
Operational Security

8/10/2017
05:10 PM
Joe Stanganelli
News Analysis-Security Now

Lawyers Are Friends, Not Foes

When it comes to security allies, your corporate counsel should top the list.

Many programmers and engineers possess a natural distrust of attorneys. Nonetheless, when it comes to protecting their organization's data, the attorney and the security engineer can be natural allies because of their mutual interests and similar ways of thinking.

Both want to reduce the organization's attack (or liability) surface while doing what they can to mitigate damages should something go awry. Both are paranoid about people out to get them (or, at least, get their employers). And both hold Murphy's Law as a universal truth.

Moreover, the company lawyers, whether in-house or outside counsel, have greater influence and responsibility when it comes to crafting company policy and ensuring it is enforced. Accordingly, they are arguably the next-to-last line of preventive defense against ransomware -- before the user himself or herself.

Below are but three things security-minded organizations can learn from -- and do with -- their legal counsel to better protect organizational data.

Plan for everything with compulsive pessimism
Good lawyers (and those inclined or destined to be good lawyers) are great "What if...?" askers -- particularly because asking "What if...?" is the very essence of effective law practice. At least one study has shown that law practice is the sole profession in the world in which pessimists generally enjoy greater career success than do optimists. Of course, this study was conducted before the field of cybersecurity had taken off to the extent it has today. Lawyers know that just about anything can happen; so too do good cybersecurity workers. The partnership between the two roles should be natural -- and the two can work well together on meaningful data-protection compliance, tabletop exercises, and handling data-breach crises after the fact.

CISOs and InfoSec workers, therefore, are well advised to welcome teaming up with in-house counsel to construct and enforce exhaustive -- yet meaningful -- policies, procedures and solutions for data-protection training, emergency planning, disaster recovery, breach tracking and notification, and other cybersecurity issues.

No policy unenforced
If there's a policy, for heaven's sakes, follow and enforce it!

This may seem obvious, but consider the impact of social engineering. Every year, Social-Engineer hosts a Social-Engineer Capture the Flag Contest (SECTF), in which contestants compete to obtain as much sensitive information as they can from a selection of major enterprise companies by way of social engineering. The results are often celebratory for the contestants while embarrassing for the targeted companies.

"The companies who happened to do well did so accidentally or out of ignorance in [that] they either couldn't answer the question or didn't know how, so the call shut down," said Michele Fincher, Social-Engineer.org's COO, after the 2013 SECTF -- in which tech giant Apple scored abysmally. "Very few [employees] said, 'I am not allowed to give out this information.'"

This kind of policy-enforcement failure can lead -- and, in the case of Apple, as well as others, has led -- to headline-grabbing data breaches, such as the one Wired writer Mat Honan suffered in 2012 (the year before Apple was targeted in the SECTF). That year, hackers seized control of all of Honan's major online accounts by using social engineering to exploit policy flaws at Amazon and Apple that compounded each other -- despite not knowing the answers to Honan's security questions or other key information that only he would know. Had the company lawyers -- or HR people or other leaders with lawyer-like minds -- enforced their organizations' putatively strict policies for customer-service password resets, Honan's hack might never have happened.

Ditto when it comes to NSA employees -- approximately two dozen of whom reportedly may have voluntarily given their password credentials to leaker-to-be Edward Snowden when he simply asked for them.

Don't reuse; don't recycle
One of the biggest threats to information security is password reuse. When a breached organization's compromised user credentials are the same as those of the employees at your own enterprise, you become all the more vulnerable -- particularly as word of the breach spreads across the news and the passwords spread across the DarkNet.


It's happened before. Last time, I wrote about how password recycling led to a major security breach at restaurant-finding service Zomato. The 2014 security breach of Dropbox, meanwhile, provides a more notorious (albeit less recent) example; the cloud storage company blamed the hack on users reusing their Dropbox passwords across multiple other services.

This is where the lawyer-drafted company handbook can help -- particularly in conjunction with proper employee training.

"I wish passwords weren't reusable," lamented Patrick Hynds, Founder and President of New Hampshire-based cybersecurity consultancy DTS, in a keynote he delivered at last year's meeting of the Boston chapter of the National Information Security Group (NAISG). "So we have a format that I've used for the last 20 years, which is that the employee handbook in every company that I've had any power over has a page -- and a brief that goes with it -- that says, 'The password you use on our network belongs to us. If you use it anywhere else and we find out, you're fired.'"

That stick, granted, is heavy indeed -- but it need never come to that. Recently, security researcher Troy Hunt released a database of 320 million compromised passwords that organizations can use to block the reuse of known-compromised passwords at the moment a user sets one.
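As an added illustration (not code from the article or from Troy Hunt's project), the check below shows how a password-set policy can consult a list of breached passwords distributed as SHA-1 hashes. The hash list here is a constructed stand-in, and the prefix-range lookup is an assumed pattern for querying large hash lists without sending the full hash, not something the article describes.

```python
import hashlib

# Constructed sample: a tiny stand-in for a breached-password list distributed
# as uppercase SHA-1 hex digests, one per line. The entries are made up for
# this example and are not taken from any real list.
SAMPLE_BREACHED_HASHES = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ["password", "123456", "letmein", "Summer2017"]
)

def load_breached_hashes(text):
    """Parse a hash-per-line list into a set for O(1) membership tests."""
    return {line.strip().upper() for line in text.splitlines() if line.strip()}

def sha1_hex(password):
    """Hash the candidate the same way the list is hashed (SHA-1, uppercase hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def is_known_compromised(password, breached):
    """Direct lookup: is this exact password in the breached set?"""
    return sha1_hex(password) in breached

def prefix_range_query(password, breached, prefix_len=5):
    """Assumed lookup pattern: the client reveals only the first few hex chars
    of the hash, receives every suffix in that bucket, and finishes the
    comparison locally, so the full hash never leaves the client."""
    full = sha1_hex(password)
    prefix, suffix = full[:prefix_len], full[prefix_len:]
    bucket = [h[prefix_len:] for h in breached if h.startswith(prefix)]  # server side
    return suffix in bucket

def validate_new_password(password, breached, min_len=8):
    """Policy check at password-set time: reject short or known-breached passwords.
    Returns (accepted, reason) so the caller can explain the rejection."""
    if len(password) < min_len:
        return False, "too short"
    if is_known_compromised(password, breached):
        return False, "appears in breached-password list"
    return True, "ok"
```

A rejection message should tell the user only that the password is known-compromised, not where it appeared.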

In any case, strict enforceability to the point of actual employment termination is not the point; nurturing a culture of security is.

"We've never fired anybody [over it and] we probably never will," continued Hynds, "but it gets it in their head that this is not a game. It's important."

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine.
