Saturday, March 09, 2013

House is on Fire. Call 911? Do I have a choice?

If you were awakened in the middle of the night by the smell of smoke, would you call 911? Do you have a choice?

I’ve been talking and working with several organizations lately who for whatever reason, chose not to call 911. Worse, some (most all) either don’t have smoke detectors or the batteries have died, they don’t get tested annually, and aren’t even wired to a place that will let them be heard when they go off in the middle of the night.

So, what happens when there’s a fire and the owner is awakened by the smell of smoke? Maybe he’ll grab a fire extinguisher or buckets of water. Within a short time, the fire grows. Grab the garden hose!.... the whole time, as the neighborhood gathers to watch his house burn to the ground, little by little, he forbids the neighbors from calling the fire department.

Get the picture? We’re not talking about smoke. We’re not talking about fire at all. We’re talking about the stubbornness of IT directors and CIOs with emotional connections to the idea that whatever happens in the networks that they built; whatever happens, they can fix it. Let’s think...

  • The fire smoldering deep in their networks is largely undetectable by their current smoke detectors. Those things were installed years ago, and even though they auto-update, they might detect the old stuff, but can’t detect the new.
  • The team is all fairly new, and while they know tools exist on the network, they have no idea how to use them.
  • “The IT guy has been with the us for years. He’s never let us down before. We’ll cut him some slack.. just a few more months.”

Sound familiar?

So here’s the thing. In the last 30 days I’ve talked with at least three companies in this exact situation. One has started submitting information to Red Sky without actually joining. Another has a CSO and an IT director, but the IT guy doesn’t trust the CSO and thinks he can do it on his own. The third isn’t a corporation... but I could write a series of posts on government information security!

So let me pose a couple of thought questions...

Should IT security fall under the CSO when IT has no security organization? What responsibility is held by the CSO when no Infosec organization exists? If not the CSO, then who? In many of the companies I talk to, they have a CSO who’s responsible for physical security. The CSOs usually have no IT experience, but is the only security guy in the many of the companies. So what is their responsibility? If not the CSO, then who?

At what point do you call for help? Who do you call? FBI? Police? Consultant? When IT spends months playing ‘whack-a-mole’, when should IT be required to get outside assistance? How much of the budget should be allowed to be spent before IT is required to blow the whistle? When that occurs, who should they call?

Last, what role does the board play? When IT is unable to stop the intrusions, how much time/money should be spent before senior management reports to shareholders?  When a company refuses to ask for help, how much time (money) should be spent before liabilities fall to the board and senior management for not acting sooner? Is there a liability to the board for not notifying shareholders and requiring management to seek assistance?

BREAK BREAK

I haven’t done a Red Sky update in a couple of weeks. We have a lot going on...

  • This week we’re gearing up for our 5th quarterly threat day (in Tampa). We are really looking forward to a first time face-to-face with several members and to further building out the trust relationship which is so important in our space.
  • Two new Fusion Reports were released to our community. The latest introduced a new threat group to our list of tracked adversaries and provided detailed analysis on the leveraged protocol as well as mitigation recommendations. The second report provided additional analysis and attribution on a recent highly-publicized compromise.
  • We’ve added a new member to Beadwindow. Our newest member is a state level organization for higher education. We really like working with the city, state and local governments!
  • Last, we’ve just taken possession of the space in the Manchester mills. The new company (a Red Sky Alliance company; this one incorporated in NH) is called Wapack Labs, and we’re bootstrapping this one with contract security intelligence work, a bit of R&D, and some research.

I’m looking forward to talking with more of you in the future. We’re giving two more threat briefs, I’ll be presenting heading for Dallas this week, speaking at a McKinsey event in New Jersey and then headed for New York for another panel discussion with the financial community. We’re busy and doing great!

Enough for now.
Have a great week!
Jeff