Mar 8 2017
You spin the top and wait to see whether it continues in kinetic motion or falls to the pull of gravitational force. You trust that the road chosen, walking the path of serendipity toward an anticipated culmination (the correct state of scientific innovation, which in this case has been forged to deliver a true state of cyber security), is the right one. The question is, after investing much time, effort and finance in support of the anticipated goal, does the spinning top fall, or does it continue to spin in an unrealistic world of imagined expectation?
The above introduction may seem very unconventional, but I believe it can be aligned with the real world of security and successful hacks, including some deep-rooted breaches that have manifested into significant compromises of what were supposed to be secure assets and infrastructures.
As an example, take the UK-based organization that had invested in commissioning an IT security company to support its mission to deliver robust cyber security defenses into its operational area.
Post ISO/IEC 27001 reviews, consultations and risk assessments, several observations were made and followed up on to deliver the recommended level of security. And yet, even after the delivery of these expensive long-term professional services, the organization suffered a breach of its firewall and security infrastructure, compromise of its WiFi network, and an almost complete breach of its servers and desktop systems.
This must surely pose the question, just how could this be?
The second example is the company that sought security support after what it considered to be a run-of-the-mill, low-level security compromise by ransomware – which, after days of investigation, turned out to be an attack by international actors who had managed to compromise several key sensitive targets.
Again, I pose the question: how can such widespread security incursions and compromises take place after such organizations have engaged professional services that were anticipated to deliver security?
OK, so I do accept that there is no such thing as 100% security, and that most organizations have been, or will be, breached. But my point here is that where such widespread breaches do occur, impacting just about everything from the firewall down to servers and workstations, together with the complete compromise of the WiFi network, something drastic has gone wrong with the delivery of the onion rings of security, allowing such wide and seemingly unfettered access to supposedly secured operational assets.
In the case of one of the serious incursions, the indications of a lack of professional understanding and skills got much, much worse. Upon encountering the widespread breach, the first reaction was not to conduct a forensically sound investigation to acquire the related information and artifacts and assess the situation in flight. The response was instead to conduct a penetration test, after the horse had bolted, to locate the root of the incident (wherever that root, or roots, may be).
Actions of this nature, when engaging a cyber security incident as a first responder, not only display a fundamental lack of professional understanding but also have the potential to further compound the breach in flight.
The point I am seeking to make here is that the days of putting complete trust in an ISO/IEC 27001 top-level audit, or in a risk assessment applying soft information assurance skills, have long passed their sell-by date.
We are in a time in which we must conjoin such high-level soft skills with real-time technical prowess, ensuring that what has been recommended at the higher, soft level is matched by lower-level, back-to-basics, old-fashioned skill sets: assuring that systems are patched and configured to permit authorized access whilst denying all other potential intrusions, and, of course, provisioning penetration testing services before, and not after, the fact.
Organizations who are paying premium prices for such services also need to start evaluating any real-time shortfalls in security, to assess whether they are acceptable and justifiable encounters or the product of lacklustre consultancy that has missed the technical security point in its entirety.
And in the worst case, when a widespread breach en masse does occur, the procuring organization should seriously consider swapping out its current provider for one with the required skill set, aligned not to yesterday's approach to IT security and assurance but to the real implications of the cyber threat in our current age.
So, if on the long serendipity road of attempting to deliver a robust and meaningful security posture you happen to spin the top and notice that it is in continuous flight, it may be time to bite the bullet and move the mission into a real-world perspective, where the top can, does and will fall over.
This article is written by PLUS Specialty Training’s Cyber Security: Information Security Best Practice Trainer John Walker.
Prof. John Walker FBCS CISM CRISC CITP ITPC FRSA
John is a leading expert in the field of Cyber-Security. With over 30 years of international experience, he is a World Class Info-Crime and Cyber Security Researcher who has worked within the Covert Worlds of CESG, GCHQ and ‘TK’ Sky Technology, with the Security Services. He has delivered over 90 Global Presentations and has originated over 100 Papers and Articles on Cyber-Security.
He is actively involved with supporting the countering of eCrime, eFraud, and on-line Child Abuse, an ENISA CEI Listed Expert and an Editorial Member of the Cyber Security Research Institute (CRSI).
John is a Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts (RSA), Board Advisor to the Digital Trust and Writer for SC Magazine UK. He was the Originator of DarkWeb Threat Intelligence, CSIRT, Attack Remediation and Cyber Training Service/Platform, Accreditation Assessor and Academic Practitioner and Accredited Advisor to the Chartered Society of Forensic Sciences in the area of Digital/Cyber Forensics.
John is also a practicing Expert Witness in the area of IT, and the originator, and author of a CPD/MSc Module covering Digital Forensics, and Investigations. Professor John Walker is a Visiting Professor at the School of Computing and Informatics, Nottingham Trent University (NTU), Visiting Professor/Lecturer at the University of Slavonia, CEO of HEXFORENSICS LTD, and Independent Consultant in the arena of IT Security and Forensics, and Security Analytics.