The illusion of being in control, part 1


Welcome to October Cyber Security Awareness Month.
Article 1: The illusion of being in control


P@ssport is a disruptive Cyber Barrier Risk Management Company focused on prevention, since an ounce of prevention is better than a pound of symptom mitigation. Huh, isn’t that proverb different? No, not for cyber security.

The reason I write about this is to bring awareness to the reader.
Not by telling you that threats are growing exponentially and targeting critical infrastructure such as government (source in Dutch), that the Department of Health and Human Services (HHS) Office for Civil Rights is heeding these threats and requires implementation of effective security measures under HIPAA, or that half of the Dutch population has not even heard of these threats (source in Dutch). This makes us wonder whether the other half, who are in the know, all work for the government and healthcare. For those that don’t, we would like to introduce the paradox of the current security systems. We got these systems for one purpose only: to defend ourselves against digital attacks.

Trust in defense measures

Coming from the Netherlands, we take great pride in building and protecting things, as we have done for centuries. As people living in this country we have been building dikes since the first or second century before (source in Dutch).

We even made the dikes part of our military strategy, the Dutch Waterlinie. But when the French attacked us in 1795, the water froze and the defenses were useless. Troops on ice-skates made of bone were quickly deployed to try to fend off the French, but alas, we lost.

Root cause analysis

So the trusted model, that our defenses were capable of fending off the enemy, rested only on the fact that no one looked at all the risk factors that could make the defense useless. Water freezing over is quite obvious, but still no one doubted the water defense mechanism.
Compare the Dutch troops on ice-skates with your current IT department and their advisors. They move based on the information they have, to intercept troops that have already invaded the land. See the different attack patterns as the treacherous ice and the vulnerabilities as holes in the ice.
Here we introduce more risks, because we have to cope with a landscape imposed on us: a barren, frozen wasteland, not capable of stopping the attacks.

Cyber risks and opportunities

Most managers see risks as challenges for their skills and believe that the actions they and their company have institutionalized in frameworks influence the results positively. When predictions have to be made about whether we are compliant with the upcoming General Data Protection Regulation, they tend to play down those cyber threats or just ignore them.
P@ssport sees this tendency standing in the way of achieving a goal, such as exploring new cyber opportunities like Big Data, Internet of Things or Mobility.

Cyber opportunities are not in tune with the ISO/IEC norms

The urge to follow suit with new cyber opportunities is so strong that new departments are set up, fed by business money and endorsed by Gartner under the title Bimodal IT. The “old” IT department is therefore the samurai, bound by codes and tradition (ISO 27001, ITIL, COBIT), and “shadow IT” is the ninja, actually moving into the dark and muddy waters of exploration on someone else’s infrastructure. Cloud and data center providers offer these new services to be integrated into your current operation.

Other viewpoints: how stakeholders are positioned

Depending on who is giving the advice, the viewpoint on opportunities and risk can be totally opposite:

Risk blissfully ignored

“Line-of-business leaders everywhere are bypassing IT departments to get applications from the cloud (also known as software as a service, or SaaS) and paying for them like they would for a magazine subscription. And when the service is no longer required, they can cancel that subscription with no equipment left unused in the corner.” – Daryl Plummer, Gartner analyst

Risk aware

“Pay-for-use was supposed to be one of the foundational tenets of SaaS but has rarely been offered because SaaS vendors want large contract lock in. SaaS vendors were also supposed to be agnostic to the end of quarter or end of year deals. Clearly, in my experience of reviewing hundreds of contracts a year, SaaS vendor salespeople behave just like their on-premise ancestors. The bottom line is: SaaS vendors will resist the move to ‘pay as you go’ because it will have a very big impact on their business model predictability.” – Robert DeSisto, Vice President and Distinguished Analyst at Gartner

Root cause

Here ice-skating is not even possible, since shadow IT refers to IT devices, software and services outside the ownership or control of IT organizations. This goes directly against the ISO/IEC requirements on ownership. So we have a workaround advertised by Gartner, and we ask our providers to be ISO/IEC 27001 certified as if exchanging cards and certificates will take away the root cause.
What are the requirements for cloud-based security management systems across the whole chain, so that the customer can check if they are in control?

What is lacking here is control, which is now based only on trust that the current defense mechanisms of those shadow IT providers are working as advertised.
Results-driven flexibility matters more than rehearsals, as explained during the Cloud Architect Alliance meeting when disaster hit (source in Dutch).

History lesson

The dangers that loss of control brings are summed up if we go back to the victorious French and their tactics:
The French military had a strategy that they used for the first half of the 20th century. Initially they focused on attack as the best form of defense. Looking down the barrel of a machine gun on the battlefield brought them great losses, and during World War I they changed to a purely defensive strategy.
This mindset was so strong that they built a fortification called the Maginot Line to keep the Germans out, whose sole purpose was to defend the borders from invasion. We learned from history that the Blitzkrieg had no problems with these fortifications, which therefore did not stop the attacks. So in effect the lessons they learned in World War I were the root cause that led to the downfall in World War II.

As strategic “frames” got entrenched in corporate policies, we still build electronic “dikes and Maginot lines” demanded by outdated policies, and are failing bitterly.
We all have reactive ice-skating troops delivering all kinds of reactive information about attacks that happened long ago, through a plethora of complex cyber security solutions. We modernized, but we are still skating, this time also into the cloud.

Focus on insider threats

Insider threats do not only come from the inside. A pattern has already been set up to compromise accounts, machines or even complete websites that deliver malicious programs, such as malware, ransomware or stealthy password-stealing programs, nicely situated on your computer. Some of these malware programs evaded antivirus detection in critical infrastructure for five years. Or take your current defense mechanisms, such as Cisco and Fortinet firewalls, which are exposed in the open after the NSA hack and which you need to patch, which is complex, cumbersome and also expensive. That is reason one why most companies are reluctant to do it, but there is another risk here. The patches needed are only supplied to those who bought the Cisco devices from an authorized dealer. So when an IT department, busy with costs, showed procurement two options, one from a Cisco VAR and one from a refurbished dealer that is cheaper with the same guarantee, and chose the latter, they will find themselves in the trenches and vulnerable.

Insider risks also come from the outside. Think of:

  • Managers working from home, seen as an insider threat when devices are compromised, yet the connection comes from outside the company.
  • Technical support from third parties on your internal assets.

Lessons learned

As strategic frames become entrenched, companies keep fighting the same way they did in the last “war”.
If the French had investigated and looked at their earlier war of 1795, the military would have known what the success factors were. The Dutch, too, trusted their defense built on dikes, just as the French did with their Maginot Line. Just as in real life, there is no single way in which an organization can reach that dynamic state of optimally balancing flexibility while still staying in control as the situation changes.

By adding more cyber opportunities we also create more external interdependencies.
The problem with this is that we put the emphasis on cyber defense specialization, making the ice-skaters better, quicker and more prone to environmental changes. We do this by giving them better equipment aimed at ice-skating, which needs special skills, but they still need the ice. The truth is that first-response emergency services are very important, but regulations and login procedures can become cumbersome and take away the effectiveness of the response. Training, hacking simulations and other disaster exercises are also good, but they do not take away the need to prepare the organization for when a failure happens. They are not a substitute for the true battleground these defenders may be exposed to in real life.

P@ssport says: don’t focus on specializations, because this hampers your company’s flexibility. This becomes a problem as the complexity of the chosen solutions (Big Data, IoT, mobility) increases, or when immediate changes in the network, account management or data transport are needed to increase profitability in the value chain.

To seize back control, instead of trusting current security mechanisms and certificates, you can no longer delay: the GDPR comes into force in 2018.

To show your board and shareholders that you are in control, we need to shift to more generalist architectures, and that is exactly what we have done with our Triple A switchboard.
This makes it easy for an organization to have a system of routines and conventions for ongoing activities. By adding our innovative ways of investigating whether your current cyber barriers are still effective across the whole cyber value chain, you can use our inspectors to combine compliance and audits and be confident that you are in control.

C. Northcote Parkinson once said, “Delay is the deadliest form of denial.”

In this way we help your organization create exciting cyber opportunities, new possibilities and future achievements, and we help you with WHY you should change instead of WHAT to buy NEXT while building upon old dikes and Maginot lines.
Have cyber embedded in your risk management procedure, and recognize new opportunities and new orientations on how to operate in a cyber environment instead of being hampered by IT security.

Hard figures on IT security

The IT market is growing exponentially. Market researcher Gartner says the money spent on IT worldwide is $2.77 trillion. Worldwide IT security spending for 2015 is $75.4 billion (million × million). According to IDC, the areas growing the fastest are security analytics/SIEM (10 percent), mobile security (18 percent) and cloud security (50 percent). Tech Republic produced a report, Transparency Market Research, in which the expectation is that the cloud security market will reach 12 billion (million × million = 12 zeros).
With this much money at stake, it can become reality that the risks are for your company while the profits land elsewhere. 100% security does not exist, yet the bill needs to be paid 100% in full…

The illusion of being in control

See it as follows:

A wave of burglars is coming into town. They aim for your windows. Recent research by Interpolis, a Dutch insurance company, found that 71% of burglars entered through an open window using ladders.
And this was as easy as child’s play.
So in the old defense days we put in motion detectors and infrared cameras, and for the most important rooms we have a person in the room 24/7. These are the same as your current next-generation firewall, next-generation endpoint protection, next, next… The burglar is already gone and only Sherlock Holmes actions can be set up, with all the costs that come with them: the cyber security cost calculator from FireEye shows 21 million dollars a year on reactive actions.

A smoking gun at the crime scene is found within minutes, while whole episodes are filled with how to find the person who did it.
The crime has been committed and the cyber crook is already gone. We will find that the device was vulnerable, that a report was delivered stating it should have been patched, and once again we look to an IT department that is already suffering from patch fatigue. This is still symptom mitigation.

Sadly, most small, mid-size and large organizations tend not to learn as much as they should from these massive data breaches. Far too many organizations (remarkably) still believe “it won’t happen to us.” The same can be said of individuals who need to change their online security settings, reset passwords or use two-factor authentication.
If you want to see whether your Yahoo account was hacked, see this video here.

What does P@ssport do

We take away the burglar’s ladder and its anchor points, and test whether your vendors, service providers and business providers are in control of your business-critical data. This matters because the EU General Data Protection Regulation will be effective worldwide in 2018, with great impact on operations, and states that fines can go up to 20 million euro or 4 percent of the company’s yearly revenue, whichever is greater. This is mandatory for all businesses in or outside the European Union, so worldwide, that either:
1. Offer goods and services to EU residents
2. Monitor the behavior of EU residents
Stack on top of that the reactive costs of maintaining the status quo, and it becomes clear that defense mechanisms invented in the 20th century alone will not be capable of conducting business in the 21st century. Or: you can’t fight a new war expecting the same results as the former one if you didn’t investigate the risks involved.

So if you want to maximize effectiveness and get the results you need to be in control, become effective so that you can conduct your activities with a minimum of waste; then you can become compliant and very quickly and reliably in control. By asking for our Cyber Barrier Inspectors, we help you gain control of your data processing activities. P@ssport is not bound to hardware or software vendors and has something the others don’t have: the experience of knowing what it is to be outnumbered and to be a reactive firefighter in the trenches.

That is the reason we don’t rely only on reactive countermeasures to stop the next cyber threats, but enable preventive cyber opportunities while keeping a flexible cyber approach to external environments, valuing innovation and integrating this into your organization’s incident and change management.

Don’t delay: come and see us and add a meeting request on how to become compliant! We are present at the Seaside Cyber matchmaking event on 14 October in Scheveningen, The Hague.

And give your cyber troops more leisure time to spend with their families instead of sifting through correlation reports on dreary weekends.

This is part 1 of a series written for Cyber Awareness Month, October 2016.

You can find part 2 here: Illusion of being in control, part 2: an ounce of prevention is worth a pound of response activity

Peter Rus
Chief Innovation Officer

P@ssport: can’t hack what you can’t enter

P@SSPORT B.V. | Keizerstraat 17 | 2584BA | Den Haag | KvK 63236257 |

Tel: +31 (0)70-7370471