Category Archives: Strategy

Security Policies IRL (Part 1)

If you’ve been following the news lately you will have heard about a large real estate group in China with a large debt problem. In short, the Chinese government decided to reduce risk by limiting the amount of debt held by real estate companies. To accomplish this, they implemented a new policy which could play out into a major disaster.


  • Implementing a policy without consultation can lead to chaos
  • Creating policy requires lots of communication and solid knowledge of the macro and micro environment
  • Consultation with functional units and effective policy metrics serve as good inputs for current and new policy

Now here lies the problem: implementing a new policy in a short space of time meant that companies that are heavily exposed without adequate cash flow are suddenly unable to service their debts. Evergrande is one of those companies with large unserviceable debts.

You have probably seen this in the InfoSec realm: policies that are dysfunctional and out of place in the real world. We’re not talking about the no personal floppy disk policy, rather policies that prevent the business from, well, doing their business. If you have ever heard the phrase “sorry, you can’t do that because it’s against security policy”, then that is the problem right there.

Take a step back for one second and remember why you are creating the policy in the first place. It is to protect and enable the business to operate in a secure manner (add your own seasoning to that but generally speaking, it is in the same theme/spirit). However, if you are creating policies without business consultation, you’re effectively creating policy in a vacuum, leading to distrust, policy circumvention and ultimately a policy fail.

Back to Evergrande for a second. While this is not a suggestion that Beijing created their policy in a vacuum, they knew companies were in debt but had to take corrective action: they pulled the plug on available credit expecting the problem to resolve itself or, worse still, actually implemented a policy without stakeholder consultation.

Beijing is now playing a game of chicken: either Evergrande resolves their debt issue or they will step in. Why? Beijing does not want an economic meltdown, citizens losing funds, supply chains closing, etc. At the same time they can’t afford to bail Evergrande out as other companies would then seek to request funds. Damned if you do, damned if you don’t; the intent was good but the execution, not so.

Unless you are operating within an authoritarian organisation, a democratic approach to the solution is required to enable the business. You still want the business to curtail risk, while consultation will allow the policy makers to understand the current situation and devise an appropriate strategy to level out risk over an appropriate timeframe to a mutually agreed, manageable level.

Well, where do I start? How does one know if a policy is causing fires within the organisation? Simple: ask the people on the ground for feedback. For existing policies, if the people on the ground have used the phrase “it’s against security policy” so many times, well, it’s time for a review. Naturally, there are reasonable bounds within which the business may operate, but if the phrase is being used time and time again, it is time to change the policy or devise a solution that is capable of fulfilling the request.

Does this mean that the policy is bad? Not necessarily; it could be as simple as tweaking the wording, providing standards or guidelines to supplement the policy, or a test case to identify how the policy could satisfy all parties. The point is that none of the mentioned solutions can be completed in a vacuum; they all require consultation, constant, regular consultation.

Secondly, if you caught on to the fact that the phrase sounds like a policy metric, that’s because it probably is. Consultation opens lines of communication for feedback, and any feedback, positive or negative, is a metric. No consultation, no feedback, no metric, simple. What about other ways of obtaining policy metrics? You may not have time to consult all the business units; communicating that there’s a feedback line is a start, or better still, speak to the front line staff and establish regular catch-up sessions.

Other metrics can be obtained through other business functions. Shadow IT is just one example: the fact that it exists could suggest that a policy is hindering the business. Assuming that you have a procurement function, significant IT purchases for assets or services that are not completed through approved procurement channels could suggest a policy failure. However, you would never know if you have not established a communication channel with Finance/Procurement.

Another way is to employ technical means to verify the effectiveness of the policy. It could be as crude as leveraging your support ticketing system and categorising the tickets. If there is trust in the establishment, expect constructive feedback. Unless there is a structural problem with your policies, you should not expect an avalanche of responses, either because the policy is working or because there is no trust and your policies are being circumvented.
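As an added example (not code from the original post), the ticket categorisation described above can be turned into a simple policy-friction metric: scan the free text of support tickets for the “against security policy” refusal, group refusals by the capability the business asked for, and flag topics that recur often enough to warrant a policy review, or that show signs of the policy being worked around. The ticket text, the topic keyword map and the review threshold are all constructed assumptions.

```python
"""Policy-friction metric from help-desk tickets (added example, not the post's own code)."""
import re
from collections import Counter

# Constructed sample tickets: (ticket id, free-text summary written by support staff)
SAMPLE_TICKETS = [
    ("T-1001", "Sales asked to share a 2GB file with a client via Dropbox. Declined, against security policy."),
    ("T-1002", "Printer jam on level 3, cleared."),
    ("T-1003", "Marketing wants Dropbox for agency collaboration. Not permitted by policy, suggested email."),
    ("T-1004", "Contractor needs VPN access from personal laptop. Refused as it's against security policy."),
    ("T-1005", "Password reset for jsmith."),
    ("T-1006", "Finance asked to install a Chrome extension for expenses. Blocked, against IT security policy."),
    ("T-1007", "Project team set up a Dropbox share themselves after being told no. Asked them to remove it."),
    ("T-1008", "Legal requests Dropbox to exchange discovery files with external counsel. Against policy."),
]

# Phrases support staff use when a request is refused on policy grounds.
BLOCKED_RE = re.compile(r"\b(against|not permitted by|violates)\b[^.]*\bpolicy\b", re.I)
# Phrases that suggest the policy was circumvented rather than followed.
CIRCUMVENTED_RE = re.compile(
    r"\b(set up .* themselves|own (laptop|account)|workaround|after being told no)\b", re.I)

# Assumed topic keywords: map a ticket to the capability the business asked for.
TOPIC_KEYWORDS = {
    "file sharing": ("dropbox", "share", "file"),
    "remote access": ("vpn", "remote"),
    "software install": ("install", "extension", "plugin"),
}

REVIEW_THRESHOLD = 3  # assumption: three refusals on one topic triggers a review


def topic_of(text):
    """Assign a ticket to the first topic whose keywords appear in it."""
    lower = text.lower()
    for topic, words in TOPIC_KEYWORDS.items():
        if any(w in lower for w in words):
            return topic
    return "other"


def policy_friction(tickets):
    """Count policy refusals and circumventions per topic; list topics due for review."""
    refused = Counter()
    circumvented = Counter()
    for _tid, text in tickets:
        topic = topic_of(text)
        if BLOCKED_RE.search(text):
            refused[topic] += 1
        if CIRCUMVENTED_RE.search(text):
            circumvented[topic] += 1
    # A topic is reviewed when it is refused repeatedly or when someone worked around it.
    review = sorted({t for t, n in refused.items() if n >= REVIEW_THRESHOLD} | set(circumvented))
    return {
        "refused_by_topic": dict(refused),
        "circumvented_by_topic": dict(circumvented),
        "review": review,
    }


if __name__ == "__main__":
    result = policy_friction(SAMPLE_TICKETS)
    for topic, n in result["refused_by_topic"].items():
        print(f"{topic}: {n} refusal(s)")
    print("topics due for policy review:", result["review"])
```

The output is a metric in the sense used above: the count of refusals per topic is the feedback, and a topic that is refused repeatedly (or quietly worked around, as in the Dropbox ticket) is the signal that the policy, or the solution offered with it, needs revisiting.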

So what happens if my policies are circumvented? Well, aside from implementing a dictatorship, asking your IT support and security teams for ways to look for holes would be a first step. They may also provide information on technical solutions such as infrastructure monitoring to provide metrics.

Now this is by no means a comprehensive list; context is required to devise a suitable approach and effective solution. But let it be known that, unchecked, ineffective policies lead to a divisive environment ripe for abuse. Change is possible, and assistance can be provided by starting one simple constructive dialogue.

In the next blog we will discuss policy development.



Online dating at the organisation’s expense – covered by your InfoSec policy

A few months after the sensational Ashley Madison data breach, another dating website has been breached. Members of Beautiful People have their personal details floating around on the internet.

Previously undisclosed intimate details such as sexual preferences and orientation will have a social impact on the unfaithful and close family members. Personal impact has serious consequences spanning beyond financial impact such as strained family relationships, reputational damage and adverse health consequences (eg: stress).

Organisational policy is there to ensure that staff behave in line with organisational expectations. Just as staff are not allowed to take bribes or turn up intoxicated to work, staff are expected to ensure that their behaviour online does not tarnish the organisation’s reputation. When allowing personal use of corporate systems, organisations must consider the external impact of the staff member’s actions.

An organisation’s security policy must reflect the level of professionalism expected by senior management and importantly their customers. Policy, communication, education, transparency (and incident response/public relations) must be in place to protect all parties involved.

After all, staff that behave badly are a reflection on the organisation as a whole.

Operations security (OPSEC): part of a balanced organisational security awareness diet


  • The goal of OPSEC is to limit the adversary’s capability to gather information about individuals or the organisation
  • Implement OPSEC just as you would for controls
  • Assess whether OPSEC could aid your existing information security program.

Authentication based on something you know is the easiest and cheapest way to prove someone’s identity; however, it is also one of the easiest to defeat. With personal privacy not being as private as it used to be, it is hard to establish a universal authentication system based on something you know.

In the age of mass surveillance, social media and the Internet of Things (IoT) track individuals and record secrets. Continuous changes to social media features and IoT devices gathering detailed information make maintaining a high level of privacy a challenge. Criminals motivated by personal gain leverage lapses in privacy to exploit organisations relying on weak authentication and clean out innocent victims.

The absence of a suitable technological solution (at the moment) makes the security of something you know rest solely with the subject.

This is where Operations Security (OPSEC) comes in.

Operations security conditions individuals to think about limiting the information that they disclose to the public. The military and other clandestine groups have employed OPSEC for many decades now, and it serves to limit the effectiveness of reconnaissance on individuals.

Considering that offensive teams such as penetration testers and social engineers leverage intelligence gathering as one of their first stages, information starvation would limit or prolong the opportunity for a successful ‘attack’.

Incorporating OPSEC into organisational security awareness does not require staff to undergo military style training, instead consider:

  • is there a gap that OPSEC could address (eg: organisational or private use of social media, job listings, etc)
  • the level of detail the program will cover. This needs to strike a balance between practicality, freedom and security.

Two examples where OPSEC in security awareness would be valuable include:

  • Compartments – defining boundaries between professional and private or segmentation within professional ie: secret vs internal
  • Need to know – Do you *have* to communicate this information? Is it necessary for them to function? Could the information be used against the individual or organisation? For example: security questions/password reset, does your online trader need to know your date of birth?

Before OPSEC can be deployed throughout the organisation, there are some considerations:

  • OPSEC augments information security and should be part of an existing security awareness program
  • OPSEC may not be for everyone; some specific groups will benefit from OPSEC more than others
  • Does the culture of the organisation allow for OPSEC to be implemented? Will staff allow their organisation to interfere with their personal lives?
  • People are human, mistakes happen. OPSEC serves to limit the fallout.
  • OPSEC is expensive, not only financially: continuously maintaining good OPSEC is quite hard to do.

There may be some debate as to the effectiveness and application of OPSEC; however, a successful campaign could give an adversary a run for their money.

If you are running an OPSEC campaign in your organisation, I’d like to hear about it.


You are the weakest link…attacking the weakest link on a global level

When protecting a high value target, a single point of failure could be a catalyst for a catastrophic breach.

When securing multinationals, consideration must be made for the smaller subsidiaries. They are connected to the corporate network and as any good pentester can tell you, pivoting is a powerful concept.

Smaller subsidiaries may not have the same level of physical, network and endpoint security. Some subsidiaries may face different levels of threat: political, socio-economic, domestic instability.

A quick example is a UK multinational operating in Argentina, or a Taiwanese company operating in China: could there be repercussions?

On the other end of the spectrum, subsidiaries may not have faced the same level/intensity of threats as their parent company. Psychologically, citizens of what they see as a safe backwater nation maintain the perception that developed world threats are not of major concern.

It is important to note that security is a global effort, consider the threat level and adjust to it.

Importance of Trust and Security as Sales Differentiators

The world is embracing the golden age of knowledge. Delivery of information is approaching instantaneous, volume of data is increasing and the computation/conversion of data to human digestible information can be presented in many different ways.

Goods vs Services

During the industrial revolution, sales were based on goods. Now, sales are based on services and information.

The transition from a goods based to an information/knowledge based market has several major differences.

A goods based offering would usually involve a transaction with the delivery of a product. An information/knowledge based offering does not always result in a physical product.

QA processes, reliability and function are all traditional elements used to establish trust in a product. How does this all function in an information/knowledge based world?

With a physical product, the warranty and the length of time a company has been in service are indicators of the commitment of the company to its product. Reliability, service and QA are all criteria used to give consumers an understanding of the level of standard offered by the company. Longevity of the company underwrites the warranty, level of standard and performance/growth of the company. Naturally, poor governance, inadequate disaster recovery, etc. could bring a company down faster than you can say trust.

Some criteria are not as important, have a different meaning/context or are no longer relevant, such as installation, logistics and delivery times.

Whereas other criteria are new or have become very important, such as availability and response times.

As a result, an information/knowledge based offering will have a heavier dependency on several traditional consumer criteria.

While the list is not comprehensive, consumers will apply greater weighting to the following requirements when considering an information/knowledge based offering:

  • Value of goods
    The value of the good/service provided will determine the importance of all requirements. For small ticket items, the criteria aren’t as important as compared to a large, multi-year service offering. Further scrutiny would be made on a high value product.
  • Length of engagement
    Goods would follow a short engagement life cycle. There is the marketing to entice consumers to the product and once the product is purchased, the engagement ends (unless it’s a high value good, see below). With information/knowledge based services, there is a longer engagement as the consumer would subscribe to the service for the life of the information or until such time as the service is no longer required.
  • Consumer Risk appetite
    How dependent is the consumer on the good/service? If the consumer requires the service for their business or livelihoods, then further scrutiny would be made on the service.
  • Effectiveness of transition
    A company that used to be successful selling goods may not successfully transition over to the digital age (Borders and Kodak are two examples). How aware the organization is of its direction towards the new age is evident in their offerings and differentiators. More on this later.

Given key consumer criteria, it’s time to make the sale.

Selling in the golden age

All good sales people know that when you have competition, you need to differentiate yourself from your competitors. What is your unique selling point?

As mentioned, services and information are no longer physical, rendering lots of traditional sales criteria obsolete.

Some differentiators remain the same but in different forms.

As mentioned, a company which has been successful selling goods may not be as successful selling services/information. A company which is aware of this will be required to diversify to capture the market as well as build on the new market to secure and grow.

The New Business Road Test by John W. Mullins assesses a business opportunity and establishes if it is worth pursuing or if an existing opportunity is viable. The book goes into a lot of detail which unfortunately we won’t be able to cover here. It describes several domains for consideration, and one domain noted is found at the micro level. Two of the five questions to consider are:

  • Is there a clear and compelling benefit for the offering?
  • Are the benefits from the customer perspective different and superior in some way?

If a service offers no benefit to the consumer, or if it is no different to any other service, then your opportunity is not going to stand the test of time; the opportunity is over even before it started.

A service must be able to offer a clear benefit to the customer and/or be superior to any other offering from your competitors. The benefits are made up of some of the criteria mentioned previously, and the missing link is the differentiators that put your offering ahead of any competitors.

Understanding differentiators

Moving from a goods based industry to a service/information industry means a different set of differentiators.

Diversification is not without risk. Knowledge of the new market, identification of USPs and opportunities in the new market, and so on, will lead to a solid footing in the new market place.

Just because you might be good at executing and meeting customer demands, it doesn’t mean that it will be the same for eternity; look at Borders, Kodak, etc. Their failure to successfully transition led to their downfall. As consumers no longer want the pain of managing their resources in a time poor society, they turn to offerings which ease their pain; this is where services and convenience come in.

OK, even if an organization has transitioned, their competition will seek ways to meet consumer demands, and therefore other criteria are required to differentiate themselves as an organization with a superior and competitive offering.

What makes your offering better than the competition? That difference is called a differentiator.

Trust and security as two powerful differentiators.

All your competitors have met the basic consumer requirements, now what? Products are no longer physical; there is nothing to physically show that an offering is superior. How does an organization show it is superior?

This is where trust and security come in.

An organization must now prove that it is even more trustworthy than its competitors.

  • How does a customer know that they are getting value for money for a particular service?
  • How does a customer know that the organization they are dealing with will be there for the long haul?
  • How does a customer know that the organization will be there for their business or livelihoods?
  • How does a customer know that the organization’s offerings are future aware?

To answer these questions, consider the following as differentiators:

  • Trustworthy, otherwise the deal is not worth the paper it’s written on. Remember, there is no physical element, the deal better be good for the long haul.
  • Secure, if your business or livelihood relies on confidentiality, privacy, integrity, you expect that the organization you’re dealing with also does the same. Your customers do not care if your service provider is not up to par, your customer is dealing with you and therefore the buck stops with you.
  • Transparent, the last thing you want is an organization beating around the bush or worse still, covering things up.
  • Assurance, has the organization been assessed by others to ensure that what they are doing is in line with what other professionals are saying? After all, a second pair of eyes is not a bad thing.

If you are running a service, your competitors are competing on cost and offerings, but are they in line with what your customers are asking for?

Aligning Security with the business: Recent News


  • Recent surveys show that CxOs lack appreciation for CISOs
  • It is up to us as InfoSec professionals to show the importance and value of integrating security with the business

Security is a cost…heard that one before? This is the primary goal of this blog: to change this mindset to ‘Security is an investment’.

It is hard to show how security has saved an organisation’s bacon, after all, if nothing happens, everything must be fine…right?

Let’s put this into perspective:

  • Traditionally, businesses depended on IT solely for day to day in-house functions. Now, it is required for new/modern functions such as business intelligence/strategy, R&D/innovation, data warehousing, marketing, etc. This changes IT dependencies within a business from ‘just a tool’ to core business functions; entire departments are created through information technology.
  • Information is a valuable commodity, just ask the NSA or a competitor.
  • Information is freely and easily accessible to all, anywhere, at any time. This increases both perceived and actual anonymity and educational standards in everyone.
  • As long as an organisation is valuable, there will always be malicious financially motivated threats: espionage, extortion, etc.
  • Information security is about maintaining the CIA: Confidentiality, Integrity and Availability of information.
  • As an adversary, carrying out a threat and disrupting the CIA by obtaining or destroying something of value has never been easier.

C-level executives need to understand that the above points outline the current situation in information security.

Now for the evidence showing otherwise:

A recent survey shows that CxOs have a lack of appreciation for CISOs.

One piece stands out, quote:

More than half of the C-suite executives in the survey said that CISOs provide valuable guidance on cybersecurity matters. However, they also felt that their CISOs did not possess enough broad awareness of organizational objectives or business needs to deserve a place at the leadership table.

This just reiterates the importance of getting security functions aligned with the business.

Adding to this is the fact that C level executives are not aware/don’t believe that cyber security is a priority. Homeland Security in the US thinks otherwise: C level execs need to know that information security is a business issue.

Just as we are good technically, we also need to be proficient on a management level (or get a CISO that is!). Being creative and providing ways to show that information security can provide a return on investment for the business is key to helping change this mindset.

The Business as Stakeholders


  • The business must be involved as stakeholders as they are the owners of the data
  • The business must be made aware not only of the risks but also of the quantified fallout
  • Financial, productivity, competition losses, legal or compliance violations are terms that the business understands
  • Any pitch must be at the CxO level in order to filter down to the business

It is easy to throw blame at the business for going out and acquiring systems without IT input however, if the business does not know who to contact to help with the selection process, what are they to do?

Like a high visibility vest, security people must be visible in order to provide protection. You want to be there for the business rather than have them come to you when it is too late.

Any security program must work with the business for a number of reasons:

  • Applicability: does the business require a particular security control/countermeasure? (You would find out through a risk assessment, but it also shows that you understand the business and that they are more likely to work with rather than against you.)
  • Practicality: will the security control hinder productivity? (If it does, the business may complain or, worse still, reject/counteract the control.)
  • Metrics: the business will be able to provide constructive feedback; this way you can gauge the effectiveness of a countermeasure
  • Consequence: explaining the consequences of a failure in business terms will help them better understand the importance of the security program

As an example, metadata in public documents can provide information about the internal structure of an organisation, which can lead to targeted attacks.

Explaining to the CEO:

  • what information disclosure is and how it occurs
  • a case study: his/her login details can be found in a public PDF, which can lead to an attacker being able to social engineer a password reset and access the CEO’s email and latest financial statements via VPN, is a potential risk (this is also another way of obtaining funding for two factor VPN)
  • that this will lead to a loss of business confidence and of the CEO’s privacy, and could be used against him in the future…
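The defensive counterpart to the case study above is a pre-publication check on the documents the organisation releases. The following is an added example, not code from the original post: it parses the Info dictionary of a constructed PDF, flags fields that would disclose an internal login name, an internal file path or the authoring software, and blanks those fields before the file goes public. The sample document and the list of internal account names are constructed; the parser only handles literal `(...)` strings in the Info object, not hex strings or XMP metadata, which is a deliberate simplification so the example stays self-contained.

```python
"""Pre-publication metadata check for PDFs (added example, not the post's own code)."""
import re

# Constructed sample: a minimal PDF whose Info dictionary carries the kind of
# detail the post warns about. In the file the path reads C:\Users\jsmith\...
# (PDF literal strings escape a backslash as two backslashes).
PDF_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (C:\\\\Users\\\\jsmith\\\\Documents\\\\Q3 results.docx)"
    b" /Author (jsmith) /Creator (Microsoft Word) /Producer (Example PDF Printer) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Constructed list of internal login names (assumption: exported from the directory).
INTERNAL_ACCOUNTS = {"jsmith", "ceo.office", "finance01"}

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string), allowing backslash-escaped characters inside the parens.
STRING_ENTRY_RE = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")
PATH_RE = re.compile(r"[A-Za-z]:\\|\\\\[\w.-]+\\")  # C:\... or \\server\...


def _unescape(raw):
    """Minimal PDF literal-string unescaping: \\( \\) and \\\\ are the cases needed here."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def _info_object_span(data):
    """Return (start, end) byte offsets of the Info object's body, or None."""
    ref = INFO_REF_RE.search(data)
    if not ref:
        return None
    num, gen = int(ref.group(1)), int(ref.group(2))
    start = re.search(rb"(?<!\d)%d\s+%d\s+obj\b" % (num, gen), data)
    if not start:
        return None
    end = data.find(b"endobj", start.end())
    return (start.end(), end) if end != -1 else None


def pdf_info(data):
    """Extract the string-valued entries of the Info dictionary as a dict."""
    span = _info_object_span(data)
    if span is None:
        return {}
    body = data[span[0]:span[1]]
    return {k.decode("ascii"): _unescape(v).strip() for k, v in STRING_ENTRY_RE.findall(body)}


def publication_findings(info, internal_accounts=INTERNAL_ACCOUNTS):
    """List the reasons a document should not be published as-is."""
    findings = []
    author = info.get("Author", "")
    if author.lower() in {a.lower() for a in internal_accounts}:
        findings.append("Author field is an internal login name: " + author)
    for key in ("Title", "Subject", "Keywords"):
        if PATH_RE.search(info.get(key, "")):
            findings.append(key + " field contains an internal file path: " + info[key])
    if info.get("Creator"):
        findings.append("Creator field names the authoring software: " + info["Creator"])
    return findings


def scrub_info(data):
    """Blank every string value in the Info object without moving any bytes.

    Each value is replaced by the same number of spaces, so an xref table in a
    real file still points at the correct offsets after the scrub.
    """
    span = _info_object_span(data)
    if span is None:
        return data
    body = data[span[0]:span[1]]

    def blank(m):
        prefix = m.group(0)[: m.start(2) - m.start(0)]  # "/Key (" exactly as written
        return prefix + b" " * len(m.group(2)) + b")"

    return data[:span[0]] + STRING_ENTRY_RE.sub(blank, body) + data[span[1]:]


if __name__ == "__main__":
    info = pdf_info(PDF_SAMPLE)
    for finding in publication_findings(info):
        print("FINDING:", finding)
    print("after scrub:", pdf_info(scrub_info(PDF_SAMPLE)))
```

Run against the sample, the check reports the author field (a login name), the title (a local file path revealing the user’s profile folder) and the creator application; after `scrub_info` the same document yields no findings and is exactly the same length as before.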

By pitching this to the CEO, he/she is aware of the risks and losses, can help you obtain the resources required for the security program, and can help leverage your way to send out the security message throughout the organisation.

The importance of strategy, metrics and KPIs


  • Security has always been and will continue to be a moving target
  • Information Security has always been and will continue to be a fast moving target
  • Doing ‘security by audit’ only fails. Security strategies are required to adapt to new threats.
  • Strategy, metrics and KPIs must be available and flexible enough to adapt to changes in the business

There are people out there that may remember this:
Centralised computing (Mainframes) -> Client/server computing -> Centralised computing (Data centres/virtualisation) -> Decentralised computing (Cloud)…

During each stage, information has shifted back and forth between computing models and business boundaries.

What has always been at the core is the ability for any information security discipline to identify and secure this information wherever it may be.

There are organisations that are at the cutting edge and there are some that still use mainframes.

If the organisation’s security strategy is to ensure that all systems are behind a perimeter, yet data is in a 3rd party cloud, the strategy is destined to fail.

This is one of the reasons why organisations only doing ‘security by checkbox’ continue to get compromised. Iterations of audits/standards must consider change in order to keep pace with the current threat environment. Ticking checkboxes can only provide you with a *baseline* level of security.

Security gaps appear between the last checkbox review and new developments from the adversary.

Strategy, or to be precise, information security strategy, is designed to ensure that information remains secure, agnostic of business/computing model.

Strategy should consider and respect the basic security tenets: CIA triad, need to know, data at rest/transit, etc…

Metrics are used to gauge what the current state of play is. Nothing complex, just plain and simple information. Items of interest include: computing equipment, applications, data and associated classifications, etc.

KPIs are used to ensure that any program being implemented meets or exceeds the intended level of protection, e.g. ‘strength’ of countermeasure, level of compliance, effectiveness/penetration of policy, etc. This is continuously reviewed based on the security strategy/scope, i.e. if the strategy/scope changes, the KPI changes.

As a specific working example (don’t implement to this level of detail; it should be at a higher level):

  • Strategy: ensure that the passwords remain secure and only accessible to me and another person, passwords are to be kept in a centralised location and not transmitted over the wire, etc…
  • Metrics: Who has accessed it? How many times has it been accessed? Number of attempted breaches? Number of successful breaches? etc
  • KPI: Has there been any attempts to gain unauthorised access to the passwords? How long did it take for the breach to be reported? Was it handled promptly and closed?
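To make the strategy / metrics / KPI split above concrete, here is an added example (not code from the original post) that computes exactly those metrics and KPIs from a password-vault audit log. The log format, the list of people authorised to read the secret, and the reporting and closure SLAs are constructed assumptions; the log lines are constructed, not real data.

```python
"""Metrics and KPIs from a password-vault audit log (added example, not the post's own code)."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Strategy (assumption): only these people may read each secret.
AUTHORISED = {"prod-db": {"alice", "bob"}}
# KPI thresholds (assumption): how quickly a breach must be reported and closed.
REPORT_SLA = timedelta(hours=2)
CLOSE_SLA = timedelta(hours=4)

# Constructed audit log, not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:05Z vault ACCESS user=alice secret=prod-db result=success
2024-03-04T09:13:44Z vault ACCESS user=bob secret=prod-db result=success
2024-03-04T10:02:11Z vault ACCESS user=mallory secret=prod-db result=denied
2024-03-04T10:02:30Z vault ACCESS user=mallory secret=prod-db result=denied
2024-03-04T10:05:00Z vault ACCESS user=mallory secret=prod-db result=success
2024-03-04T11:40:00Z vault INCIDENT id=INC-7 secret=prod-db reported_by=alice
2024-03-04T13:10:00Z vault INCIDENT id=INC-7 secret=prod-db status=closed
"""

LINE_RE = re.compile(r"^(\S+) vault (\w+)\s*(.*)$")


def parse_line(line):
    """Parse one log line into (timestamp, event kind, field dict), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return ts, m.group(2), fields


def _authorised(fields):
    return fields["user"] in AUTHORISED.get(fields["secret"], set())


def vault_metrics(log_text):
    """Metrics: plain counts of who accessed what and how the attempts ended."""
    accesses = Counter()
    attempted = succeeded = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] != "ACCESS":
            continue
        _, _, f = parsed
        if f["result"] == "success":
            accesses[f["user"]] += 1
        if not _authorised(f):          # any unauthorised attempt, denied or not
            attempted += 1
            if f["result"] == "success":
                succeeded += 1
    return {"accesses_by_user": dict(accesses),
            "attempted_breaches": attempted,
            "successful_breaches": succeeded}


def vault_kpis(log_text):
    """KPIs: was there an unauthorised attempt, and how fast was it reported and closed?"""
    first_unauth = reported = closed = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, kind, f = parsed
        if kind == "ACCESS" and not _authorised(f):
            first_unauth = first_unauth or ts
        elif kind == "INCIDENT" and "reported_by" in f:
            reported = reported or ts
        elif kind == "INCIDENT" and f.get("status") == "closed":
            closed = closed or ts
    time_to_report = reported - first_unauth if first_unauth and reported else None
    time_to_close = closed - reported if reported and closed else None
    return {
        "unauthorised_attempts": first_unauth is not None,
        "time_to_report": time_to_report,
        # None when nothing needed reporting; False when a breach went unreported.
        "reported_within_sla": None if first_unauth is None
        else (time_to_report is not None and time_to_report <= REPORT_SLA),
        "time_to_close": time_to_close,
        "closed_within_sla": None if reported is None
        else (time_to_close is not None and time_to_close <= CLOSE_SLA),
    }


if __name__ == "__main__":
    print(vault_metrics(SAMPLE_LOG))
    print(vault_kpis(SAMPLE_LOG))
```

The metrics are deliberately just counts; the KPIs are the judgements made against the strategy (who is allowed in) and against a target (the SLAs). Change the strategy, for instance by adding a third authorised user, and the same log produces different KPIs without any change to the metrics code, which is the point made above about KPIs following the strategy.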

Without the above, adapting security to a changing environment is an extremely difficult task.

What makes for a well oiled security strategy


  • CIOs/CISOs need to be able to determine and provide a unified communication strategy to other CxOs and staff outlining what needs to be protected, risks associated and how to mitigate these risks.
  • Security efficiency is achieved by integrating security as much as possible into normal business functions.
  • To measure the effectiveness of any security program, it must be measurable
  • Scope, timing, statistics and integration are required.

As in all good security conscious organisations, you have security policies, security software, procedures, etc. That is all well and good, but how effective is it?

Coming from an incident response/project management background, every task is quantified; hence (aim), scope, timing and statistics/metrics are extremely important. Integration ensures that there is no disjoin between the business and security functions; this also avoids missing out/overlooking security tasks.

The CIO/CISO is steering the security ship: communicate to other C level executives and get their support to communicate to other staff.

Aim needs no introduction, for completeness, the aim is to protect the organisation’s assets by identifying risk against the assets and developing measurable strategies to ensure that the exposure is reduced in the shortest period of time.

  • To understand the impact of the situation and to reduce resource utilization in critical situations, scope is very important: what assets are you trying to save/protect? Prioritise what is critical to the business. This also has the added benefit of getting everyone on the same page, by knowing that information staff handle should also be protected accordingly.
  • Timing is critical. Timing is used to test how long it takes before a threat is detected, to see how long it takes to break into a system, the time to mobilise incident response teams and to neutralise any threat, determining resource consumption/availability, etc.
  • Statistics/metrics are used throughout to determine if a response has a positive effect; milestones are used to determine when to stop neutralising a threat and assist with the next course of action, mark how far a system has been compromised before detection, etc.
  • Finally, much of this should be integrated/embedded into the business, ideally through an existing business function such as system life cycle management, asset management, incident reporting, etc.

If we relate this to a racing team we have the following:

  • Aim: to win the race
  • Scope: only dealing with cars and not trucks etc., prioritise on improving the performance of the car, provide constructive feedback to the driver, etc…also each discrete unit performs a well defined, unique task
  • Timing: it’s a race, quickest team wins, how long each component/process/team is taking
  • Statistics: How fast is fast? How do you know you’ve improved? Where can you improve?
  • Integration: This is what makes the team, every discrete unit works together with a common goal.

What is the end result:

  • business intelligence gained from this can be applied to other disciplines eg: strategy/planning, project management, forecasting/projections, etc thus delivering tangible benefits to the organization
  • business agility can be achieved as changes can be implemented quickly and effectively
  • risk assessment/planning
  • from a security point of view, security visibility will improve, anomalies will be easier to detect, posture is easier to assess, and security functions become simpler to deliver

In the upcoming blogs, we discuss a working example where this can be integrated.

Security is a balance between offence and defence.


  • How do you know that your defences are good if you don’t test them?
  • What lengths would your adversaries take to compromise your systems?
  • Adopt the same offensive mentality as your adversary in order to test your defences

You have your security strategy, you know (most of*) your threats/vulnerabilities, you have implemented a top-down, well oiled security program: policies, procedures, processes, technology, etc. You’re now safe…


As mentioned in a previous blog, security must be tested either by you or by your threat.

The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)

Let’s be ignorant and ask a few questions:

  1. How did they get through our defences?
  2. Why did it take so long for them to be detected?


Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?

This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.

From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.

Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.

A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside of the square to find ways to get in; this is where innovation is practised.

Back to answering question 1: to be a good security professional you have to think like *the* threat, the adversary, a pen tester, in order to minimise the risk of a threat compromising your organisation.

As for the second question, it is obvious that the adversary was not detected at the time of entry, and that raises other questions: how well oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?

To answer this, you need to put your defensive hat on…