Dark Reading | Operations | Commentary
9/21/2015 01:30 PM
By Andy Nieto
Navigating The Slippery Slope Of Public Security Disclosure

In talking publicly about cybersecurity, CISOs need to portray capability, strength, and confidence, but without offering critical details that could lead to an attack.

Mountain climbers call a narrow ridge with steep drops on both sides an “arête.” Crossing one can be one of the trickiest parts of any serious climb. Talking publicly about security is the chief information security officer’s arête. There is a thin line of even footing to follow in order to succeed; one misstep sends you down a slippery slope toward catastrophic consequences.

When a CISO discusses security, he or she can’t be too boastful, or they paint a target on the company’s back. Many hackers are childish, and what they perceive as public bragging is a challenge to them. Nor can the CISO disclose too many details about security measures, because that simply hands hackers a blueprint. Staying silent is not an option either: the media, the public, investors and users demand answers and information about security. Is it possible to portray capability, strength, and confidence without key details? Yes; it is not only possible, it is the only way to cross the security arête.


First, the CISO must state, and act on, the principle that security is a process. The general public, investors and even board members often see the “bottom line” and “deliverables” as finite accomplishments. Security, by contrast, is a constantly evolving activity. Security is a verb. Educating the public to this fact is critical to controlling your message. When planning your public security persona, consider which parts need to be visible, as both a deterrent and a protection, and which parts need to remain anonymous in order to discourage interest in attacking.

The message must contain action verbs: “Our firewall scans all inbound and outbound traffic” is a more powerful statement than “Our firewall has traffic audit features enabled.” The action verbs should speak to real processes, but be cautious: provide only a vague description of the process.

For example, “We conduct regular internal and external perimeter testing with currently available methodologies” is a good statement. It does not speak to any specifics, yet it makes clear that there is an active process. Stating “We conduct regular internal and external denial-of-service and port-scan tests” is a poor statement: a hacker may know of several other attack vectors you are not testing for, and that gap is their blueprint for a possible attack.

When considering a public message, consider the most secure US public figure, the President. We know that the President is the most guarded and protected person on the planet. What the Secret Service won’t tell us is how they accomplish this, and that is by design. Grand visible gestures are a small fraction of the actual security measures in place, yet they serve as a visible and impressive deterrent to foul play. Strong public statements on security without specific details are good. “We employ a myriad of applications, systems and processes to ensure the protection of your personal data” is one such statement.

When making your statements, avoid “naming names.” An executive I know recently made a very public announcement about hiring an “ethical hacker” as a member of his security team. This new team member had recently bragged to other hackers about winning a “black hat” contest. Their name alone became the catalyst for an inbound attack. Remember, as I mentioned, some hacker personalities are childish. 

In our Presidential example, we did not discuss what the public doesn’t see: the “pre-work” put in before the President lands. This advance preparation is much like the risk assessment and risk mitigation programs that every CISO should actively run.

For each risk or security situation, you must evaluate the strategic and technical response, and then also prepare a public statement. You may never have to use the public statement for every element of risk or security. However, having the answer ready helps present a calm, powerful, and deterrent public image of security and strength.

Proper planning, and knowing where to step and which areas to avoid, is the way to navigate an arête. Similarly, when discussing security publicly, determine your approach, don’t let distractions impede your focus, and stick to your path.

Andy Nieto is the IT Strategist for DataMotion, an experienced email encryption and health information service provider (HISP). DataMotion was founded in 1999, and today, millions of desktop, tablet and mobile users leverage its mature, cloud-based data delivery platform to ...
Comments
RyanSepe (User Rank: Ninja), 9/21/2015 | 2:42:59 PM
Exercise in Diction
You should always be careful with what you say. However, I don't think that rearranging your statements in such a minimal fashion as explained by the article is going to help you not become a target. Don't be arrogant, I agree. But I believe you are a target due to the foundations of your business. What do you do, what information do you hold, etc.?