Feb 3, 2018

What, me hacker?

I spent week 4/2018 on EC-Council Certified Ethical Hacker (CEH) training. After over 13 years in a CSO position, looking at corporate security mostly from a governance and risk management perspective, this may not be the most obvious choice. Let me explain.

Last spring the Finnish Information Security Association awarded me CISO of the year 2017. As if the honor weren't enough, I also got a free place on a CEH course (sponsored by Arrow ECS). I postponed the opportunity for nine months, but decided to attend the training now before the offer expires. The course's normal price is 3,500€, after all.

I haven't been on a full week's training in ages. I think the previous time was in 2011 when I attended SABSA security architecture training. By the way, I got my first security certification, CISSP, 20 years ago. I attended the first ever CISSP training held in Finland, in 1998.

It certainly was an interesting (and tiresome) week. A huge amount of information and loads of hacking/auditing/pentesting tools, not to mention hands-on labs. The courseware had about 1800 slides and 20 hours' worth of labs. The instructor presented maybe one third of the slides at a quick pace, pointing out the most important stuff. The material was from 2015 and therefore a bit outdated, but the instructor filled in the gaps. The expectation was that after a nine-to-five day in the classroom, students would continue studying and doing labs at home in the evening. I spent an hour or two every evening browsing through the day's material and did some labs.

The following topics were covered:

  • Introduction to Ethical Hacking
  • Footprinting and Reconnaissance
  • Scanning Networks
  • Enumeration
  • System Hacking
  • Malware Threats
  • Sniffing
  • Social Engineering
  • Session Hijacking
  • Hacking Webservers
  • Hacking Web Applications
  • SQL Injection
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • Evading IDS, Firewalls, and Honeypots
  • Cryptography

I was surprised how well I still remembered network protocols, attack methods and basic auditing tools. It's been over 15 years since my consultancy days, after all, and more than 20 since I knew Unix security inside out. Of course, I follow information security threats, trends and technology closely all the time. Security expertise requires lifelong learning.

I expected that the course would have emphasized ethical questions more. It's CEH, not CH, right? The ethics of hacking was discussed briefly a few times, but not as thoroughly as one might have expected. The CEH code of ethics can be found here.

At the end of the week we had an opportunity to take the certification test. You have 4 hours to answer 125 multiple-choice questions and need to get 75% correct in order to pass. Here's a site where you can test your skills, if you will. Whatever certification test you are taking, I've found that practice tests are a very useful way to prepare yourself. You need to set your brain into the right mode and understand how you are expected to answer.

I finished the certification test in 1.5 hours and passed with a score of 93.6%. So, I'm a Certified Ethical Hacker now :-)

Don't worry. I'm not going after bug bounties. I'm leaving that to those with real hands-on skills. I had a fun week, though, and have even more respect for whitehat hackers who help organizations via bug bounty programs or responsible vulnerability disclosure.

However, next time I'm hiring a security auditor, a CEH certificate is not enough to impress me :-)

Dec 30, 2017

Information security state of the play

It's that time of the year again when information security predictions start pouring in. Many, if not most, of them are pretty uninteresting, since the world doesn't magically change with the new year. Predictions are also all over the place depending on who made them and what they are selling.

My favorite is the Information Security Forum's Threat Report, which is updated yearly and looks two years ahead. The report is mostly intended for business leaders and information security leaders (CSO, CRO, CISO, depending on your organization). I especially like that it's created by studying available research, interviewing experts and running several member workshops to discuss changes seen and expected in member organizations. The Executive Summary is available for download; the whole 50+ page report is for members only. (Full disclosure: I'm a member of the ISF Executive Board.)

Instead of making my own predictions (as if my 2010 predictions would need an update), I'm presenting how I see the current status of information security. By the way, in my vocabulary information security covers IT security, cyber security and digital security, if you fancy those terms.

User is not the weakest link

We humans are not rational decision makers who analyze pros and cons thoroughly. We mostly try to manage through the day (and IT challenges) with minimum effort, have lots of biases and are clever enough to work around (security) obstacles. It seems that IT systems and applications are often not built for humans. Since artificial intelligence is not here quite yet, we still need to consider users as part of the solution and build people-friendly systems. Hence, I like the design thinking and service design approach, if only information security were considered in those workshops.

Regular information security awareness training is required in order to promote secure behavior and build a good security culture. We don't want our users to be clueless either. I would also recommend that security practitioners study behavioral economics and psychology.

Most of information security is a byproduct of good IT governance

When you know and manage your IT assets properly and have basic information security tools and processes in place, you are in pretty good shape already. Have a good architecture, know your assets, make proper installations, have a rigorous change management process, make (and test) backups, patch your systems and keep user accounts up to date. You certainly need some security tools and processes: antivirus, firewalls, log collection and analysis for starters.

On top of that there is no end of additional security tools and services which you may consider based on your threat and risk estimation. You have to know what you are protecting and against whom, right?

Most organizations still have lots to do with these basics. It's hard to protect something you don't know about.

Information security is too important to be left just to information security experts

You may have started wondering where information security specialists are needed. Yes, all the basics shouldn't need any infosec experts. Architects, sysadmins and network admins worth their salt can manage most of it. Firewalls and VPNs are just network components; antivirus and log management are something any sysadmin can handle.

Information security specialists could be hired to promote security, evaluate risks, help with the trickiest cases, tackle the challenges of new technology and keep the management aware of the information security status. Remember, however, that it's not the CISO or the information security experts who secure the organization. Information security is part of everyone's daily work.

Many organizations have hired just one information security expert, called them CISO, and expect that one person to understand all of information security. That's impossible. Information security covers everything from cryptography to secure architecture to enterprise risk management. You can't expect one poor person to handle all of it. Think about categories: manage, design, implement, evaluate. Different roles and skills are needed.

Evaluate your service providers' information security promise and capabilities

More and more ICT is acquired from different service or cloud providers. From an information security perspective this is usually a good thing, since good security is the lifeblood of most service providers. You need to verify, though. Ask service providers to prove their capabilities. Security certifications, audit reports and a documented security promise for the service are a good start for evaluation.

Don't forget to have information security in the contracts as well. I recommend having your own security contract template ready and starting negotiations with it. Be flexible, though. Usually it's better to allow the service provider to follow its own standards and processes; just check that those are good enough for you. It's difficult to change the service provider's processes, and exceptions tend to be forgotten.

Go ahead with new technology, but understand your risks

There's a lot of technology innovation going on, and of course business wants to follow, trying out innovative ways to make use of new, often immature technology. However, the sad truth is that the innovation of information security tools and products has been and still is falling behind.

Business may and should innovate, but at the same time we need to understand the possibility of increasing risk. New business models and plans making use of new technology, cloud and apps simply have to consider information security risks. Crash test dummies have very limited use in organizations.

An old infosec dog is learning new tricks - constantly

I regularly see articles and posts demanding that information security experts stop being naysayers. I wonder where they have found those old-school security guys who deny everything? In my (fairly wide) circles all my colleagues have been business-oriented and forward-looking for years. Maybe it's time for some business people to see the light and be more open-minded about security-enhancing suggestions? Information security is about enabling business and managing risk.

Business buzzwords like agile, cloud, devops, experimentation, big data, design thinking, API-driven business and machine learning mean that there's no rest for information security experts either. We information security professionals must adapt to agility, insecurity, risk tolerance, openness, a user-oriented approach and continuous change.

In fact, information security practitioners should embrace new technology and trends. Think how to use them for better security instead of trying to delay the inevitable.

It's software, stupid

Everything is running on software, from critical infrastructure to cars and mobile phones. I'm amazed how weak the understanding of secure software development still is. It seems that many organizations are still relying on external audits after their software has been developed. Fixing bugs in production is 100x more expensive than in the planning phase. This is an age-old software development truth, but apparently not much cared about. If you don't think about security requirements already when sketching your software, you may burn your fingers, sooner or later.

Don't forget to demand secure software from your vendors as well; ask for evidence.

CISO on the board - not just yet

There is more and more noise about bringing information security expertise onto the company board or management team. Most of the noise is coming from the infosec people, of course. In my experience there are very few (shall I say forerunner) organizations which have raised the information security leader into the top management.

In my mind, being on the board is not mandatory in order to succeed as an information security leader. But it is mandatory to have regular dialogue with top management and business. Being at most one hop away from the CEO in the organizational structure is ideal.

Organizational hierarchy is not the key issue. It's critical that the top management shows its commitment to information security and that the information security leader has regular access to the top management. I believe that the information security leader's most important job is to keep the board and management team aware of information security status, risks and risk mitigation possibilities.

Good luck with 2018 and beyond

The current environment is very complex, with new technology, massive amounts of software and global connections. It's difficult, if not impossible, to understand and therefore also extremely hard to protect. Information security standards help, and regulation forces us to implement the security baseline. Let's make information security great again with good IT management, risk assessments, user focus, vendor evaluations, secure software development, constant learning and real commitment from the top management.

Jan 6, 2016

Threat Cloud 2016

It's time to check again what a word cloud would reveal from different security predictions without reading the actual predictions. There are tons of (cyber) security predictions available from different organizations. I'm using the predictions from the same organizations I used for the 2014 and 2015 word clouds in order to see the changes better: FireEye, Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, Trend Micro, WatchGuard and Websense.

The first word cloud is from the combined text of all predictions.

What's the conclusion from that? Mostly attacks against devices and data? Doesn't seem to differ much from last year. One change at least is that the word mobile is not visible as it was last year, but Apple is.

The second was created using only the headlines from each prediction paper.

Not much change. It's a bit clearer that the predictions included ransomware.

Some companies use "funny" headlines for their predictions (even a Star Wars theme) which didn't make sense without reading the full text. Some predictions were even positive (!), but since most were about threats I didn't bother to distinguish between them.

So, in summary, 2016 is predicted to bring us attacks against devices (IoT), more malware that takes the victim's data hostage, and Apple is expected to be a target.

Of course a word cloud brings out only the common themes, and lots of interesting threats are missed unless you actually read the papers. The problem is that I find many predictions biased, and threats are all over the place depending on who is making the predictions (and what solutions they are selling). I really would like to see a study analyzing different prediction papers and the connections between threats and the companies predicting them. Maybe even a study analyzing past predictions and their accuracy.

My favorite threat predictions come from the ISF; they are gathered from its members and analyzed by the ISF team. I must say that I'm biased here, since I'm sitting on the ISF Executive Board. I favored the ISF predictions even before that, though.

The ISF Threat Horizon 2017 executive summary is available for download; the full paper is free for members only. Here are the headlines for your convenience.

I advise you not to focus too much on threats and media headlines. Threat info just adds some spice to your daily security work.

Mar 9, 2015

Cyber security challenges

Cyber security is difficult. It’s actually so difficult that a few years ago the US National Academy of Engineering named securing cyberspace as one of the Grand Challenges of Engineering. Other challenges were e.g. providing access to clean water for everyone and making solar energy economical.

What makes cyber security so hard? There are several reasons. One is the complexity of networks and services. It is plain impossible for anyone to fully understand all the technologies, players, connections and code behind any important or popular service. Second is the irrationality of users’ behavior. We tend to think that people are rational, risk-calculating machines. Although we know that’s not the case, services are still designed on the assumption that users will make rational decisions and behave. The third reason is that economics doesn't work in favor of better security. The security level of software-based services is very difficult to explain and prove to users. The implication is that users won’t pay for better security, because they don’t see what they will get. That creates a well-known “market for lemons” problem, where it makes sense for vendors and service providers to implement just the minimum acceptable level of security.

It seems that there is an endless list of reasons for cyber security problems, but I’ll add just one more. The fourth reason is that software engineering is a very young science. We don’t understand well how to create quality software, not to mention secure software. Sometimes it seems to me that we are like kids playing with all the new and fancy technology, wanting it all right now without thinking of the dangers.

So, how to tackle these problems? I’m afraid that cyber security will go south for a while before it’s going to get better. The most important thing needed is an attitude change among consumers and vendors. Consumers shouldn't accept insecure products and services, and we should understand that there’s a price tag that comes with security. Vendors should make the security of their products and services user-friendly, visible and understandable. Security should be sold as an enabler and a protector of privacy. We’ll probably need regulation in order to get rid of the externalities and to speed up the process.

All our complex Internet services are based on code. It’s not just that Facebook page or cloud service; the whole Internet runs on code. All the devices connected to it run some code. Then we stack all these separately coded devices, components and products together to create some new service which the original developer never thought of. Hence our inability to create secure, quality software is a real problem. From my experience most developers would like to create good, secure code and many even know how to do it, but they have no time or incentives to do so. Universities need to start teaching how to create good, secure software for modern, complex environments. Organizations need to understand that coding security into services requires resources; it’s not just the user-visible features that matter.

We certainly need better security products and automation to protect complex software-based services from ever increasing threats. I’m worried that there seems to be a lack of security innovations. Technology innovations happen very fast horizontally and often also vertically, but security innovations happen at a much slower pace and most (if not all) of them seem to be horizontal innovations. We should have more non-security people involved in designing the security of products and services. We need views regarding human behavior, economics, user interfaces, etc. Cyber security is too important to be left just to cyber security experts. We also should aim higher than “just security” or even resilience. We should think about anti-fragile systems, systems that become more secure if someone tries to breach them.

Cyber security will stay a grand challenge for a long time. We need to understand that security can’t be isolated from technology, people, processes and organizations. We need to rise above technology and look at the bigger picture to build secure services. Cyber security will get worse before it gets better. We have taken the first step in the right direction, though, by understanding that it’s a challenge worth solving.

Jan 11, 2015

Consensus of 2015 security predictions

I find many security predictions unusable, uninteresting and often just pure marketing material or even misleading. Just for the fun of it, I still like to see the big picture of the latest predictions. As in previous years I got security predictions from ten different companies and, instead of reading them all, I just put all the predictions together and created a word-cloud from the combined text.
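
The combine-and-count approach described above, and the same method used for the 2016 threat cloud, written out as an added Python example (not code from this blog). It runs on constructed placeholder sentences with invented vendor names, not the real prediction papers, and its stop-word list is a minimal assumption. It goes one step beyond a plain word cloud: besides raw counts over the combined text, it ranks terms by how many vendors mention them, so one verbose paper cannot dominate the picture, and it diffs the top terms between two years the way the post does by eye.

```python
import re
from collections import Counter, defaultdict

# Constructed placeholder excerpts standing in for vendor prediction papers.
# Vendor names and sentences are invented for this example; they quote nobody.
PREDICTIONS_2014 = {
    "VendorA": "Mobile malware will steal data from devices; privacy concerns grow.",
    "VendorB": "Malware targeting mobile devices and data will dominate; privacy matters.",
}
PREDICTIONS_2015 = {
    "VendorA": "Data-stealing malware will target mobile devices and cloud data.",
    "VendorB": "Cyber attacks on Internet-facing systems will expose sensitive information.",
    "VendorC": "Malware targeting devices and data will increase; expect more cyber espionage.",
    "VendorD": "Attackers will chase valuable information, not just raw data, across mobile devices.",
}

# Minimal stop-word list (an assumption); a real run would use a fuller list,
# and probably stemming so that "target" and "targeting" count as one term.
STOPWORDS = {
    "the", "and", "will", "not", "just", "more", "on", "of", "to", "in", "for",
    "a", "an", "is", "are", "be", "expect", "across", "this", "that", "with",
    "from", "by", "as", "or",
}


def tokenize(text):
    """Lower-case, split on anything that is not a letter, drop stop-words and short tokens."""
    return [w for w in re.findall(r"[a-z]+", text.lower())
            if w not in STOPWORDS and len(w) >= 3]


def term_frequencies(papers):
    """Raw term counts over the combined text: exactly what sizes words in a word cloud."""
    counts = Counter()
    for text in papers.values():
        counts.update(tokenize(text))
    return counts


def vendor_coverage(papers):
    """Map each term to the set of vendors whose paper mentions it at least once."""
    coverage = defaultdict(set)
    for vendor, text in papers.items():
        for term in set(tokenize(text)):
            coverage[term].add(vendor)
    return coverage


def consensus_terms(papers, n=10):
    """Rank terms by vendor count, then raw count, then alphabetically.

    Returns a list of (term, vendor_count, total_count) for the top n terms.
    Ranking by vendor count first is what makes this a consensus view rather
    than a measure of which vendor wrote the longest paper.
    """
    freq = term_frequencies(papers)
    cov = vendor_coverage(papers)
    ranked = sorted(freq, key=lambda t: (-len(cov[t]), -freq[t], t))
    return [(t, len(cov[t]), freq[t]) for t in ranked[:n]]


def compare_years(previous, current, n=5):
    """Report which top-n consensus terms are new, gone and shared between two years."""
    prev = {t for t, _, _ in consensus_terms(previous, n)}
    curr = {t for t, _, _ in consensus_terms(current, n)}
    return {
        "new": sorted(curr - prev),
        "gone": sorted(prev - curr),
        "shared": sorted(prev & curr),
    }


if __name__ == "__main__":
    for term, vendors, total in consensus_terms(PREDICTIONS_2015, 6):
        print(f"{term:12} vendors={vendors} mentions={total}")
    print(compare_years(PREDICTIONS_2014, PREDICTIONS_2015))
```

On the constructed input the year-over-year diff reports cyber and information as new and mobile and privacy as gone, which is the kind of shift the post reads off the two clouds; with the real papers the vendor-coverage column is also the quickest way to see which single vendor is pushing a term nobody else mentions.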

I used predictions from the same companies as last year: Fortinet, Information Security Forum, Kaspersky, Microsoft, Sophos, Symantec, WatchGuard, Websense, Trend Micro and FireEye.

Here's the "consensus" word-cloud:

2015 security predictions (word-cloud image)

Compare that to last year's predictions:

2014 security predictions (word-cloud image)

A couple of observations. The big ones, as in the previous year, are data, devices, mobile and malware. There's a bit more focus on information now, not just data. In 2015 cyber is back. It was big on the 2013 list, but less so last year. On the other hand, privacy has disappeared. It wasn't big before, but at least it was there.

My summary last year was: Expect data-stealing malware attacks against all devices.

Since no groundbreaking threats are seen, my summary this year is: Expect attacks against Internet-facing (cyber) systems. The attackers are more likely to go after valuable information, not just raw data.

This year I also tried another approach. I created a separate word-cloud from only the topics of the security threats found in the predictions:

2015 security threats - topics only (word-cloud image)

Interestingly, from that picture, Internet of Things pops out. However, since the vendors often like to play with words when thinking of topic names and headlines, I find the full-text word cloud more interesting. Can't deny the security threat of IoT, though.

Feel free to make your own interpretations or, god forbid, read the individual predictions. You may also check this good summary of the 15 security predictions for 2015.

To me personally, the most useful security predictions document is the Information Security Forum's (ISF) Threat Horizon report. It's freely available only to members, and for others it's a bit expensive. However, the year-old Executive Summary of Threat Horizon 2016 is downloadable for free (requires registration). A new Threat Horizon 2017 should be out for members pretty soon now.

The Executive Summary of Threat Horizon 2016 shows this threat development according to the global member organizations of the ISF:

(Threat Horizon 2016 threat development figure)

Check also my word-clouds from previous years: Word-cloud of 2014 security predictions and Mother of all 2013 security predictions.