Never waste a good security incident

Matthew Hackling

Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling

Organisations often pay lip service to security "Oh yeah, security is important...pass the sugar please" but don't properly fund and hence resource the information security function. Once a security incident occurs its all "who do I pay to make this go away".  The unfortunate reality is that a security function is a slow moving beast, and a rapid cash injection doesn't realize immediate results.

Most improvements are made through people (new capabilities introduced) and process (repeatable documented processes for key security controls especially documented usage of built in security functionality in systems) not shiny new toys.  Good information security people are in short supply and getting the wrong people can end up with your organisation stuck in "analysis paralysis" or "compliance tunnel vision".  Without the right people embedded in your organisation how does your organisation you uplift processes or even understand the reports/processes written by your consultants? 

If your security function is effective, will there be a reduced number of security incidents due to your effective prevention measures?  Potentially there will be more security incidents discovered because you are checking logs and looking for evidence of a compromise!

If your security function is in-effective, there is likely to be security incidents, but you won't know about them!  We're not in the 90s anymore where security incidents were all digital vandalism style web defacements.  Attackers these days are often criminals who don't want attention drawn to their activities. 

If you are a CISO or perhaps someone with a keen interest in security at your organisation I suggest you try and remember the following phrases in case of a security incident:

"Who do we task with responding to this security incident? Gee I wish we had a CISO to organise us"

"What did you say?  The SOE doesn't have security patch requirements? Well let's note that for further attention".

"What an accidental misconfiguration of a system let this happen?  Hmmm.. How could we perform compliance checks in future of production systems?"

"Sorry, you say that the evidence of the compromise was there in the security log all the time? How can we automated review of these logs in future and assign someone to action the alerts generated?"

"An application security flaw you say allowed this incident to occur? Perhaps we should suggest security requirements for applications in the post incident review for this incident".

I suggest you forget the following phrase "I told you so"

Tags: CISO, security incidents

Show Comments