Not Secure, so what?
Andy Jenkinson
CEO CIP. Fellow Cyber Theory Institute. Director Fintech & Cyber Security Alliance (FITCA) working with Governments. NAMED AN EXPERT IN INTERNET ASSET & DNS VULNERABILITIES AND THREAT INTELLIGENCE
Our research using Whitethorn Shield typically identifies organisations with Internet facing Systems hosting weak encryption Protocols (such as SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2) and Cipher Suites built on weak primitives such as 3DES, MD5, SHA-1 etc. Organisations that are heavily regulated will have internal Information and Technical Security Policies and Standards as part of a wider organisational Governance, Risk and Compliance (GRC) and Enterprise Wide Risk Management Framework (EWRMF). When Not Secure, these organisations are targeted as rich pickings by cyber criminals who, armed with some knowledge, can use a scatter gun approach and hit as many Not Secure domains as possible. The list of those being successfully attacked is alarming, and a large proportion of those organisations are also found to be Not Secure at their Internet facing domains. There are no coincidences.
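As an added example (not code from the article or from the Whitethorn Shield product), the check below evaluates a constructed TLS exposure scan against a cryptography standard modelled on the list above; the hostnames, the scan line format and the rule that TLSv1.2 is only acceptable with forward-secret AEAD suites are assumptions made for the example.

```python
"""Assess an Internet facing TLS scan against a cryptography standard.

Added example, not the article's or Whitethorn Shield's own code. The scan
lines are constructed; the policy mirrors the article's weak protocols and
primitives (SSLv3, TLS 1.0/1.1, 3DES, RC4, MD5, SHA-1).
"""

# Constructed scan output: one "host protocol cipher_suite" line for each
# protocol/suite combination the host was observed to accept.
SCAN = """\
www.example.test TLSv1.0 DES-CBC3-SHA
www.example.test TLSv1.2 ECDHE-RSA-AES128-SHA
www.example.test TLSv1.3 TLS_AES_256_GCM_SHA384
api.example.test TLSv1.3 TLS_AES_128_GCM_SHA256
legacy.example.test SSLv3 RC4-MD5
legacy.example.test TLSv1.1 AES256-SHA
"""

BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_TOKENS = {  # cipher-suite name token -> weak primitive it signals
    "CBC3": "3DES", "3DES": "3DES", "RC4": "RC4", "MD5": "MD5",
    "NULL": "no encryption", "EXPORT": "export grade", "EXP": "export grade",
    "ADH": "anonymous", "AECDH": "anonymous",
}


def suite_issues(protocol, suite):
    """Return the weaknesses found in one protocol/cipher-suite pair."""
    issues = []
    if protocol in BANNED_PROTOCOLS:
        issues.append(f"protocol {protocol}")
    tokens = suite.replace("_", "-").split("-")
    issues += [WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS]
    if tokens[-1] == "SHA":  # bare trailing "SHA" is the SHA-1 HMAC
        issues.append("SHA-1")
    if protocol == "TLSv1.2":  # assumed policy: PFS + AEAD only on 1.2
        forward_secret = tokens[0] in ("ECDHE", "DHE")
        aead = any(t in ("GCM", "CHACHA20", "CCM") for t in tokens)
        if not (forward_secret and aead):
            issues.append("TLSv1.2 suite lacks forward secrecy/AEAD")
    return issues


def assess(scan_text):
    """Map every scanned host to its sorted list of findings (may be empty)."""
    findings = {}
    for line in scan_text.splitlines():
        host, proto, suite = line.split()
        host_findings = findings.setdefault(host, set())
        for issue in suite_issues(proto, suite):
            host_findings.add(f"{proto} {suite}: {issue}")
    return {h: sorted(v) for h, v in findings.items()}


if __name__ == "__main__":
    for host, issues in assess(SCAN).items():
        print(host, "NOT SECURE" if issues else "ok", *issues, sep="\n  ")
```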
Typically, these same organisations will evidence, through Security Measures, Metrics and reporting via the GRC channels, their Security posture and Compliance position in relation to their internal Information and Technical Security Policies and Standards as well as external Standards such as COSO, GDPR, PCI DSS, ISO 27001, NIST and CBEST. However, many are clearly failing to achieve the desired standards, and quite frequently by a considerable margin.
Most large organisations are also likely to have Cryptography Standards as part of their Compliance and Assurance reporting via their GRC channels. This further raises the question: how can any such organisation state that it complies with its own Information and Technical Security Policies and Standards - a reflection of its own Corporate Risk appetite, set by and tied into its wider Board level Corporate Governance Code - when its Internet facing Systems are hosting and running vulnerable, weak and broken Technologies, Protocols (such as old TLS versions) and Cipher Suites? Put simply, it cannot.
In simple terms, an organisation's Internet facing Systems, Web Domains and Web sites, by the sheer fact that they are exposed to the untrusted Internet, must be a priority of focus for Audit, GRC, IT and Security teams, to ensure all internal and external Policies and Standards are adhered to. The design and implementation of effective internal Controls, i.e. non-vulnerable Technologies, strong encryption Protocols and Cipher Suites and a reduced Attack Surface, must be robust and managed correctly. Our evidence shows that some 75% plus of all FTSE 250 companies and Fortune 1000 organisations are not up to standard (including Financial Services regulators and Payment organisations) and, by being Not Secure, are undermining every $ spent on security.
When Whitethorn Shield evidences implied vulnerabilities by discovering organisational Internet facing Systems that are hosting and running vulnerable, weak and broken Technologies, Protocols (such as old TLS versions) and Cipher Suites, the entire organisational Security Governance and posture is brought into question, together with the effectiveness of those internal Audit, GRC, IT and Security teams. Saying "we are changing web sites in a few months" does nothing in the meantime to protect the organisation or the PII data held on your clients and customers. If breached, you will certainly fall foul of GDPR (regions vary) or similar, and no regulator will be lenient about your new web site plans when issuing GDPR fines.
How then can organisations spending millions on Cyber Security detective, preventative and corrective Controls, in conjunction with their 3 Lines of Defence, who are supposedly continuously assessing, verifying and validating the design and operating effectiveness of those Controls and their Compliance with internal and external Policies and Standards, still have Internet facing Systems that are Not Secure? Is it mishap, malice or misdirection that leads so many organisations to ignore the Security of their Internet facing Systems, when those Systems - once proved vulnerable and exposed by Whitethorn Shield - provide an entry point for attackers or nefarious users directly into the Core of the organisation?
The 'fog of war' certainly appears to have evolved and is clearly affecting IT and Security teams, as the fundamentals are being missed or ignored, either through a false sense of Security brought on by having purchased 'every tool in the tool shop' or through a complete lack of capability and situational awareness. Either way, there is no excuse for any of the Not Secure Internet facing systems we identify, given the level of spend and the number of so-called SMEs involved in the detection and prevention of successful Cyber Attacks.
This lack of situational awareness and false sense of Security reaches the Board through regular internal reporting and even makes it into Annual Reports, where the 3LOD is lauded as effective. How can any of this be accurate when Internet facing systems, a direct entry point for Bad Actors, are Not Secure?
CIP has identified that 75% of the FTSE 250 state they operate 'effective internal control' through robust 'three lines of defence' consisting of Audit, Assurance and Line of Business. Set against our finding that 75% plus are Not Secure, that statistic means 75% of FTSE 250 organisations are either misreporting their Operating effectiveness quite deliberately, or they simply do not know that their Internet facing systems are materially Not Secure. This is before we even consider the woefully poor track record of the Certificate Authorities and bungled certificate issuance, such as Let's Encrypt's recall of 3 million certificates and DigiCert's recent breach and revocation of tens of thousands of certificates.
Either way, this 'false sense of Security' has infected Boards, employees, Shareholders and Customers alike. No evidence of a Breach doesn't mean you have not been breached; it means that if you do not Secure your most exposed Systems, you cannot state with any confidence whether you have been breached or not. As such, rather than waxing lyrical on the effectiveness of your Internal Control, perhaps improving the Security posture of your most exposed Systems would be worthwhile, and while doing so, plan for the worst case outcome: by being vulnerable on your most exposed Systems, chances are you are probably already breached.
Whitethorn Shield. Actionable Intelligence today.