
Operational Security

8/10/2017
05:10 PM
Joe Stanganelli
News Analysis-Security Now

Lawyers Are Friends, Not Foes

When it comes to security allies, your corporate counsel should top the list.

Many programmers and engineers possess a natural distrust of attorneys. Nonetheless, when it comes to protecting their organization's data, the attorney and the security engineer can be natural allies because of their mutual interests and similar ways of thinking.

Both want to reduce the organization's attack (or liability) surface while doing what they can to mitigate damages should something go awry. Both are paranoid about people out to get them (or, at least, get their employers). And both hold Murphy's Law as a universal truth.

Moreover, the company lawyers, whether in-house or outside counsel, have greater influence and responsibility when it comes to crafting and ensuring the enforcement of company policy. Accordingly, they are arguably the next-to-last lines of preventative defense against ransomware -- before the user himself or herself.

Below are but three things security-minded organizations can learn from -- and do with -- their legal counsel to better protect organizational data.

Plan for everything with compulsive pessimism
Good lawyers (and those inclined or destined to be good lawyers) are great "What if...?" askers -- particularly because asking "What if...?" is the very essence of effective law practice. At least one study has shown that law practice is the sole profession in the world in which pessimists generally enjoy greater career success than do optimists. Of course, this study was conducted before the field of cybersecurity had taken off to the extent it has today. Lawyers know that just about anything can happen; so too do good cybersecurity workers. The partnership between the two roles should be natural -- and the two can work well together on meaningful data-protection compliance, tabletop exercises, and handling data-breach crises after the fact.

CISOs and InfoSec workers, therefore, are well advised to welcome teaming up with in-house counsel to construct and enforce exhaustive -- yet meaningful -- policies, procedures and solutions for data-protection training, emergency planning, disaster recovery, breach tracking and notification, and other cybersecurity issues.

No policy unenforced
If there's a policy, for heaven's sakes, follow and enforce it!

This may seem obvious, but consider the impact of social engineering. Every year, Social-Engineer hosts a Social-Engineer Capture the Flag Contest (SECTF), in which contestants compete to obtain as much sensitive information as they can from a selection of major enterprise companies by way of social engineering. The results are often celebratory for the contestants while embarrassing for the targeted companies.

"The companies who happened to do well did so accidentally or out of ignorance in [that] they either couldn't answer the question or didn't know how, so the call shut down," said Michele Fincher, Social-Engineer.org's COO, after the 2013 SECTF -- in which tech giant Apple scored abysmally. "Very few [employees] said, 'I am not allowed to give out this information.' "

This kind of policy-enforcement failure can lead -- and, in the case of Apple, as well as others, has led -- to headline-grabbing data breaches, such as the kind Wired writer Mat Honan suffered in 2012 (the year before Apple was targeted in the SECTF). That year, hackers seized control over all of Honan's major online accounts by using social engineering to chain together policy flaws at Amazon and Apple, each of which made the other exploitable -- despite not knowing the answers to Honan's security questions or other key information that only he would know. Had the company lawyers -- or HR people or other leaders with lawyer-like minds -- enforced their organizations' putatively strict policies for customer-service password resets, Honan's hack might never have happened.

Ditto when it comes to NSA employees -- approximately two dozen of whom reportedly may have voluntarily given their password credentials to leaker-to-be Edward Snowden when he simply asked for them.

Don't reuse; don't recycle
One of the biggest threats to information security is password reuse. When a breached organization's compromised user credentials are the same as those of the employees at your own enterprise, you become all the more vulnerable -- particularly as word spreads across the news and the passwords spread across the DarkNet.


It's happened before. Last time, I wrote about how password recycling led to a major security breach at restaurant-finding service Zomato. The 2014 security breach of Dropbox, meanwhile, provides a more notorious (albeit less recent) example; the cloud storage company blamed the hack on users reusing their Dropbox passwords across multiple other services.

This is where the lawyer-drafted company handbook can help -- particularly in conjunction with proper employee training.

"I wish passwords weren't reusable," lamented Patrick Hynds, Founder and President of New Hampshire-based cybersecurity consultancy DTS, in a keynote he delivered at last year's meeting of the Boston chapter of the National Information Security Group (NAISG). "So we have a format that I've used for the last 20 years, which is that in the employee handbook in every company that I've had any power over has a page -- and a brief that goes with it -- that says, 'The password you use on our network belongs to us. If you use it anywhere else and we find out, you're fired.' "

That stick, granted, is heavy indeed -- but it need never come to that. Recently, security researcher Troy Hunt released a database of 320 million compromised passwords that can be used for preventing reuse of known passwords.
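One concrete way a breached-password list like Hunt's is put to work is to screen every new or changed password against it at the moment the user sets it, so "don't reuse a known password" becomes an enforced control rather than a handbook sentence. The following is an added example, not code from the article or from Hunt's project; it assumes the list is available locally as one SHA-1 hex digest per line (the format the published dumps use), optionally followed by a `:count` prevalence field, and the sample lines are constructed inline.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key used by breached-password dumps."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample dump: three weak passwords with made-up prevalence counts.
# A real dump holds hundreds of millions of lines in this same shape.
SAMPLE_DUMP = "\n".join(
    f"{sha1_hex(pw)}:{count}"
    for pw, count in [("password", 3303003), ("123456", 20760336), ("letmein", 236400)]
)


class CompromisedPasswordList:
    """In-memory index of a breached-password dump keyed by SHA-1 digest.

    Only hashes are stored, so the plaintext corpus never has to live on the
    password-policy host.
    """

    def __init__(self, dump_text: str) -> None:
        self._counts: dict[str, int] = {}
        for line in dump_text.splitlines():
            line = line.strip()
            if not line:
                continue
            digest, _, count = line.partition(":")
            # Lines without a count (older dumps) are treated as seen once.
            self._counts[digest.upper()] = int(count) if count else 1

    def seen_count(self, password: str) -> int:
        """How many times the candidate appeared in breaches (0 if never)."""
        return self._counts.get(sha1_hex(password), 0)


def evaluate_new_password(candidate: str, breached: CompromisedPasswordList,
                          min_len: int = 12) -> str:
    """Return 'ok' or the reason the candidate must be rejected.

    The breach check runs first so the user learns the password is already
    public, which is the more urgent message than a length complaint.
    """
    hits = breached.seen_count(candidate)
    if hits:
        return f"rejected: appears in breach corpus {hits} times; pick one not used elsewhere"
    if len(candidate) < min_len:
        return f"rejected: shorter than {min_len} characters"
    return "ok"
```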

In any case, strict enforceability to the point of actual employment termination is not the point; nurturing a culture of security is.

"We've never fired anybody [over it and] we probably never will," continued Hynds, "but it gets it in their head that this is not a game. It's important."

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.
