably the most notorious of incidents – Edward Snowden’s carefully plotted leaking of sensitive NSA documents after downloading 1.7 million files – to possibly the funniest (except for the company in question): A software developer for a U.S. critical-infrastructure company literally outsourced his job by sending his log-in credentials to a Chinese contractor, so he could get paid six figures to surf Reddit, post Facebook updates, shop on eBay and watch cat videos all day. While the latter anecdote has generated considerable amusement, it underscores the reality that internal threats pose serious risks: 53% of organizations have experienced an insider cybercrime incident, according to the 2013 U.S. State of Cybercrime Survey from the CERT Insider Threat Center at Carnegie Mellon University. So who are the users who pose threats? In all cases, they have authorized access to the network, and their co-workers and managers are usually shocked that they would do such a thing. Clearly, tech departments need the support of their leadership to do what plant managers and foremen did in the 1950s: Watch. Audit. Intervene. Prevent.

Regardless of the user’s full time or contractual status, you want to look for classic “tip-off” behaviors which can lead to trouble, e.g. the clear taking of proprietary information without need or approval; expressing increased interest in matters unrelated to defined duties; connecting to the network remotely from unusual places at unusual times; having access to machines that they really don’t need access to; and constantly seeking elevated privileges, to list a few examples from the FBI profiling studies. Without a program in place to stop these individuals, organizations stand to lose an estimated $412,000 on average per incident.

In many organizations, a “we trust everyone to do the right thing” mindset too often prevails, and data points abound, such as 50% of employees who leave a company admitting to taking proprietary data, to show why this is highly questionable logic.

Another issue is with internal rule benders who conclude that the added layer of protections is either unnecessary and/or overly alarmist and/or presents too many inconveniences for them to deal with. They consider themselves and their work as above it all, and decide on their own as to when to follow security protocols – and when to circumvent them. As they grow more comfortable with the latter, they choose it as their “default” setting, doing things such as sending proprietary information outside the company “walls” without encryption, logging onto systems that they should not have access to, elevating other people’s access rights because security doesn’t understand the person’s real need, etc. They love external drives and USB sticks, because these tools make it nearly impossible to distinguish risky behavior from harmless, work-related shortcuts. In fact, according to a recent survey conducted by Voltage Security, 50% of network users admitted to having bypassed security controls to complete a task more quickly and easily. Internal Rule Benders make up 15% of threat actors who have caused or committed a breach of their organizations’ data. Senior executives are disinclined to acknowledge that the worst is, indeed, possible: “We trust the people we hire” and they perform a valuable role. We do not want to promote a culture of suspicion. These Senior executives need to realize that Trust but Verify is a good mantra for them to start living by.

It’s too difficult. It’s too costly. There’s no imminent crisis. “Status quo” is working out just fine. Then, like Target, Home Depot and many others, they find out that it’s not, after it’s too late.

On our team how can we implement items that allow us to do the following?

CERT’s “Common Sense Guide to Mitigating Insider Threats” has emerged as an industry standard for program implementation. Among its recommended actions:

  • Launching a security information and event management (SIEM) system to log, monitor and audit user activity.
  • Detecting activities outside the users’ normal scope of duties via phone/network logs, etc.
  • Regularly reviewing accounts to verify that all are still active and necessary.
  • Ongoing auditing of user accounts created and passwords provided.
  • Requiring all system administrators to change passwords when a fellow administrator leaves his or her job.
  • Monitoring and controlling remote access from all end points, including mobile devices.
  • Incorporating threat awareness/prevention policies into comprehensive termination policies.
  • Developing a baseline of “normal” network device behaviors.
  • Inventorying IT assets and routinely assessing their present-day role and relevancy.
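The “tip-off” behaviors listed earlier (remote connections from unusual places at unusual times, access to machines the user has no need for, constant requests for elevated privileges) and CERT’s recommendations to log user activity in a SIEM and build a baseline of “normal” behavior can be turned into a small detection routine. The Python below is an added example written for this page; it is not part of the Raytheon or CERT material. The log format, the users alice and bob, the host names, the 2014-09-06 review cutoff and the alert thresholds are all constructed for the illustration.

```python
"""Added example (not from the Raytheon or CERT material summarised above):
learn a per-user baseline from authentication logs, then flag the
'tip-off' behaviours the summary lists.  Every name, host and log line
here is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  Columns: timestamp  user  source_country  host  action
SAMPLE_LOG = """\
2014-09-01T09:05:00 alice US fileserver01 login
2014-09-02T09:10:00 alice US fileserver01 login
2014-09-03T09:02:00 alice US fileserver01 login
2014-09-04T08:58:00 alice US hr-db01 login
2014-09-05T09:07:00 alice US fileserver01 login
2014-09-06T02:40:00 alice RO fileserver01 login
2014-09-06T02:41:00 alice RO payroll-db01 login
2014-09-06T02:42:00 alice RO payroll-db01 sudo_request
2014-09-06T02:43:00 alice RO payroll-db01 sudo_request
2014-09-06T02:44:00 alice RO payroll-db01 sudo_request
2014-09-01T10:00:00 bob US buildbox01 login
2014-09-02T10:30:00 bob US buildbox01 login
2014-09-03T11:00:00 bob US buildbox01 login
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, host, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "country": country, "host": host, "action": action})
    return events


def build_baseline(events, cutoff):
    """Profile of 'normal' per user, learned only from logins before the
    cutoff: where they log in from, which hosts they use, at what hours."""
    base = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for e in events:
        if e["time"] < cutoff and e["action"] == "login":
            profile = base[e["user"]]
            profile["countries"].add(e["country"])
            profile["hosts"].add(e["host"])
            profile["hours"].add(e["time"].hour)
    return base


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(events, baseline, cutoff, hour_slack=2,
           sudo_threshold=3, sudo_window=timedelta(minutes=10)):
    """Review events at or after the cutoff against the baseline and return
    one alert per event that shows at least one tip-off behaviour.
    The thresholds are assumed values for the example, not CERT guidance."""
    alerts = []
    sudo_times = defaultdict(list)          # recent privilege requests per user
    for e in sorted(events, key=lambda x: x["time"]):
        if e["time"] < cutoff:
            continue
        profile = baseline.get(e["user"])   # .get() does not create an entry
        reasons = []
        if e["action"] == "login":
            if profile is None:
                reasons.append("no baseline exists for this user")
            else:
                if e["country"] not in profile["countries"]:
                    reasons.append(f"login from unusual location {e['country']}")
                if e["host"] not in profile["hosts"]:
                    reasons.append(f"first access to host {e['host']}")
                if all(hour_distance(e["time"].hour, h) > hour_slack
                       for h in profile["hours"]):
                    reasons.append(f"login at unusual hour {e['time'].hour:02d}:00")
        elif e["action"] == "sudo_request":
            recent = [t for t in sudo_times[e["user"]] if e["time"] - t <= sudo_window]
            recent.append(e["time"])
            sudo_times[e["user"]] = recent
            if len(recent) >= sudo_threshold:
                reasons.append(f"{len(recent)} privilege requests within {sudo_window}")
        if reasons:
            alerts.append({"user": e["user"], "time": e["time"].isoformat(),
                           "host": e["host"], "reasons": reasons})
    return alerts


def run_example():
    """Baseline on the first five days of the constructed log, then review
    everything from the constructed cutoff date onward."""
    events = parse_log(SAMPLE_LOG)
    cutoff = datetime(2014, 9, 6)           # constructed review boundary
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["time"], alert["user"], alert["host"], "; ".join(alert["reasons"]))
```

Run against the constructed log, alice’s activity on 2014-09-06 produces three alerts: a login from an unfamiliar country at an hour she never works, a first-ever login to payroll-db01, and a burst of three privilege requests within ten minutes; bob, whose activity stays inside his baseline, produces none. The two-hour slack and the three-requests-in-ten-minutes threshold are assumptions for the example and would be tuned per role in a real SIEM; the alerts are meant to be reviewed by an analyst, which is the “Watch. Audit. Intervene.” posture the summary describes, not to trigger automatic action.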


If you don’t go looking for trouble you will never find it.  

But, Trouble will find you / your Organization

How do we get back to this future in a technological workplace?

In the classic factory of the 1950s, managers strolled from their offices on a floor that towered over plant activity, closely observing whether shift crews below were doing what they were supposed to do. Because employees knew the eyes of a supervisor may be upon them at any time, they were less inclined to cheat the system – such as slipping any of the company’s property or product into their pockets, or sabotaging a machine out of spite. Thus, the business was protected. And what was good for the business was good for everyone involved: the bosses, the investors and, yes, the workers.  Said another way, it is good for business and for organizations to keep one rotten apple from spoiling the bunch.



Just a Random Thought After an Information Technology (IT) Meeting

It is not the job of IT operational support staff to eliminate 100% of failures across the corporate infrastructure (the cost would be too high). It is IT’s job to manage failures so that they stay within the levels of operation the business has determined as acceptable. – Kevin McLaughlin


A day in the life of a senior Cyber Security Incident Responder


The day was proving to be an exciting one for team Havoc, the Company’s cyber Red Team, as the L2 report Glacier had just read showed that 4 of the core company servers were vulnerable to a very common exploit. Glacier, the Red Team leader, was evaluating the report and figuring out how he was going to communicate this to the Global IT leaders. It was important to not just inform IT of the vulnerability, but to have recommended solution sets to present that were reasonable and that would allow them to remediate the vulnerabilities. Glacier was on his second read through of the report when he noticed a section that mentioned end user data on the systems being encrypted.

“Hey Hammerhead, come over here.” Hammerhead is the team’s best Wintel expert. “What’s up?” “Take a look at these systems and check out what is happening with the data on the shared drive. I’m thinking we’ve already been hacked and have a serious issue here. What do you think?” “Oh man Glacier, it looks like we have an active ransomware attack, maybe using something like Cryptowall.”

Glacier immediately contacts NightShade, the Cyber Incident Response Team (CIRT) coordinator and asks her to get the team assembled.

While the above scenario does happen more often than we would like it to, thankfully it is not an everyday occurrence. Most days consist of conducting risk assessments on malware and zero-day events, investigating abnormal system behavior, and investigating employee or corporate security reports of suspicious activity. Each of these events has to be analyzed and assessed quickly, all the while knowing that each of the actions decided upon will be second guessed by armchair quarterbacks across corporate IT leadership. Let’s say the Incident Response (IR) team makes a decision to patch systems based on their initial intelligence gathering and risk analysis. If any of these systems have a production failure due to the patch, pushback from IT immediately begins and argument over the need and criticality of the patch ensues. Even when the actions taken, such as having corporate executives change their passwords, are less impactful to productivity than leaving a building due to a fire alarm, second guessing by business leaders is inevitable. Even though the IR team’s decisions are rooted in cyber intelligence followed by an appropriate risk analysis, they are frequently told they are overreacting.

The business and IT leaders who do this second guessing often ask that in the future, when these decisions are made, they be made by group consensus. This thinking shows a complete lack of understanding of how fast cyber-attacks can move. For example: When the Blaster worm came out as a zero day event it took down Fortune 500 companies around the globe in less than 15 minutes. The other issue with this type of reasoning is that these business and IT resources, while highly intelligent, have limited knowledge of cyber security and what it takes to prevent or quickly remediate data breaches. This fact has been made obvious by the long line of large data breaches, all in companies that had limited Cyber Security resources or that did not listen to the ones they did have.

The same business and IT leaders who are doing the second guessing of Cyber Security professionals most likely read the first paragraph of this paper with thoughts that it is silly and bizarre for Cyber Security IR teams to use nicknames. Experienced IR professionals understand that hackers and fraudsters are highly intelligent and capable of conducting social engineering research to find the names of IR members so they can track those names on chats and systems in an effort to disrupt response capabilities. In the past, law enforcement professionals have had the bad guys call police stations pretending to be a hospital where their wife or husband had just arrived after being in a car accident. It is very possible that cyber attackers would try some of the same tactics to disrupt IR response capabilities. There are many IR teams that only have one UNIX or one Wintel resource, and having them not engaged would cause a large negative impact to team operations. So, not only should IR teams use nicknames but these nicknames should also be treated as restricted data.

So, after that interlude, let’s get back to a day in the life of a senior IR professional. As with most jobs, coffee is the beginning of the day. While drinking their coffee, the IR professional reviews a variety of Cyber Intelligence sources to determine potential impact to the current employer. On some days this leads into the intelligence gathering and risk analysis work discussed above; on other days it leads to a check through emails to make sure that the Level 1 (L1) or Level 2 (L2) Security Operations Center (SOC) did not have any urgent findings for immediate handling. If there are no urgent needs in email, then a variety of L1 and L2 SOC reports are reviewed and analyzed and items of interest are followed up on as needed. Being a student of Stephen Covey’s 7 Habits and the Corporate Athlete methods, lunch is something light and is followed by a walk or quick work out. After lunch, the senior IR professional performs a quick check-in with each of the team members to see what items they are working on and to make sure that morale is high. This is followed by another quick email review to make sure nothing urgent has come in from Corporate Security, the company’s See Something – Say Something campaign, or either of the SOCs. Assuming nothing needing attention has come in, the IR professional brings up the SIEM dashboard to conduct a quality check of the work being done by the L1 and L2. This often leads to some phone calls or a meeting with their team leaders to reinforce Standard Operating Procedure (SOP) items that are not being correctly followed. The end of the day usually consists of going through all the emails that have had to sit while the daily tasks were completed.


What’s It Going to Take to Have Cyber Security?

Written by- Kevin L. and Kody T. McLaughlin

If you are a Cyber Security professional, do you get as mad as I do when you read and hear over and over again that Cyber Security professionals don’t have enough talent, skills, or business acumen to effectively secure systems?  I say bull!  That’s right, bull!  In wargame after wargame I have observed that the defending team must keep an unused port open, or have a small exploitable vulnerability on their systems, so that the attackers have a chance and the games are interesting.  What that tells me is that many of us know what to do and we have the skills necessary to do it, but there are organizational blockers that prevent us from effectively securing the systems we are trusted to safeguard.  Until we change the business culture into one that allows cyber security professionals the latitude to mandate that system baselines are kept, that critical vulnerabilities are remediated immediately, that unused ports and unused services remain off, that comprehensive logs are sent to a security tool for analytics, etc., we will continue to have data breaches reported on pretty much a daily basis.  Organizational data breaches are getting to be too common and too severe to be ignored.  Already this year we have seen:

  • A 56 million card credit card breach at Home Depot
  • 4.5 million patient records compromised at Community Health Services
  • A breach of over 216 stores at Jimmy John’s
  • The discovery of a 2-year, 82,600 patient breach out of Aventura Hospital and Medical Center
  • 1.4 million TripAdvisor customers compromised
  • A Neiman Marcus breach of 350,000 cards
  • A breach of 868,000 cards from 330 stores at Goodwill

Oh well, at least at the end of the day we can forget about these breaches and unwind with a few video games.  That is, of course, as long as they aren’t one of the games like Destiny and Call of Duty that hackers DDoS’d with little effort.

The bulleted items above are just the high-profile incidents.  Numerous smaller companies have also been compromised.  Yet companies still refuse to believe that this could happen to them.  According to the Ponemon Institute, 43% of companies had a data breach in the past year.  It is time for companies to realize the cyber threat isn’t some boogieman in the closet; it is a real and increasingly present threat.

These threats come with real consequences.  According to a report published by IBM, the average cost of a cyber breach is $201 per record compromised.  This averages out to a cost of $5.9 million per breach, with some breaches exceeding $21 million.  The IBM report also suggests that customers and investors are becoming increasingly less likely to continue doing business with an organization that has had a

Breaches also come with legal battles.  Right now, Home Depot is caught in a firestorm of suits, one of which is to the tune of $450 million for negligence.

It is a sad state that it appears as if Information Security teams are woefully incapable of keeping up with the increasingly prominent and advanced cyber threat.  This isn’t due to lack of knowledge or talent but due to lack of influence within their organization.  It is too easy and too common for companies to hire CISOs and large security teams to make themselves feel safe, and then, when those teams want to change policies or procedures or add security controls, they are shunned and ignored due to the inconvenience associated with securing systems.  Or, and this appears to be the non-security business executive’s number one trump card, these CISOs and their teams are told “you just don’t understand the business”; which really means that the business executive doesn’t understand or believe the security analysis.  Worse is that in most organizations these Cyber Security teams have no power to mandate that appropriate action be taken to secure organizational systems.  When organizational charts put the CISO underneath executive decision makers, instead of high enough to warrant a chair at “the big kids table,” it is extremely difficult for security teams to make a meaningful change in their organization’s security posture.  Until security teams are given the authority they need to be effective, these daily breaches will continue.


The Cyber Security CIA explained via Calvin and Hobbes

Leave it to my son Kody, who is starting his Cyber Security career, to come up with this novel way to explain the CIA triad for Cyber Security.

In InfoSec terms, CIA refers to Confidentiality, Integrity, and Availability. To illustrate how these principles work, let’s look at Calvin and Hobbes.

Calvin and Hobbes create a club called the “Super-Secret-No-Icky-Girls-Allowed” club.  During their very first treehouse meeting, they draft a document entitled “member list” and write the names “Calvin” and “Hobbes” on the list.  This list is the club’s most valuable asset, so Calvin and Hobbes need to maintain the CIA of the asset.  The confidentiality of the list is critical, as the exposure of the secret member list would cause the entire super-secret club to lose its purpose.  The integrity of the list is also important, to ensure that unauthorized modifications of the list can’t be made.  It would be terrible if Susie’s name were to make it onto the list or if Calvin’s name were to be removed.  Lastly, the availability of the list is important.  When the club meets to have their secret meetings, they need the list to do roll call and to ensure that those in attendance are listed.

So now that we’ve got the idea, we can explain how CIA works for business assets. The confidentiality of the asset is necessary to ensure that only those with appropriate privileges and appropriate need can see the asset. The integrity of the asset is necessary to ensure that the data has not been changed and, if it has, a log of changes is kept. The availability of the asset is necessary because it is not of any value if no one can interact with it for its intended purpose.
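To make the three legs concrete, here is an added illustration (not from the original post) that models the club’s member list with one control per leg: a reader list for confidentiality, a keyed checksum plus a change log for integrity, and a second copy for availability.  The key, the names and the `MemberList` class are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample key; in practice it would be known only to club members.
CLUB_KEY = b"treehouse-key-constructed-sample"


class MemberList:
    """The club's member list, with one control for each leg of the CIA triad."""

    def __init__(self, members, readers):
        self._members = list(members)
        self._readers = set(readers)            # Confidentiality: who may read
        self._changes = []                      # Integrity: log of authorised changes
        self._tag = self._tag_of(self._members) # Integrity: keyed checksum (HMAC)
        self._backup = list(self._members)      # Availability: second copy

    @staticmethod
    def _tag_of(members):
        data = "\n".join(members).encode()
        return hmac.new(CLUB_KEY, data, hashlib.sha256).hexdigest()

    def can_read(self, who):
        """Confidentiality: only those with privilege and need may see the names."""
        return who in self._readers

    def read(self, who):
        if not self.can_read(who):
            raise PermissionError(f"{who} is not a club member")
        return list(self._members)

    def add(self, who, name):
        """Integrity: every authorised change is logged, re-sealed and backed up."""
        if not self.can_read(who):
            raise PermissionError(f"{who} may not change the list")
        self._members.append(name)
        self._changes.append((who, "add", name))
        self._tag = self._tag_of(self._members)
        self._backup = list(self._members)

    def verify(self):
        """Integrity: detect a change that bypassed the logged path."""
        return hmac.compare_digest(self._tag, self._tag_of(self._members))

    def changes(self):
        return list(self._changes)

    def restore(self):
        """Availability: recover the list from the copy if it is lost or damaged."""
        self._members = list(self._backup)
        return self.verify()
```

An edit made directly to the underlying list (Susie sneaking her name on) fails `verify()`, and `restore()` brings the sealed copy back so roll call can go ahead.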
