BreachExchange mailing list archives

Navigating The Slippery Slope Of Public Security Disclosure


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Sep 2015 18:10:59 -0600

http://www.darkreading.com/operations/navigating-the-slippery-slope-of-public-security-disclosure/a/d-id/1322268

Mountain climbers call a narrow ridge with steep drops on both sides an
“arête.” Crossing one can be one of the trickiest parts of any serious
climb. Talking publicly about security is the chief information security
officer’s arête. There’s a thin area of even footing to follow in order to
be successful, but make one misstep and a slippery slope and catastrophic
consequences will follow.

When a CISO discusses security, they can’t be too boastful or they
paint a target on their company’s back. Many hackers are childish, and what
they perceive as public bragging is a challenge to them. The CISO cannot
disclose too many details about their measures, for that will simply end up
providing a blueprint for hackers. Staying silent is not an option either.
The media, the public, investors and users demand answers and information
about security. Is it possible to portray capability, strength, and
confidence without key details? Yes, it is not only possible, it is the
only path to cross the security arête.

First, the CISO must state, and act, on the principle that security is a
process. The general public, investors and even board members often see
“bottom line” and “deliverables” as finite accomplishments. Security is a
constantly evolving, changing action. Security is a verb. Educating the
public to this fact is critical to controlling your message. When planning
your public security persona, consider what parts will need to be visible
as a deterrent as well as a protection and which parts need to be anonymous
in order to dissuade interest in attacking.

The message must contain action verbs: “Our firewall scans all inbound and
outbound traffic” is a more powerful statement than, “Our firewall has
traffic audit features enabled.” The action verbs should speak to real
processes, but be cautious. Provide only a vague description of the
process.

For example, “We conduct regular internal and external perimeter testing
with currently available methodologies” is a good statement. It does not
speak to any specifics and yet provides a clear statement that there is an
active process. Stating, “We conduct regular internal and external denial
of service and port-scan tests” is a poor statement. A hacker may know of
several other attack vectors which you are not testing for. This is their
blueprint for a possible attack.

When considering a public message, consider our most secure US public
figure, the President. We know that the President is the most guarded and
protected person on the planet. What the Secret Service won’t tell us is
how they accomplish this -- and that is by design. Grand visible gestures
are a small fraction of the actual security measures in place, yet they
serve as a visible and impressive deterrent to foul play. Strong public
statements on security without specific details are good. “We employ a
myriad of applications, systems and processes to ensure the protection of
your personal data” is one such statement.

When making your statements, avoid “naming names.” An executive I know
recently made a very public announcement about hiring an “ethical hacker”
as a member of his security team. This new team member had recently bragged
to other hackers about winning a “black hat” contest. Their name alone
became the catalyst for an inbound attack. Remember, as I mentioned, some
hacker personalities are childish.

In our Presidential example, we did not discuss what the public doesn’t
see. The public does not see the “pre-work” put in before the President
lands. This advance preparation is much like the risk assessment and risk
mitigation programs which all CISOs should actively run.

For each risk or security situation, you must evaluate the strategic and
technical response, and then also prepare a public statement. You may never
have to use the public statement for each element of risk or security.
However, having the answer ready helps present a calm, powerful, and
deterrent public image of security and strength.

Proper planning and knowing where to step, and areas to avoid, is the way
to navigate an arête. Similarly, when discussing security publicly,
determine your approach, don’t let distractions impede your focus, and
stick to your path.