11 August 2016

Time for Boards to Call Bullsh*t

Anne-Marie Chun

Ted Schlein talks about boards finding security assessments that work

How boards can find security assessments that actually work and acquire companies they know are secure

What pisses boards off the most? “Bullsh*t,” says Ted Schlein, Kleiner Perkins Caufield & Byers partner and Synack board member.

At BlackHat last week, Synack hosted a small group of CISOs for an intimate discussion on how to talk to their boards about security. Leading the discussion was a panel featuring Ted Schlein, who spoke from the perspective of a board member and former security executive; he currently sits on Synack’s board and has served on the boards of 40+ other companies over his career. Adding the perspective of the CISO were Michael Coates, Trust & Security Officer at Twitter, and Simon Gibson, CISO at Gigamon (formerly Bloomberg).

One thing was clear in this discussion: being a CISO is challenging work, day in and day out. CISOs’ scope of responsibility is steadily expanding to include not only information security, but also the broader security risk of the company and the health of the bottom line. As a result, one of the biggest mistakes a CISO can make is failing to acknowledge that risk exists. Addressing the CISOs in the room, Schlein pointed out, “You all know you can’t claim the company is secure. It can’t be done… the question truly is, when you get exploited, will it matter? And how much does it matter?”

Over the past few decades, security risk has evolved from a matter of “if” to “when” and, now, to “how much.”

Unlike financial risk, which boards systematically measure, security risk is difficult to quantify because “the rate at which technology changes, the rate at which attacks happen, the rate at which people interact with systems is so dynamic,” remarked Gibson. Boards now recognize that breaches are inevitable, but as last week’s discussion highlighted, they must now address how much damage a breach can do and what they can do to mitigate that risk. “That was a seminal moment when the CEO of Target got fired,” shared Schlein. “It set a direct correlation between some security issue and the termination of a successful CEO of a successful public company. The board had to make that decision.”


One piece of good news for the CISO: a breach today requires a response from more than the CISO alone. Damage to operations, data security, and/or the brand affects everyone on the executive team and the board. Furthermore, minimizing security risk has now become part and parcel of a board’s duty to the company and to shareholders. The challenge then becomes getting a clear understanding of an organization’s security risk and the appropriate mitigation plan. As Coates pointed out, companies do not exist in a static, binary state of “breached” and “not breached.” Today’s adversary is constantly evolving and adapting to new solutions, and the only way to beat a cybercriminal is to implement an equally dynamic solution. Leadership teams should not only assess the status of their enterprise security at a point in time, but also continuously monitor their IT assets to find future vulnerabilities before the cybercriminals can find them.

For boards, this process is particularly important when assessing a potential merger or acquisition. Each enterprise has a unique set of software development processes and standards, and all buyers should be aware of vulnerabilities or coding differences in the acquiree’s systems before integrating them into their own architecture. The buyer should understand any and all risk that it is acquiring, and it should also recognize that merging two enterprises’ code bases will inevitably introduce new vulnerabilities, extending the parent organization’s attack surface.

Too often, an acquirer does not learn of an acquiree’s vulnerabilities until it has already acquired the company. Though security testing is often a part of the due diligence process, it is not uncommon for these tests to only cover 1-3% of applications. Exhibit A? Yahoo.

Just one week after the acquisition of Yahoo was announced, a cybercriminal by the name of Peace put 200 million Yahoo account credentials up for sale for $1,813 on the dark web. It is suspected that the Yahoo account IDs currently for sale on the dark web date back to 2012. For Yahoo’s new parent organization, however, this breach still requires the board to incur the cost of a loss of users’ trust, the potential repercussions of other cybercriminals hacking into accounts that have kept the same password since 2012, and a new security assessment to ensure all past and present vulnerabilities have been patched effectively.

Yahoo’s Case for M&A Security

As is the case for most digital companies today, this was only one of Yahoo’s several security breaches over the last few years.

In 2012, Yahoo Voices, a product of Yahoo’s 2010 Associated Content acquisition, was breached to the tune of 450,000 accounts. Yahoo followed this attack with the announcement of an open bug bounty program several months later. However, not only have fewer than 1 in 5 of the vulnerabilities submitted to this program qualified, but the program also has not fixed the problem. A few months after its launch, Yahoo users were exposed to malware through Yahoo advertisements. Later that month, some Yahoo users’ accounts were compromised in a third-party database. In the last three months alone, Yahoo has suffered three separate security incidents, including stolen accounts, a suspected state-sponsored attack, and the most recent sale of Yahoo account IDs on the dark web.

The Limitations of the Status Quo

Open bug bounty programs do uncover many vulnerabilities within a company, but they usually don’t constitute a complete vulnerability assessment. The repeated Yahoo breaches show that these programs still leave a company exposed to a significant amount of security risk due to:

  • Noise: Only 19% of the vulnerabilities discovered through Yahoo’s bug bounty program qualified for a payout, according to SecurityWeek, leaving the remaining reports as noise that security teams waste time sifting through.
  • Lack of Trust: Any hacker can participate in open bug bounty programs, and quantity certainly does not mean quality. Bug bounty programs can go south if an aggressive hacker threatens to exploit the vulnerability they discover unless they are paid, or paid more.
  • No Follow-Through: Open bug bounty programs can reveal vulnerabilities, but they don’t ensure that these vulns are patched effectively. Synack’s experience has shown that 14% of patches are not effective the first time around, and an adversary only has to find one of those vulnerabilities to get in.

A Need for Deeper Diligence

As Coates explained to Synack’s room full of CISOs, every security program has room to develop and mature. Boards and management teams that are considering acquisitions should consider how they can deepen their due diligence around security risk. At the very least, these companies should require a thorough vulnerability assessment and penetration test of their target before closing the deal. However, to go one step further, they should mandate that the integrated organization undergo continuous scanning of the IT enterprise to not only identify vulnerabilities at a point in time, but also effectively reduce the number of breaches in the future.

When considering vulnerability assessment and penetration testing alternatives, boards and management should look for the following:

  • Actionable Intelligence: A vulnerability report should minimize the noise and prioritize the vulnerabilities that are most likely to be exploitable.
  • Hacker Vetting & Trust: It is difficult to find truly expert security researchers in today’s talent-strapped market. Management should seek vulnerability assessments that offer both a diversity of researcher perspectives and a thorough vetting process, yielding both quality and quantity in the ethical hacker team and its vulnerability reports.
  • Managed Service: Look to hire a team that offers security as a service, including vetting and verification of all reported vulnerabilities and managed payouts. Managed solutions can augment in-house security teams and help focus their attention on the vulnerabilities with the greatest exploitation potential.
  • Comprehensive Coverage: Evolving adversaries necessitate evolving defenses and constant vigilance. Machine-supported solutions with continuous, automated discovery provide comprehensive coverage of a company’s IT assets and reduce the chances of adversaries finding a new backdoor into a system.
  • Mitigation & Remediation: A vulnerability assessment only improves an organization’s security if it leads to an effective solution. A strong security solution will offer end-to-end support throughout the vulnerability lifecycle: from discovery and reporting to mitigation and remediation support that includes patch verification for ensured patch effectiveness.

As Schlein reminded us last week, no company today is 100% secure. The threat from cybercriminals is too great. Boards and management teams must recognize this fact and understand how to minimize this security risk as much as possible. Outdated legacy solutions are no longer cutting it. A modern, evolving adversary requires an innovative, dynamic solution that offers both security and actionable, effective results that serve the unique needs of each enterprise. Don’t let your company believe that you are secure – dig deeper, don’t settle, and don’t be afraid to call bullsh*t.