Application Security // Database Security
1/9/2013
01:35 AM

Airing Out Security's Dirty Laundry

Former South Carolina security guru's testimony shows how lack of security culture can open an organization to threats

Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say, "I told you so."

More than a year after Scott Shealy, fed up with the lack of support for security within his department, quit, that same agency came forward to announce a breach affecting millions of state taxpayers. And last Thursday, Shealy testified in front of the South Carolina House committee about the departmental problems that led him to quit and likely contributed to the state's tax agency becoming a target for hackers.

According to Shealy, he resigned from his job because he wasn't getting the support he needed to adequately perform his duties. He told legislators that his suggestions to install security measures went unheard, citing the department's failure to replace him for a full year as a sign of its lack of commitment to security.

"That guy got to have the meeting that every CISO who's ever been unsupported by their bosses wanted to have," says Mike Murray, managing partner for consulting firm MAD Security. "I have had jobs where I've wanted to be able to go in front of Congress and talk like that. It's heartbreaking for that guy and the people who lost their data, but, at the same time, I certainly have had times where I wish I could be that guy."

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

But if reports of the scene are true, it was hardly a satisfying experience for Shealy, who was said to have "sometimes quivered" during his testimony, according to Greenville Online. Nevertheless, his public post-breach airing of South Carolina's dirty laundry offered a number of key lessons to the infosec community at large, most notably about how important line-of-business support is to security endeavors.

"Until security finds a way to have meaningful discussions about risk and security effectiveness with business owners, it will be hard to get attention and funding for security programs," says Andrew Storms, director of security operations for nCircle. "South Carolina isn't the first organization to have this problem. 'It won't happen to us' is a nearly universal mind set that affects boardrooms and executives everywhere."

As universal as that mindset is, when the culture of a security organization is out of alignment with the desires of the business, it becomes nearly impossible to manage risk, Murray says.

"This guy couldn't be effective at doing his job because he couldn't effect change the way he wanted to," Murray says. "It wouldn't matter if he was the best CISO in the world or the worst. He still couldn't have gotten his job done because he and the security organization were out of alignment with the rest of the organization."

As beneficial as it is to hear publicly about other organizations experiencing the same kind of cultural misalignment that's usually only whispered about in trade-show hallways, there's a reason why Shealy's airing of the dirty laundry makes for such a rare occasion.

"Speaking publicly about your current or former client is a professional risk to your career and your perception as being the 'I-told-you-so-guy,'" says Gal Shpantzer, an information security professional working in the Washington, D.C., area. "You have to be very careful, especially in infosec, because if you're seen as breaching trust, you're never going to work anywhere again."

Shpantzer warns CISOs and security consultants to tread carefully following a breach, when the urge to burn bridges for the sake of having the last word hits.

"No. 1, don't do something stupid that will get you sued or perceived by others as someone who can't keep a secret. Be careful not to violate any contractual obligations," he says. "If you're dragged into committee and forced to submit a statement, that's different."

At the same time, security pros should be prepared for the inevitable fallout that comes from a breach, he says. Whether or not a security officer ever finds himself in the hot seat -- at a public testimony or just a closed-door board meeting -- it pays to keep records.

"Every security officer is a potential 'fall guy' once a breach occurs. So some CISOs keep what we call in the D.C. area a 'Washington Post file,'" Shpantzer says, explaining that this file should be ready for when the bad news about a breach at your company hits the pages of major news outlets. That is the moment when many a boss will ask why the CISO didn't ask for resources or warn about the risks.

"You can say to your boss or a lawyer under subpoena that all the emails are archived, all the proposals are archived," he says, "but just to save you time, here's a DVD with information about every budgetary request and the risk justification for it for the last couple of years, along with presentations on similar examples in our sector paralleling the nature and amount of information at risk."

Comments
lancop, User Rank: Apprentice, 1/9/2013 | 4:15:57 PM
re: Airing Out Security's Dirty Laundry
When CISOs are not getting the support they need to implement effective security, then just imagine what is happening to MSSPs - they're being set up as the fall guys when the inevitable massive breach occurs "during their watch". The takeaway is: yes, you better have your "due diligence" Washington Post files in order for when that subpoena shows up at your door, so that your lawyers will have a prayer at saving your neck. Better have your professional liability insurance up to date as well. Are we having fun yet?
kjhiggins, User Rank: Strategist, 1/9/2013 | 3:37:51 PM
re: Airing Out Security's Dirty Laundry
Being vindicated is one thing, but being prepared for a breach & fallout is wise advice (Shpantzer).

Kelly Jackson Higgins, Senior Editor, Dark Reading