Security 101 Series – Volume 1


Hello again my old friends!

Since my last post https://www.linkedin.com/pulse/career-20-don-ward/ I’ve been keeping my head down below the parapet as I’ve focused all of my efforts on all things security including Cyber.

I’ve also been given an ear bending (aka nagging) from my fellow blog founders (Graeme cough cough) to put out more (giggedy – I mean blogs) so it’s time to surface once again.

Standard caveats apply to this post in that these are my opinions at the time of writing, subject to change and do not necessarily reflect the same opinions of my current or past employers.

Since joining my new organisation Atos as a principal Cyber Security Solutions Architect, the learning curve has been massive and the experiences I’ve gained already have made quite an impression on me. So allow me to begin to talk to you about them and maybe shed some light on the Cyber Security world. I’ll post more of these blogs as a series if it’s well received because, to be honest, it would be a VERY long blog post otherwise. I feel as though my eyes have been pulled wide open since stepping up into Cyber Security and I’ve a lot to say about it too.

Most of you reading this are more than likely going to be Solution Architects, Tech Architects or guys and girls at the sharp end of operations or a specialty within virtualisation, because you’ve come through our blogsite vMusketeers, of which I’m a founding member – points at Kim Bottu waving finger (private joke). My intent is for you to get outside your comfort zone in your chosen virtual world and skill set, and the reasons will become clearer later.

Admit this to yourself: these are/were probably your highest priorities in your day to day job.

  • Keep the infrastructure up and running
  • Keep it patched
  • Keep things licensed
  • Keep it performing
  • Back it up now and again 😉
  • Restore something you broke or someone else did (honest guv wasn’t me)
  • Look at new features, test, plan for deployment upgrades etc (also known as a wish list as you never get budget)
  • Make sure workloads are doing what they should be or at least try and figure out what your monitoring dashboards are trying to tell you through the mountain of white noise
  • Onboarding/offboarding services
  • Pulling your hair out due to some idiotic management request that blatantly can never be achieved on time, on budget, with no support and/or tooling to do it with.
  • Maybe some security related items like firewall requests, locking down a VM/ESX host and mooching around with some permissions and roles.

There’s nothing wrong with the above as that’s just life in IT, but my point here is that security used to be something that came last, or even if it was looked at, it was never really given the full attention it deserved.

People will have you think that when an infrastructure was designed prior to deployment, they (the salesman, architect and/or service provider) would have gone through security in fine detail and covered all their bases.

It’s been my experience that this is not always the case. From a green field point of view the focus normally sits around where the workloads are going, i.e. cloud, hybrid, on-prem, as well as what the costs are to run tooling, workloads, licenses, costs, costs and more costs. In the dark days security was also an expense that people really didn’t want to invest in or chuck too much money at, due to the perception that it’s just another OPEX cost and it’s just a firewall and a few antivirus licenses, right? If you said yes then give yourself a kicking and read on.

My opinion is that the reality of the pre-sales/sales world is that in order to win business, nine times out of ten it’s always going to boil down to costs versus meeting all the requirements, lightly sprinkled with some relationships between client and salesperson, and in more cases than not security is usually the thing that kinda gets left out or bolted on at the end. Obviously if the cap fits then wear it; this is a generalist opinion of mine but I will stand by it, and there is a point to what I’m writing.

And here it is, my point, and you’ll hate me for saying it. The best thing to happen to the cyber security and security industry in general, particularly in the EU, is GDPR. There I said it so bite me! Why? Simple reason is that there are very real and tangible reasons to get security to the forefront of the C-level execs’ minds, as they don’t fancy losing all their profits and subsequent bonuses as a result of not investing in their security posture and technical controls. You can no longer avoid security.

Yes, there has always been legislation regarding data security with a few slaps on wrists now and again, but GDPR really has some teeth now and people are treating it seriously. Combine this with the amount of media exposure and industry gossip, and of course every man and his dog selling GDPR aligned vapourware/services, and the end result is that security is now front and centre not only in the Sales/presales/architect’s minds but also for the hardworking engineers keeping the cogs turning too.

So is that it then? Nope, not even close. Once you open the security door it will lead you into a new and VAST world you never knew existed, especially in the way you think as an Architect. Most of you/us may already have been doing some of the foundations of security without realising it to some degree. As an example of cross pollination, things like keeping storage system data online and highly available meets one of the security triad principles, which is “Availability”. The other two are Confidentiality and Integrity, for reference if you didn’t already know.

I think the biggest change for me was not to think about the technical controls too much now but to start thinking about the higher-level business focus. Start right at the very top and then work your way down, because security isn’t just about firewalls, it’s all about RISK.

All businesses will have varying levels of risk appetite, which should be formally documented. Risks inevitably drive policies and procedures handed down from CEOs to the end users, which they are required to adhere to. To support the policies defined, technical and administrative controls are implemented to mitigate risks and offset the impact of a risk turning into a reality.

If you get a chance, I’d encourage you all to spend some time looking at how to do a risk assessment and documenting it. I’ve added some suggestions below of what your table should contain as a bare minimum when you create one. I’ll talk about this more in another post.

  • What’s the risk identified?
  • What is the impact if the risk becomes reality? Think along the lines of the scope, i.e. what, who, how, when and how long does this event affect the business.
  • What’s the probability of the risk happening?
  • What is the tangible cost of impact, i.e. embarrassment, loss of revenue, cost of replacing systems etc etc
  • What is the cost to mitigate the risk, i.e. avoid it, reduce the impact or transfer the risk to someone else (think cloud/service providers/insurance)
  • What is the residual cost after mitigation has been put in place, i.e. cost of impact minus the mitigation cost.
  • Status of risk, i.e. Accepted, Open, Completed
  • Who is responsible, with a signature or acknowledgement and a timestamp
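To make the table above concrete, here is a small risk register that carries exactly those fields and applies the rules the post describes: residual cost is cost of impact minus mitigation cost, and an accepted risk must have a named owner and a timestamp against it. This is an added illustration, not code from the post or from the author’s employer; the risk names, costs and probabilities are constructed sample values, and the `exposure()` ranking (probability times impact cost) is an assumption added here to order the register, since the post lists probability and impact as separate columns.

```python
"""Minimal risk register built on the fields listed in the post.

Added illustration, not code from the post or the author's employer.
All risks, costs and probabilities below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

STATUSES = {"open", "accepted", "completed"}  # the post's status column


@dataclass
class Risk:
    risk: str                  # what's the risk identified?
    impact: str                # scope: what, who, how, when, how long
    probability: float         # 0.0 - 1.0, chance the risk materialises
    impact_cost: float         # tangible cost if it happens (revenue, replacement, ...)
    mitigation_cost: float     # cost to avoid / reduce / transfer the risk
    status: str = "open"
    owner: Optional[str] = None                 # who is responsible
    acknowledged_at: Optional[datetime] = None  # timestamp of the sign-off

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown status {self.status!r}")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        # Whoever says "no" puts their name next to the risk, so an accepted
        # risk without an owner and timestamp is rejected at construction.
        if self.status == "accepted" and (self.owner is None or self.acknowledged_at is None):
            raise ValueError("accepted risks need an owner and an acknowledgement timestamp")

    def residual_cost(self) -> float:
        # The post's definition: cost of impact minus the mitigation cost.
        return self.impact_cost - self.mitigation_cost

    def exposure(self) -> float:
        # Assumption added here: probability-weighted impact cost, used only
        # to rank the register. The post keeps the two columns separate.
        return self.probability * self.impact_cost


def prioritise(register):
    """Return the risks still awaiting a decision, highest exposure first."""
    open_risks = [r for r in register if r.status == "open"]
    return sorted(open_risks, key=lambda r: r.exposure(), reverse=True)


def sign_off(risk, owner, when=None):
    """Record that a named person accepted the risk, with a timestamp."""
    risk.owner = owner
    risk.acknowledged_at = when or datetime.now(timezone.utc)
    risk.status = "accepted"
    return risk


# Constructed sample register (hypothetical values, not from the post).
SAMPLE_REGISTER = [
    Risk("Unpatched hypervisor hosts", "All VMs on the cluster; ops team; days", 0.30, 250_000, 40_000),
    Risk("No tested backup restore", "Customer data; whole business; weeks", 0.10, 900_000, 60_000),
    Risk("Shared admin account", "Management plane; insiders; indefinite", 0.50, 120_000, 5_000),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.risk:28} exposure={r.exposure():>10,.0f} residual={r.residual_cost():>10,.0f}")
```

Run it and the register prints with the untested backup restore at the top, which is the point of the exercise: the numbers, not the loudest voice in the room, decide what gets looked at first, and anything left as "accepted" has a name and a date against it for the auditor.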

I HATED doing these assessments at the start as they feel mundane and just another chore amongst the many other activities an architect needs to do, but I’ve learnt very quickly that these are also extremely useful for planning and justifying a solution design.

So whilst these are boring to fill out, just remember the end goal is building a solution that you can fully justify with metrics, so that it will be hard for an exec to say no.

If they do say no, then they’ll need to put their signature next to the risk along with a justification, so that if it all goes wrong (which sod’s law says it will do) then their name will be the first point of contact if an auditor comes in and starts poking around. I can assure you that more often than not people’s egos will shrink and capitulate when faced with putting their head on the proverbial block.

That said, it’s also important to say that in some cases there is a justifiable reason to say no and either accept the risk, avoid it or in some cases transfer it to someone else, but it still drives the conversation and focus so that it was taken seriously in the first place.

So you’ve done a risk assessment, now what? Well, typically speaking a security mission statement and/or a policy would be written and signed by the CEO of the company. We had (still have) a saying in the army that shit rolls downhill. While this does not do any service to Security in terms of promoting it, you will get the idea that whatever the CEO decrees in terms of strategy or policy, everyone else will need to carry out activities to be able to meet the objectives and goals, but don’t forget that they also need to conform to law and subsequent regulations.

I implied earlier that security isn’t just about firewalls, it’s also about processes too. There’s no point in putting a bulletproof/hacker proof firewall in if you’re just going to let anyone from the outside world come in off the street and have a play with it, is there? It’s often the simple things that bring people down, especially when it comes to an insider threat.

So to round off this blog before I go on and on forever, let us part with a few takeaways and I’ll let you know what I’ll post in the next blog.

  1. Security is a vast and potentially overwhelming subject to learn and gain experience in, but oh my word is it interesting and rewarding!
  2. You will need help and education to even scratch the surface of the world that is security. I’m surrounded by experts with experience to spare and you should start building a similar network to work with and share.
  3. Remember that security is EVERYONE’S responsibility and problem.
  4. Forget about firewalls, think higher level i.e. what is it you are trying to protect and why?
  5. Security is no longer in the shadows – the spotlight is turned on to 11 and ignore it at your peril!
  6. Risk assessments and policy are going to be a big part of your lives
  7. Your adversary is likely to be highly intelligent, resourced and motivated to get what they want
  8. If they want to, they WILL breach your security eventually. No one is 100% safe. All you can do is piss them off and make it as hard for them as possible as well as make it long and painful.
  9. Security can be expensive but so are the consequences if you don’t invest time and effort in to it.
  10. Step outside your own bubble and get an understanding of how your role impacts upon the business’s security; you’ll be surprised at just how important you really are!

Next blog I might talk more about the security basics I think everyone needs to learn no matter their position in an organisation, and maybe talk about risk assessments in a bit more detail. I’d also like to hear from you, the reader, as to what you’d like to hear more about and what your opinions and fears are. Trust me everyone, we’ve not even scratched the surface on security in this post and there will be more to come.
