The CIFR approach to security: Challenge, Inspect, Fix and Repeat
A few days ago, I got sucked into a pretty interesting discussion around security.
Person 1> "We have devised a way in which we secure the data, but it is a secret we are not supposed to share."
Person 2> "What if you do? Will it become less secure if you somehow tell people about it?"
Person 1> "Well, we don't want to give pointers about where to start attacking."
Person 2> "You think a real hacker is waiting for your pointer?"
Person 1> silence...
Person 2> quotes Dan Farmer:
People don't want to talk about death, just like they don't want to talk about computer security. Maybe I should have named my workstation Fear. People are so motivated by fear.
I got a sense of déjà vu, because a few CISOs I have met and known don't really like to be called out and challenged on their approach to security. I totally understand the pressure of the job along with the ever-looming threat of attackers. After all, CISO is a comparatively new, but VERY DEMANDING role! There is an article that elaborates the fireable offences that may cost a CISO their job. Here is a gist of what these offences are (read the article for details):
- Failure to prevent a data breach with significant financial or reputation damage
- Covering up a breach. Read the Uber Case.
- Taking on too much responsibility for risk and not communicating the risk to others
- Failure to achieve or maintain compliance
- Unprofessional conduct
- Failure to deliver reliability and uptime
Challenge, Inspect, Fix... Repeat
We have worked with many customers and helped them with various approaches to data and device security. In our humble opinion, security should be driven not by fear but by a deliberate, top-down approach that the leadership owns. One approach that we often recommend to our customers is CIFR:
CHALLENGE > INSPECT > FIX > & REPEAT
The attackers are becoming smarter. There is no reason why you shouldn't!
Challenge the setup periodically
Ask yourself these questions...
Question 1> Can you confidently & openly challenge your OWN employees to gain access to ANY data they are not authorized to access and reward them if they are successful?
Why should you do this?
Insider threats are on the rise and your data is precious. Often, people have more access than they need. The Thales Data Threat Report[^1] reveals that data breaches are at an all-time high:
Privileged insiders (51%) were the top threat by a wide margin, substantially ahead of cybercriminals at 42%, followed by contractor accounts, executive management and partners with internal access!
Question 2> Do your employees understand the importance of security?
Why should you educate them?
Not everyone understands the policies and why they must adhere to them. Most people treat security measures as a discomfort imposed on them, and often complain about productivity loss due to security constraints. You should educate them repeatedly to ensure they understand the importance of securing data at rest on devices like their PCs, laptops, etc.
With the proliferation of mobile devices, BYOD culture and a plethora of SaaS solutions in the enterprise, it is now more important than ever to sensitise your employees to the fact that enterprise data is a collective responsibility and that they must take care of the data on their endpoint devices. Not only does this help in keeping the honest people honest, but it also helps in avoiding unintentional mistakes. The same report shows where the spending gap is:
Data-at-rest defences (encryption, tokenisation, etc.) were selected as the top defence globally (77%), just ahead of network security and data-in-motion defences (both at 75%).
Yet they were ranked dead last in terms of planned spending increases (just 40% globally and 44% in the U.S.). In sharp contrast, the biggest planned increases are targeting endpoint security (global 57%, U.S. 65%, up from 60% last year), the same category deemed least effective in protecting sensitive data.
Did you know that Microsoft has a solution called Azure Information Protection (AIP) that can classify and secure content? Also, are you aware of disk encryption software like Microsoft BitLocker, which is included at no extra cost in the Pro and Enterprise editions of Windows? Yet we find many enterprise customers who are not encrypting devices as a standard practice. It is just a matter of using the software you already have to its full potential to reap great rewards from a security perspective.
There are solutions from other vendors as well. I would love to hear your perspective on the solutions you are using and the challenges you are facing, if any.
Question 3> Are you sure that your ex-employees, vendors and partners have appropriate access at all times?
Why should you assign permissions dynamically from policies instead of with fixed, one-off grants?
There is a common practice of securing resources by default and giving access to sensitive resources (sometimes via change requests) on a need basis. BUT, even more common is the mistake of NOT revoking that access in situations like:
- The employee changing a team or role
- The employee leaving the system or org
How are you handling such cases? Is the process manual? How reliable is the process of revoking access when a person quits the organisation? Are you using any system or software to take care of this, and does it also cover contractor and partner accounts whose engagement has an end date?
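As an added example (not the article's own code), here is a small joiner/mover/leaver reconciliation in Python that turns Questions 1 and 3 into a check you can actually run during the Challenge step: it compares an entitlement export against the HR feed and a team-to-group policy, and reports grants that belong to leavers, to contractors whose engagement has ended, to people who changed team but kept their old access, and to accounts with no owner in HR at all. The HR feed, the group names, the TEAM_GROUPS policy and the sample people are all constructed for illustration and assume nothing about any real directory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Person:
    """One row of the HR feed (constructed for this example)."""
    user_id: str
    team: str
    status: str               # "active" or "terminated"
    kind: str                 # "employee", "contractor" or "partner"
    end_date: Optional[date]  # engagement end date for non-employees


@dataclass(frozen=True)
class Grant:
    """One row of the entitlement export: who holds which group."""
    user_id: str
    group: str


@dataclass(frozen=True)
class Finding:
    user_id: str
    group: str
    code: str     # "leaver", "expired", "mover" or "orphaned"
    detail: str


# Hypothetical policy: the groups each team legitimately needs.
# Any group a person holds outside their team's set is excess access.
TEAM_GROUPS: Dict[str, Set[str]] = {
    "finance": {"erp-ledger", "payroll-read"},
    "engineering": {"git-push", "ci-admin"},
    "support": {"crm-read"},
}


def review_access(people: Iterable[Person], grants: Iterable[Grant],
                  today: date) -> List[Finding]:
    """Compare live grants against the HR feed and policy; return what to revoke."""
    by_id = {p.user_id: p for p in people}
    findings: List[Finding] = []
    for g in grants:
        p = by_id.get(g.user_id)
        if p is None:
            # Access with no owner in HR: no leaver process will ever fire for it.
            findings.append(Finding(g.user_id, g.group, "orphaned",
                                    "no matching person in HR feed"))
        elif p.status == "terminated":
            findings.append(Finding(g.user_id, g.group, "leaver",
                                    "still holds access after termination"))
        elif p.end_date is not None and p.end_date < today:
            findings.append(Finding(g.user_id, g.group, "expired",
                                    f"{p.kind} engagement ended {p.end_date.isoformat()}"))
        elif g.group not in TEAM_GROUPS.get(p.team, set()):
            # Typical mover case: access from a previous team was never removed.
            findings.append(Finding(g.user_id, g.group, "mover",
                                    f"{g.group} is not a {p.team} entitlement"))
    return findings


# Constructed sample data, not real accounts.
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("alice", "finance", "active", "employee", None),
    Person("bob", "engineering", "active", "employee", None),     # moved from finance
    Person("carol", "support", "terminated", "employee", None),   # left the company
    Person("dave", "engineering", "active", "contractor", date(2024, 3, 31)),
]
GRANTS = [
    Grant("alice", "erp-ledger"),       # fine: finance needs the ledger
    Grant("bob", "git-push"),           # fine: engineering entitlement
    Grant("bob", "payroll-read"),       # leftover from bob's finance days
    Grant("carol", "crm-read"),         # carol no longer works here
    Grant("dave", "ci-admin"),          # contract expired two months ago
    Grant("svc-legacy", "erp-ledger"),  # no HR record at all
]


def find_stale_access() -> List[Finding]:
    """Run the review over the constructed sample data."""
    return review_access(PEOPLE, GRANTS, TODAY)


if __name__ == "__main__":
    for f in find_stale_access():
        print(f"{f.code:8} {f.user_id:11} {f.group:13} {f.detail}")
```

Running it on the sample data flags four grants (bob's leftover payroll access, carol's post-termination CRM access, dave's expired contractor admin rights and the ownerless service account) and leaves alice and bob's legitimate groups alone. The point of the exercise is the policy table: if a team cannot say which groups it needs, nobody can say which grants are excess, and the "mover" case will keep slipping through.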
Question 4> Does the Identity follow the user?
Why should you work towards a better employee experience using single or same sign-on?
Your business is complex, and with the various line-of-business (LOB) applications you own, discovery alone becomes quite a task for the employee. Once the apps are discovered, they then have to get access to each one based on their role. More apps often means more login names and passwords to remember. In turn, that means people taking shortcuts by storing passwords in EXCEL sheets, plain text files or password management software (sometimes pirated!).
Wouldn't it be nice to have single sign-on (one authentication shared by all the apps) or at least same sign-on (one set of credentials kept in sync across them) for all the apps? How would the identity data be synchronised across the various apps? Sounds like a challenge, right? Well, that's because it is! Luckily, there is software to help. Microsoft Identity Manager can not only keep identities in sync across your LOB applications, but also automate quite a few of the provisioning and de-provisioning tasks for you, which saves you a lot of money.
Inspect what comes back
The responses to the challenges you have posed will give you plenty to work with. The idea now is to strike a balance between cost, user experience and overall efficiency. So, inspect every input and act where necessary.
Fix what matters most
You are the boss! Now you need to decide which area to fix first.
Fixing is usually much harder than it sounds, primarily because it changes the status quo. The mantra for fixing is: do it slowly, and do it without rush. I mean, plan every step, have backup plans ready, and only then go.
Security is not a one-off cure, and you need to stop treating it as an action item to be ticked off the "To Do" checklist. It is about the mindset, something that grows organically to become a culture. So, let it brew. Let it grow on people. Education is the best way here, and if you don't rush, the chances are you won't fall hard either. We have personally experienced a rushed rollout causing more harm than good, simply because it breaks the confidence of the implementer and makes later changes more difficult.
Another piece of advice is to hire the best experts in the field and not cut costs here in the name of speedy, rushed deployments. Your shiny limousine needs a good driver, and "just any driver" who knows how to drive won't cut it.
Repeat
A successful iteration of Challenge > Inspect > Fix will leave you tired for some time. Recharge yourself, take a break and REPEAT. It sounds tiring, and it indeed is, but that's the way. CISOs don't get it easy. There is a lot at stake, and YOU, dear Chief, are the reason why those pesky folks are still only knocking at your door. Had it not been for you, they would have it far too easy barging in and holding the company to ransom! Be the hero your company needs.
Check out our services or contact us at firstname.lastname@example.org for your data and device security needs. We would like to hear what you think about enterprise security and the challenges you face. It would also be great if you could share this article, leave a comment or subscribe to stay updated through our newsletter.