Everyone who works in or is tasked with hiring for the InfoSec industry understands that one of the biggest challenges is acquiring and keeping talent. There is a deficit of good people, and that includes senior executives. In the case of CISOs, the average tenure (according to industry research) is 24 to 48 months, with many CISOs changing companies even more frequently.
In my 12+ years at Depth Security, I’ve seen many CISOs move to greener pastures, which is perfectly normal given the state of the industry. I have also observed a large variance among the first actions CISOs tend to take after landing new jobs. Which raised an important question: What are the first five things I would do as a new CISO? And with that, here they are:
#1: Enterprise Penetration Testing and Red Teaming
A new CISO needs to understand what the real-world security posture of the organization is. Not the perceived posture, or all the things the organization seems to be doing well from a security perspective, or last quarter's pen test report, but the no- holds- barred, truth of what the organization looks like right now from all perspectives. What better time to do it than right at the beginning of your tenure, when you are held least responsible for the status quo? You want answers to important questions like:
- Are there critical flaws that can be exploited to fully compromise the company?
- From what perspective? (External, Internal, Wireless, Contractor, etc.)
- If exploitation and compromise occur, did anyone notice?
- Once attackers have a foothold, how long does it take the whole domain to fall?
Here are some tips to make sure you stand the best chance of getting accurate answers to those questions:
- Be sure not to allow your people to define the scope of the engagement. Attackers do not care about your formalized scope and therefore you shouldn’t either.
- Include discovery to identify assets you may not know you have and add them into the scope of testing.
- If the security organization is extremely mature and you feel confident with the previous penetration testing results, it may be prudent to move forward with a Red Team engagement to simulate a determined, evasive attack against the organization.
- Penetration Testing or Red Teaming needs to be executed by a trusted, and competent 3rd party. As a new CISO you can with almost 100% certainty NOT trust what has been passed off as a “penetration test” at the organization thus far. There are many companies out there providing “penetration testing” that couldn’t find and exploit a flaw if their lives depended on it. See our blog post “Indicators of Poor Assessment Work” here: https://depthsecurity.com/blog/indicators-of-bad-assessment-work
The bottom line: You want to find (and fix) flaws before someone else does. Even discovering one externally available critical-severity issue that can be used to compromise your organization is worth many times the price of admission.
#2: Manually assess all Internet-accessible websites and web applications
Web applications are one of the main ways attackers get remote footholds into your organization. Make sure you're testing them properly. Here are some pointers:
- Testing needs to include everything regardless of where it is hosted.
- If it's dev/test/QA/staging, attackers will look at it with even more scrutiny. Either test those instances in addition to production or restrict public access somehow.
- Test from both unauthenticated and authenticated perspectives.
- Even if you already have an automated or hybrid application security scanning program, it isn’t enough; you need skilled human beings manually testing. We can’t tell you how many times we find critical flaws in applications that are being scanned already by all the usual suspects.
Summary: Every Internet-facing website and application should be manually tested. We have exploited critical issues in even basic, non-interactive marketing websites that eventually resulted in the complete compromise of the organization’s infrastructure, users and data.
#3: Implement Multi-Factor Authentication on All Internet-Accessible Systems (where possible)
Password reuse is rampant, and breach databases are plentiful. It may sound lo-fi, but even basic password spraying attacks still yield catastrophic results. It's summer of 2018 at the time of this writing. How much would you wager on there being no user accounts in your Active Directory with a password of Summer18 or Summer18!?
- The most critical systems are those that provide remote access such as Citrix, VPN, SSLVPN, etc.
- Got OWA? Implement MFA there too. It’s a real attack vector.
- Almost anywhere a username and password are used can be a target. Including your cloud services(Office365, Box.com, Dropbox, Workday, Salesforce, etc.).
- Don’t forget those DR systems or those single hosts that are still Internet-accessible.
Takeaway: MFA needs to be implemented in totality. We see 96% all the time; it’s not good enough. Our assessors are experts at finding that one device or that one realm on that one service that you forgot doesn't have MFA.
#4: Implement Advanced Endpoint Protection on All Systems
This recommendation sounds rather tactical, I know. It even looks strange to me, but from my perspective, this can be one of the most effective ways to reduce risk to an organization quickly when done right. What does “right” mean? Great question, let’s dive in:
- Efficacy – The right solution needs actually to stop attacks effectively. There are many Advanced Endpoint Protection and Next Generation Anti-Virus solutions out there that don’t effectively stop attacks. We know; we’ve tested them.
- Endpoint Detection & Response Capabilities – Repeat after me: “No solution exists on the market that cannot be bypassed.” We walk right through AEP and NGAV solutions every day during assessments. That’s why it’s extremely important to have EDR functionality in place as well. You need to have plans for when an attack bypasses your chosen AEP or NGAV solution(s). EDR is the answer. The proper solution will alert you to suspicious behavior and allow you to look back in time when you have questions.
- Ease of Management – If you can’t easily deploy and manage a solution, it will not work. The whole point here is to gain a quantifiable level of protection and visibility into attacks ASAP. Spending months or years ramping up doesn’t fit into this use case.
- Cross-platform - The solution needs to be deployed, in prevention mode to all your systems. That includes servers, workstations, kiosks and domain controllers. And not just Windows systems but also MacOS and Linux too.
#5: NAC & Security Automation: Visibility & Control of ANY device on your networks
We can’t defend what we don’t know is there. I encounter organizations that struggle with visibility into assets on their networks. For example, most organizations struggle with accurate asset management and inventory of IT assets. To clarify, I define visibility as not only the who, what, where and when of every device on the network but also visibility into the configuration of these devices as well. Here are the things you need to look for in the right solution:
- Vendor-Neutral – It’s unrealistic to expect an organization to forklift core infrastructure to accommodate security. You need a solution that works with your infrastructure as it is today AND tomorrow.
- Coverage for ALL devices– You need to have coverage for any device on your network. That includes servers, workstations, kiosks, printers, routers, switches, TVs, webcams, insulin pumps, x-boxes, Iranian centrifuges or anything else.
- Real-time, Continuous and Accurate – You can’t make decisions on old data. Visibility needs to be as real-time as possible and accurate. You need an authoritative source of real-time information for assets on the network, not just another tool.
- Granular Control – Simply blocking or allowing all network access isn’t realistic. You need to have granular control options for a wide variety of situations.
- Integration and extensibility – Silos of information can still be valuable but aren’t good enough today. We need to be able to easily integrate into other systems to gain context and ultimately to enhance both our visibility and control.
Visibility into all assets on your network is useful and actionable on its own. But when coupled with the ability to granularly control any device on your network in an automated fashion, it becomes invaluable.
I recognize that there are many essential initiatives a new CISO needs to accomplish that are not on my list. Understanding your organization's business goals, aligning security initiatives with those goals and building trust are all important aspects of a CISO role within an organization. But at the end of the day, the primary mission of any information security team is to protect the organization. And these are the first five things I would do in support of that mission.