Attacks/Breaches

11/29/2017
07:05 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

First US Federal CISO Shares Security Lessons Learned

Greg Touhill's advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.

INSECURITY CONFERENCE - Washington, DC - Greg Touhill encouraged his audience of security leaders, whom he dubbed "the cyber neighborhood watch," to swap war stories and lessons learned during his keynote at Dark Reading's inaugural INSecurity conference, held this week in Washington, DC.

As the first CISO of the US federal government, and with an extensive background in government cybersecurity and the military, Touhill has several stories of his own. Drawing from years of experience, the Cyxtera president shared his own lessons learned to kick off an event created to bring cyber defenders together so they can discuss problems and challenges.

One of the biggest problems is explaining to the business how cybersecurity is a risk management issue. Most security pros struggle to communicate with business leaders, who "speak a different language than we do," he explained.

"I keep on hearing executives talk about cybersecurity being a technology problem, and they keep pouring money into buying new stuff," said Touhill as an example. The enterprise instinct to buy new protective tools often distracts them from the core problem of managing risk.

One of Touhill's lessons was to avoid chasing fads. Sometimes new doesn’t mean improved, he noted. Security leaders need to keep tech current, not buy every new tool. They should do their homework and base their product decisions on both risk potential and business value.

Knowing the value of corporate information is a key part of evaluating and managing risk. Business leaders know their data exists but can't explain what it means or how much it's worth. It's tough to know where to prioritize security if you don't know which data is most valuable.

"Information is one of the most valuable assets any business, any operation has," Touhill emphasized. "Look at your infrastructure, look at how you architect. Know the value of your information and don't try to defend everything. Defend what you need to defend."

Security leaders must also prioritize security by design, he continued, using the transition to the cloud as an example. "A lot of folks jumped into the cloud without knowing about the tall, craggy mountains on the other side of that cloud," he pointed out.

Touhill's lessons extended to security employees. "Humans fail all the time," he said, but you can bring down the risk of catastrophic events by training people and making sure they're appropriately resourced. Hardening the workforce is "critically important."

"People are your weakest link but also your greatest assets," Touhill continued. It's up to security leaders to make the business case for additional training, which is necessary but expensive. The need for education will never go away. Team members, and colleagues across the enterprise, should be taught to "think like a hacker" and "be very suspicious."

The sentiment extended to another lesson: have a zero-trust model. Most security pros haven't taken a full inventory of all the trust relationships they have, he argued, encouraging the audience to look at where their trust lies and "be skeptical." Knowing and remembering the value of information will be critical as a new wave of professionals enters the workforce.

"We're raising a generation of folks who are freely surrendering their privacy - your privacy - by giving up information and not recognizing the value of it," Touhill said.

Other lessons touched on security fundamentals. He urged the audience to identify where they aren't mastering basics or being consistent. "How many times has someone gotten breached and left the backdoor open?" he asked, relating his advice back to thinking like a hacker.

Attackers will go for the underbelly, Touhill continued. They will check every door and window to make sure they are locked. And if they're not, they will take advantage of it.

Ultimately, along with protective measures and strategies, leaders must also "be prepared for a really bad day," he concluded. Security teams identify risk and threats, protect against them, and often build response plans but rarely exercise them to practice for a real incident. Those who need to practice the most often don't.

In the best organizations, everyone participates in cyber exercises and drills - even the boards and the CISOs. "A bad day is going to come for each and every one of us," Touhill emphasized.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/30/2017 | 8:32:12 PM
Re: Executives wait for "technologists" to lock their own front doors
@SchemaCzar: Not just executives -- even the very top executives. An MIT professor once told me a story of how a company sent out "fake" phishing emails to its employees as a test, and one of the people who clicked on the link was a C-suite executive. When asked why he clicked on the link, the C-suiter responded, "I wanted to see what would happen."
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
11/30/2017 | 9:32:07 AM
Executives wait for "technologists" to lock their own front doors
Reading security news and the general news, I conclude that Touhill needs to talk tougher to executives.  There are too many stories of executives who can't be bothered to follow the same security policies that must be followed by others in the organization.  They are the highest-value person targets in the organization, and they often feel they can dump their own security on an underling, or worse, that security is the organization's problem rather than their personal responsibility.  I recently heard of a high-level VP in a large, regulated business who flat-out refused to follow password change, or even password complexity policy.  This was before password change policies were brought into question, but long after secure password managers were available that make password change and complexity requirements manageable.

Touhill is right that these executives think cybersecurity is a technology problem.  So is the physical security of their own homes: a technology problem.  If they treated home security the way they do organizational security, they wouldn't even lock their own front doors.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/29/2017 | 8:30:55 PM
Basics
Reminds me of that old reality show "To Catch a Thief," which demonstrated to people how easy it was for burglars to break in and steal them blind in a matter of about ten minutes. Almost all the time, there was an unlocked window or unlocked door.

Same thing in cybersecurity. The bad guys don't go right to sophisticated techniques. They go to basic, common passwords and they go to recently announced zero-days to check for a lack of a patch.
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14492
PUBLISHED: 2018-07-21
Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, and AC10 through V15.03.06.23_CN devices have a Stack-based Buffer Overflow via a long limitSpeed or limitSpeedup parameter to an unspecified /goform URI.
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.