Monday Morning Voicemail:
Good morning high-powered CSO, this is Brian with Raxis. I sent over a draft of the most recent assessment report as you requested. Just to recap, there were seven critical findings, 5 severe, and a menagerie of others that we can discuss at your convenience.
You’re the CSO of a major enterprise. You’ve hired us to perform a penetration test, and the results aren’t pretty. What now?The team at Raxis brings a rich depth of experience in articulating risk to all audiences. We can talk technical with the engineering groups and discuss strategy with C-level executives. It’s how someone deals with adversity that defines them as a leader. We’ve seen leaders emerge from the fire to rise above the fray. We’ve also witnessed the fallout when leadership decisions are made in ignorance or for political expediency.A security assessment is only one step in a process, and its value is largely determined by what happens after we’re out of the fray, so to speak. So, there you are; you have an unexpectedly thick and verbose penetration test report sitting in your inbox. Here are the 5 worst things you can do, based on what we’ve seen happen in the real world.
5. Sweep it Under the Rug
It may be tempting to just quietly file that report away because you think it might tarnish your reputation or because, “that only happens to other companies.” Maybe you would prefer to fix the findings with minimal political overhead. Here’s the problem. The report you received is a bona-fide disclosure of risk. When it landed in your inbox, all level of plausible deniability left the building. If you do anything less than boldly embrace it, and the company is breached, you are going to be in a rough spot with tough questions to answer. By owning the problem, you can own the resolution. Let that be the focus.
4. Play the “Blame Game”
It is easy in the world of corporate culture to get bogged down in political maneuvering. A corporate leadership role requires a certain level of posturing, but there are few things less productive than finger pointing. The fact that you were against rolling out the vulnerable application or platform that was compromised may carry weight in your inner circle of colleagues, but your stockholders only want to know their investment has underlying value and that effective leadership is at the helm. It’s helpful to acknowledge mistakes and learn from them, but keep the emphasis on moving forward.
3. Cling to Penny Wise and Pound Foolish Remediations
The findings in the assessment report are not a checklist to be ticked off and call it a day. Yes, of course they should be fixed, but it’s critical to understand that a penetration test is opportunistic. The findings that are presented are probably not the only significant exposure. Look at the bigger story that they tell and formulate remediations at a systemic level. Were all the findings related to applications? If so, the problem probably is not the applications but more likely with their development and deployment. Yes, fix the symptom, but do not neglect the underlying problems that led to it.
2. Rain Down Fire and Wrath
We see this far too often. A phishing email is sent out, and an employee clicks on the link, which then becomes the bridgehead for a compromise. When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. Look at it this way. Once they understand the ramifications of their action, that person is the most secure person in the company at that moment. It’s likely that they will continue to operate under a heightened level of vigilance and will be the last person to click on a suspicious link in the future. Replacing them with someone who has not learned that lesson, simply presses the reset button for future phishing attacks. Help them understand the attack and how their actions contributed, and they may become a power advocate among their peers for better security.
1. Silo Solutions
Would a capable attacker limit themselves to a single application, network, or technology? The answer, of course, is that they would not. Lateral movement is a huge component of privilege escalation. It’s important to scrutinize specific elements of any environment. We conduct assessments regularly against a single application or system, but what we always try to underscore is that rarely are attacks vertical. Rather, the attack chain tends to zigzag across technologies and business units within an organization. Just because you tested and remediated a specific web application does not mean that the app no longer presents a risk. It means that the direct exposure created by the app has been mitigated. Maybe there is another vulnerable application running on the same server that can be used as a point of compromise?The point is that attackers do not silo their efforts, so don’t silo your defenses.
Your Decisions Make the Difference
Fortunately, these observations are more the exceptions than the rule, but they do happen. And they happen in surprising large and mature organizations. Most of these mistakes can be attributed to a knee-jerk moment of self-preservation. When our lizard brain steps in, sometimes we don’t make the best decisions for our career.The best way to avoid these pitfalls is to never put yourself in that situation in the first place. Yes, some pentests are horrific. In leadership, it’s not how you fall. It’s how you rise above.
A security assessment is not a chance for someone to make you look bad. It’s a learning exercise. Embrace it and use it for a platform from which to build positive change..
Raxis CTO, Brian Tant