How a CISO Can Use Home Field Advantage to Defeat Attackers

Summer is over and as fall starts to settle in, football season starts again. It was while reviewing my son’s upcoming schedule that he pointed out that some of the earlier games in the season are against teams with more skilled players. However, he quickly pointed out that those games are at home and that this would be a big advantage to him and his teammates. This got me thinking about how those of us tasked with defending our organization’s information assets prepare to tackle our adversaries.

There have been recent headlines about attacks that nobody would blame any CISO for, which makes us think that criminals had all the advantages on their side, guaranteeing a win. Those articles give us a constant stream of news highlighting recent security breaches in organizations, warnings about Advanced Persistent Threats (APTs), how attackers are easily circumventing security solutions and how users continue to compromise systems by clicking on links or attachments.

How CISOs Need to Play to Their Strengths

It was then that I thought that if a kids’ football team can look at how to play to their strengths to defeat their more skilled opponents, then CISOs should look to do the same. The biggest advantage a football team and a CISO have is that they always have home-field advantage.

Playing at home gives you many advantages over the opposition — you know where every bump and hollow is on the pitch. You know which end of the pitch is more favorable depending on the weather or which way the wind blows. You also have local resources to help support you.

We should look to those same advantages when defending our networks. The attacker has to learn how your network is connected together, where the valuable targets are in that network and how to avoid being detected by your security controls.

So if home-field advantage is such a plus, why are we reading about so many breaches? Are the attackers we face so highly skilled and sophisticated that we don’t stand a chance in competing against them?

It’s Often the Simple Mistakes That Allow Attackers to Breach Defenses

This is not the case. Yes, we do read many stories about sophisticated attacks and major breaches, but these tend to be rare. If we look into the details of these attacks, we find that it is often simple mistakes that enabled the attackers to breach the defenses, undermining any home-field advantage. Just as a sports team that is not operating as a well-oiled machine will lose, a security program that is not operating properly will fail.

The IBM Security Services 2014 Cyber Security Intelligence Index (Index) highlights a number of examples where the home team lost by not focusing on the advantages they had over the attackers. The Index analyses the data from attacks and security incidents from IBM’s worldwide security operations and provides great insight into the threats facing all organizations.

For me, the key takeaway from the report is that 95% of all incidents involved some form of “human error” as a contributing factor to the incident. In other words, if humans had not been involved, 95% of attacks would not have been successful. So what type of “human errors” contributed to these incidents? They include:

  • Users double clicking on links in emails or unsafe URLs
  • The use of poor passwords
  • The use of default user names and passwords
  • Lost laptops or mobile devices
  • Poor patch management
  • Misconfiguration of systems

The report also highlights how many companies are struggling to deal with the sheer volume of alerts their systems generate each day, if indeed they are monitoring those alerts in the first place.

Where Should a CISO Focus?

So it appears that instead of playing the home-field advantage and using all our resources to protect our systems, many organizations are not focusing on the contest at all.

Given the rising number of attacks, the greater connectivity and integration of systems and our businesses’ dependency on secure and reliable systems, we need to properly focus on what we are trying to achieve and make better use of the resources we have in hand.

To do this, we need to better engage the business and senior management so that they accept that information security risks are not just risks to the IT systems but are risks to the business. These risks need to be treated and managed the same as any other business risk. We also need to look at how to reduce the “human error” factor. This will involve the CISO engaging with the users and providing effective security awareness programs. These programs should not just focus on the end user, but also on those responsible for developing, implementing, managing and supporting our systems. This group needs to be made more aware of the risks against those systems and how they can better secure them.

As CISOs we will never fully reduce the “human error” factor, so we need to review how well we monitor our systems and whether or not we are monitoring the right systems, for the right events, at the right time. To do this, we also need to ensure we get timely, actionable and effective alerts so that any attacks are detected and dealt with quickly and efficiently.

Playing at home is a major advantage; let’s make sure it’s not undermined by neglecting to make the proper preparations before we take the field.

Brian Honan

CEO, BH Consulting

Brian Honan is an independent security consultant based in Dublin, Ireland, and is also the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3) and an adjunct lecturer on Information Security in University College Dublin. He is the author of the book ISO 27001 in a Windows Environment and co-author of The CSA Guide to Cloud Computing and The Cloud Security Rules. He is a regular speaker at major industry conferences. In 2013 Brian was awarded SC Magazine Information Security Person of the Year for his contribution to the computer security industry.