"Transitioning Cyber Security to a Mission Risk Mindset" by Iain Dickson CSides June 2020

BSides Canberra · 2020 · 36:55 · 388 views · Published 2020-06
Style: Talk

Transcript [en]

So our next talk tonight is, and just so you know, the host may not amuse me. Oh God, we're being [inaudible] on the other side. I think Silvio was introducing Silvio for ComfyCon right now, but now Iain's presenting. So Iain is a data scientist who has fallen into the cyber profession. He has previously worked as a cybersecurity research engineer and as a cyber threat intelligence technical lead for the Australian government. He is currently the cyber technical lead for Leidos Australia, leading cybersecurity projects across the organisation, and he's also the founder and organiser of ComfyCon. Tonight he's going to talk to us about transitioning cyber security to a mission risk mindset, also known

as "why the new ISM is [inaudible]". So a little bit of controversy in this talk.

[Laughter]

So hopefully you guys can see my screen. Can someone confirm they can see my screen? Fantastic. All right, good evening everyone. I'm going to say a couple of things to start off with. One, as many blue team people are, I'm sure, I'm very tired. It's been a very busy day, as I'm sure your day has also been, but in some ways it's been a good day, because the Australian Government has just given me quite a good use case for the talk that I'm just about to give. The other thing I'll say is I'm not a GRC (governance, risk and compliance) person by trade, I'm a technical person, so feel free to say that you don't agree with something, I'm always willing to hear it. But essentially what my talk today is about is the new ISM, the Information Security Manual for those who aren't aware, and what's changed with it.

So, to go into some content: we'll start off with some definitions, because we always need to make sure we're talking about the same thing. For those who aren't aware, we'll talk about what the Information Security Manual actually is, because I'm sure a lot of you who don't deal with federal government or state government aren't necessarily aware of it, what's changed with it, and why a risk management approach, which is sort of what I'm hinting at here, is a bit better than the previous approach, which is more of a compliance approach. And supporting that I've got a nice little allegory. As discussed before, I don't think I need to go through all this, but yeah, I've done a lot of stuff and I still do stuff; it's probably accurate.

So, for some definitions. For anyone who's been to one of my talks before, this slide will always be in it. We start off by talking about what risk actually is. Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, so it's the potential for something bad to happen, and within cyber security we talk about this as being a combination of threat and vulnerability. Threat is any circumstance or event with the potential to adversely impact organizational operations, assets or individuals. These are definitions from the NIST standard; if anybody wants to see it I'm more than happy to send it to them. But essentially when we talk about threat we generally talk about threat actors, so we talk about groups of people who are targeting a certain [inaudible], a certain network, a certain system, with a given intent. For vulnerability we talk about a weakness. That's pretty much a given one. I think the information security community has gotten vulnerability quite well down, and it's the threat piece that needs some work, but hopefully I'll be highlighting where that comes in in the next few slides.

Some more definitions. Risk management: we talked about what risk is, but risk management is using that risk to determine what actions to take on a network. So in simple terms, what controls should I put in place on a network to defend the network? Now obviously we know that no network is unhackable, but we decide based on some methodology what controls to implement, and so risk management is a tool that you can use to decide what controls to implement. So the NIST Risk Management Framework is a really good example, and as you'll find out, rather than reinvent the wheel, the Australians have taken that on board. A risk owner is someone who's accountable for a risk, so traditionally this is your CISO, this is the system owner. These are both terms that are defined in the Information Security Manual as well. Every federal government agency is responsible for having a CISO, it's responsible for having an ITSA, and it's responsible for having system owners. Finally, accreditation. For those who haven't worked in a federal space or a state government space, there is a process known as accreditation, and this is the process of achieving approval to use the network. It's not necessarily about just plugging everything in and making sure that everything will work; you actually have to go through a very structured process to assess the network, assess the security controls of the network, to gain what is known as authority to operate.

And then this one in here, which is quite relevant for today: when I talk about threat actor tiers, this is what I'm talking about. So this is a great slide from the Department of Defense, that's with an S, in the US, which talks about the different types of threat actors. We start from script kiddies, non-malicious access, on tier one, and we go out to tier six, and the way this diagram works is it shows you that as you go up the tiers the resources increase but the number of actors decreases. The right-hand side also talks about the threat actors' defining characteristics. So tier 1, tier 2, they'll download something from the internet and use that; tier 3, tier 4, they'll discover something that's a vulnerability in a system; tier 5 and tier 6 actually create vulnerabilities. And when I say full-spectrum, they actually mean not just using cyber but using espionage, physical effects, and when they're actually using cyber we're also talking about kinetic effects, which is quite an interesting role if anybody's interested, and I'd love to talk to them about it.

So a bit of a TL;DR up front, because I know some people will want to know that and I just want to make it clear. So the new ISM allows resourced organizations to exercise mature risk management approaches to enable their business operations through careful selection of security controls. A couple of important points there. Resourced: so we talk about security operations teams, and one of the things that I hear in regards to taking on a risk management approach is "we don't have enough people". Well, arguably you don't have enough people because you don't have enough people; it's not because you're using a risk management approach, it's that you don't have the right people in the right place to do the right thing. Maturity: there is an amount of making the model work for you, understanding your environment, understanding how you fit within the organization's business processes and how they work around you. And then careful selection: it's not a matter of a checklist, and if I can get anybody to walk away from this with anything, it's that if you use a checklist to say your network is secure, you are probably lying to yourself, or you're not actually getting a good security outcome.

So what is the ISM? For those of you who work in, again, federal government, state government, potentially those who do business with them, you've probably seen this document and you've probably read it cover to cover. I know I have on a number of occasions. It's a great read; you should read through the Australian Government Information Security Manual, made by ASD and the ACSC. Important things on there: it's the 19th of June 2020 right now and this was updated in June 2020, so this is the latest version. Now this is something that wasn't generally done previously, and for those who are aware, the ISM was generally updated on a yearly or six-monthly basis, so this is one of the changes. What does it actually contain? It contains information on suggested controls for classified networks as well as DLM networks; for those who don't know what a DLM is, it's like a classification but light, kind of thing. It forms the basis to develop those security controls, so it provides you a giant list of controls that you can then pick and choose from and say "I'm going to implement these controls on my network". So it's a good guide so you'll be able to start developing the security around your network. Now the important thing is, and I noticed some of these mentioned in the Slack and I'll get to you later, it doesn't contain every single control. It's a list of controls that have been evaluated by ASD and ACSC. It's not the be-all and end-all; you always have that option to introduce other controls later on. And you go through this process with the documentation, and then you're assessed for accreditation by a member of what's called the IRAP program. So there's a whole list of IRAP assessors; if you've gone through this process you know what it is, but essentially they'll come in, they'll understand your system and the controls you've put in place, and say "yep, this is probably okay", send it off to the next person. And the next person is actually the accreditation authority slash the risk owner for the organization. Oh, everyone's joining CSides. The accreditation authority, risk owner of the organization, is generally the CISO, but basically that is where the buck stops. That is the person who has accountability if something goes wrong on that network; they are the person who has to accept the risk that that will go wrong. Important point, and it's called out in the ISM, and I'm sure there's not many people who are affected by this: unless it's a top-secret network, the risk is generally owned by someone within the organization. If it's a top-secret network it's owned by the Director-General ASD. It's an interesting fact if you ever work on top-secret networks.

It also contains the Essential Eight, topic of the day. The Essential Eight provides a baseline of controls. Now the important thing is it's a baseline of controls based on what ASD and ACSC think are likely, right? ASD and ACSC may not know your environment, in fact they probably don't; they have made a judgement call, a risk management call, that these are the controls you should be implementing in your environment. The problem with this is it is only a reporting requirement for government agencies, as far as I'm aware, but at the moment it's become a pseudo compliance requirement. People are being held to account for the Essential Eight, and as you'll see later on, sometimes the Essential Eight controls don't make sense within an environment. Sometimes you can have particular systems, particular ways of working, where implementing the Essential Eight controls will actually cause a problem with your business processes. Arguably it's also proven not to be working, and this is an article that came out last week, week before, from iTnews talking about the top 18 government agencies, and if you can see the graph there's a very distinct lack of agencies' compliance with those controls. This is why I think we need a different way of looking at things, and unfortunately compliance is not really the answer. We need to start looking at these systems individually, as they should be, and start applying security controls that make sense for them, and in my opinion that's what ASD and ACSC did.

So what changed? Well, very simply, here's an old version of the ACSC, oh sorry, the ISM. So it says this document is not a compliance based standard, and it says you need to pick your own risk management framework, which is great. Now it then also lists underneath these are the controls. So for example, on an official, protected, secret or top secret network, you should (for those who've studied systems engineering, should is not a requirement, it is a "you can do this") ... a HIPS is implemented on workstations. Now another requirement, sorry, another control, says 1:03 for official, protected, secret, top secret networks you must, and must means, as Alan said in a call we had the other week, must means you absolutely have to do this, so a HIPS is implemented on high-value servers such as authentication servers, domain name servers, web servers, blah blah blah. Now there's a slight contradiction here. It says it's not a compliance based standard, but there are things you need to comply with. Okay, I'm sure this has been commented on a number of times, and in my opinion this is one of the reasons why this has changed. But realistically, you say you're not a compliance based standard, but you are a compliance based standard: you must do these things.

So what did they do? So this is November 2019, so this is, let's have a look, eight months ago, or an eternity if you consider the way this year has gone. This is what they've changed. So, using a risk management framework: the difference here is they've actually given you a risk management framework to use. They're not giving you a choice in it, which is arguably a good thing; it means you don't have to sort of wonder which one to use, and they've chosen RMF, which is a risk management framework that has been established by NIST, the National Institute of Standards and Technology, in the US. It has six steps: you define the system, you select the security controls, you implement them, you assess them, you authorize the system, and then you monitor the system, and then it loops around and it goes round. And so they've defined this to make it easier to get into risk management. But the other change they've made is they've removed the shoulds and musts. So "HIPS is implemented on workstations" is no longer a should; "HIPS is implemented on high-value servers such as authentication servers, domain name servers, etc. etc." is no longer a must. So the question that gets asked: does that mean you can now ignore the ISM? No, it doesn't mean you can ignore the ISM. The ISM, the way that it's now structured, means that there is an understanding from ASD/ACSC that system owners are the only people who can adequately identify the risks, and as we discussed before that is dependent on your threats and the vulnerabilities that your system has, and to therefore implement the controls to defend against those risks or to mitigate those risks. So rather than a blanket approach to security, it puts the onus on government agencies to identify what is relevant to them, and as a bonus to the organizations it allows you to choose the controls that make sense for your organization based on those risks and threats. That's the important point. It doesn't mean you can just choose the easy ones; it means you choose the ones that are relevant, and not use the controls that are either too onerous or disable business, because the important thing, as I'll say later on, is that we, as a group of people within an organization, federal government, state government, what have you, need to make sure that we're enabling the business in a secure fashion.

So why is this better? Risk management is the language of executives. So risk is not a cyber-only thing; it applies to all of these things on this screen. We talk about business risks, we talk about financial risk, we talk about safety, protection, control, strategy, analysis, and of course cyber with the wonderful font. Risk is something that leaders understand, and even if you are doing a compliance approach I would strongly suggest that you understand how risk works and how you can engage with risk to be able to provide that back to your managers. But in this case, because you're using a risk management approach, engineers, sorry, not engineers, managers and leaders understand what you're talking about. You're engaging with risk and that's an important thing. Risk is not a bad thing; we engage with risk all the time. This is about constructively engaging with risk.

And as I promised, here is my fun allegory to also highlight some more points. So for those who are of a Royal Air Force or RAAF or what-have-you bent, this is the F-104 Starfighter. So this aircraft was designed by Kelly Johnson who, if you don't know, was the gentleman who invented the Skunk Works at Lockheed Martin, that amazing place that all the aircraft engineers want to go to. So it was invented in the 60s and 70s as a replacement for some of the aging aircraft that were within the US military after World War Two. It was designed to be what they call a fair-weather fighter, which means that it can basically take off during, you know, a normal day, it can then land on a normal day; if it was raining or if it's stormy it's probably less able to do it. And the story goes that the German air force, sorry, the West German air force specifically, were looking to rebuild their Luftwaffe during the 60s and 70s after it had been obviously decimated during World War Two, and they were looking for a new aircraft. And the story is told through this; it's an album actually by a gentleman called Robert Calvert, who was in a band called Hawkwind during the 70s. But the story goes like this. The salesman says "yes, it's a fair-weather fighter, you won't find anything better", and the Germans say "yes, that's great, but we want bombing, strafing, assault, battery, interception, ground support, reconnaissance", we want this thing to do everything, basically. And the salesman goes "yeah, that's fine, we'll just make some modifications, nothing could possibly go wrong", and they ended up with the F-104G, G for Germany as they say in the album. There was one slight problem: the F-104G had the highest fatality rate of any modern aircraft. So the F-104 in particular did not exactly have a great record, I'll say that now, but the F-104G had an even worse record, and that's partly down to the fact that they tried to build too much into the aircraft at once. The aircraft couldn't handle dealing with all the equipment, all the different features, and basically was quite difficult to fly, and also, you know, it just would randomly crash. The German Air Force and the pilots of the German air force used to call it the Widowmaker.

And so this allegory for me teaches a couple of different things. So systems shouldn't and cannot be designed to counter every threat imaginable without impacting usability. So this aircraft was designed to counter any sort of threat. It was designed to counter air, it was designed to counter [inaudible], and it was designed to do everything, but the problem was you ended up with an unusable system. And this goes to the story we often tell a lot, which is the most secure system is a system that's turned off, disconnected from the internet and thrown into a river. You know, it's the most secure system, but it's also not actually a usable system. A follow-on from that is cybersecurity is there to enable a business to do its work securely, not to inhibit it. So the point of cybersecurity is for the business to function. We are only here at the whim of the business. The business needs to do what it does; we need to secure the business. That means whatever we do, we need to make sure that the business is secure. And so linking back to my original statement, a risk approach takes into account those relevant threats, i.e. it understands, in the aircraft, what particular things the aircraft needs to be designed to do, and not everything, but the very specific things. If the Germans at the time had thought "well, we're actually going to be against tanks, therefore we need to target this thing, but we're not going to be against fighters, therefore we don't need this thing", they might have had a more successful aircraft. And the vulnerabilities as well, so less mentioned in the aircraft analogy, but within a cyber analogy, you know, there's no point putting in a WAF if you don't have any web applications. Like, we know that that's a given. Let's take that a step further. Let's understand specifically what vulnerabilities are on our systems, and therefore put the controls in only to defend against those vulnerabilities, rather than putting controls in for the sake of putting controls in, which arguably, if we're being honest, can happen a lot if you just implement the Essential Eight or you use the old approach, the ISM. And in my opinion this is a big one: mature risk management approaches provide better security outcomes and business outcomes. So how many times have we been, you know, you might have put in a request, "I want to use a piece of software", and the automatic response back is "no", no because of some reason, because of "oh, it's not on our list" or what have you. Mature risk management strategies allow you to look at that application, understand what it actually does, what is it within the context of your environment, how can it affect you. It's really important. The problem I find with people who say you can't actually do this in real life: it's not that the risk management piece is difficult, it's understanding your network that's difficult. Arguably that's something we need to do anyway. We always need to understand what our network is, because otherwise how do we defend it? And again, my argument there is, well, obviously the current approach isn't working, where we kind of know what's on our network and we just chuck controls in for the sake of it. Let's try this new one.

Thank you, IT girl, for also pointing out this: risk management is also a process that keeps going on and on and on. It's meant to be this thing where, you know, threat changes on a daily basis. Your threat can change from one day to another. Today is a great example of that. Today Linda Reynolds and Scott Morrison stood up and said there are threat actors targeting Australia, you should use these two controls. Now for those who have been listening to the presentation and know me, that's an important breakthrough. Further, the government didn't say implement the Essential Eight; they said implement these two specific controls. They said these two controls out of the Essential Eight; they're Essential Eight controls, doesn't matter, they're Essential Eight controls that were told to be implemented to defend against this threat. That is exactly what this approach will give you at the end. This approach will tell you this threat can be defended, sorry, defeated by these controls; implement these controls because this threat is relevant to you. In essence, the right security control in the wrong place for a threat actor can make all the difference in the world. It's not about just putting up controls everywhere. Obviously we can't do this, like we don't have enough money, we don't have enough resources, so pick your controls carefully and make sure that you understand your network and you understand your threats.

A few examples. I wanted to include these because some people, you know, tell me that "oh, we've implemented application whitelisting across our entire environment", and I'll be brutally honest, you haven't. It's not possible. If someone has a proper application whitelisting system across their environment without weird exceptions, like you can run apps from this folder or you can run apps from this folder, I'll bite, like I'm happy to be proven wrong, but most organizations do not have that level of control. And so some really good examples here. The ISM says you must patch within 48 hours, which a lot of people complained about today, for operating systems. For those who work with industrial control systems, you do not patch industrial control systems within 48 hours. That is a no-no. You will break the system if you don't do testing. Application whitelisting for software developers: again, I've never seen a solution that actually works well for software developers. The only solution that I've generally ever seen is you either give the software developers the ability to sign themselves, in which case that kind of defeats the point of having signing, or you whitelist a folder, in which case again it defeats the point of application whitelisting. Macros for finance personnel: I know of a number of different organizations that if you disabled macros in them, the entire organization would stop. That's the business process they've built, so you find other controls to defend against those things. AV: if you're a penetration tester, I'm sure if you're a red team, you've disabled AV on your system, therefore you're not compliant with that control. Like, that's the way it is.

So I've talked about where things are right now with the ISM. A couple of tips just to sort of help people who may be at that point but also need to know what the next step of this is. So risk, as I said earlier, it's not this single thing. Risk is a concept of lots of businesses; it's applied to finance. And so why do we treat cyber risk differently? Cyber risk is just another part of risk within an organization, so realistically you should end up with this integrated risk management model. The impacts of risk are calculated in the risk, therefore you can compare a cyber risk versus a financial risk because they both have an impact on the business. We shouldn't be treating them separately. A great way of looking at this, if you have worked in a military context or you have the ability to see some sort of military doctrine, is looking at military risk management models and mission risk, which is what I talked about at the beginning. Mission risk is understanding all the risks to my operation within a given area of operations. They could be cyber risks, they could be shooting risks, they could be health risks, they could be "I don't have the logistics in this place". So transition to that point where you understand what will stop you doing your mission, what will stop you from achieving your goals, at a bigger picture level rather than focusing down on the lower level, because arguably cyber might not actually be the most important thing for you to consider.

And that's it. I know this has probably rubbed a few people the wrong way, and I am somewhat apologetic, but I'm not entirely apologetic. I am one of those people, I'm a techie, I know that we should implement controls, but I think the best option for the user is this sort of model moving forward. So thank you very much for listening, and I know there's a few questions which I am trying to work out the answers to in the comments. I've copied down some other questions.

There are a ton of questions. I think question time for you. Maybe you can watch the Slack, because I'm pretty sure as you...

Yeah, okay. So as I ask the questions, if people generate more questions from your answers... Yeah. Because I think I missed a question with Eleanor, but the first question came from Dave. Dave, right at the start of your talk... Sure. He said, so how do we assess hardening options that are not mentioned in the ISM?

Good question. So this is a problem, this is an interesting one, because, so obviously, not that I'm going to go on about it, but obviously I work in a vendor space, right, and so the moment you mention a control that's not in the ISM, I know there are some customers that go "it's not in the ISM, we don't care". So how do you actually prove the value? And realistically it goes back to that risk management approach. So if you can demonstrate the value of how your technology or this hardening option defends against a given threat, and the organization agrees that that's a relevant threat to their systems, then you should be good. The problem I think in that space is not necessarily how do you demonstrate it; it's how do you actually get to that conversation where you're having a risk management approach conversation in the first place. Now one of the things that came out of this ISM, and I was having lots of discussions at the time when this happened and the CCSL changes came out as well, was, you know, it's probably not a great move for small organizations and small government at the moment because they're not really at this level. The longer-term picture is this will help to bring in those controls, to understand how those controls impact your systems.

So the next question was from Craig Small. He said: how does the new ISM help implementers in a project? Before, if my widget had a desktop and a name server, I knew the former didn't really need it and the latter did. I had a definite goal. Now what's my target? Who decides?

So realistically, again, this comes down to my statement about resourcing. And so organizations generally have some form of vulnerability assessment team that run Nessus on the system so you understand the vulnerabilities in the organization. The corollary to that is you need to actually have some kind of threat team, so you need to understand the threats to the organization, the threats to the systems. So realistically, in my opinion, again, you would go talk to your threat team. You'd say "okay, I'm building this system, it's going to have these components, it's going to have this way of working, who are the likely threats that are going to target that system if they have access to it, also what data is stored in it", because that's the important thing; it's always about the outcome. And they should be able to come back to you and say "you know, it's this threat or it's this threat, and these are the controls you put in place". Now I understand that most people don't have the resources for that, so realistically in those circumstances you should try and do that research yourself. So understand what you're building, understand the context of the organization you're building it for, understand who's likely to target you, and therefore implement those controls based on that. There's a lot of open source intelligence information that allows you to, you know, MITRE ATT&CK is a great example of something that nowadays has a great, there's a database on the MITRE ATT&CK webpage that talks about all the threat actors they can think of, and it tells you about all the techniques they use, and therefore it tells you how to defend against those techniques. So you find out who's relevant to you, you find the techniques, you build the controls to defeat the techniques.

Just mesmerized by all your Discord chat, by the way. I think Benzies gave you ten out of ten, actually. Maybe I'll turn that off. I think Silvio is going to ask a question on [inaudible], I think, to add to this as well, but [inaudible] maybe doesn't take security as importantly, is that the organization tell you... How do you mean? Sure, sort of [inaudible] you, how can you have a [inaudible] if they aren't implementing, you know, controls and mitigations? Like previously you could just say "well, the network's unaccredited", because...

Yeah, but even then, like, they would still run that, because you would find some operational, like, again, this is speaking from experience, there would be an operational reason why their network had to continue, or something else. And arguably the only way is to hold people to account for these things. I was listening to a presentation by a vendor the other week and they talked about the Target breach in 2013, and the important thing about the Target breach was it was the first time that a CEO got fired because of a breach. And I think there's a lesson in there, which is breaches are inevitable, yes, but if you don't do everything you can to stop a breach, then you should be held accountable. Ultimately, until we see that accountability being held against people, nothing's really going to change. Now there is the corollary, I keep saying that word, but there is the opposite to that, which is you did everything you could and you still got hacked. Well, that should be evidenced through what you did. There should be evidence through a clear chain of understanding of "yes, we found these threats, we know these risks, we did everything we could, and something came out of nowhere", so you have the [inaudible] evidence to go with that. And as I said, until accountability comes in for these things, it's not going to change. It doesn't matter whether you have a compliance based approach where you say you must implement the Essential Eight, because it doesn't work. Like, we've seen the charts, we know the ANAO reports, they keep coming out and they're saying you're not compliant, and people just shrug.

There was one more question from Maybe. He was asking, do you think there's a scalability problem for expertise in this space? I assume there's going to be more expertise needed to assess those risks.

Yes, well, yes, but that's kind of a given. Let's be, I'm very much of the opinion we need to sort of stop lying to ourselves about some of these things. Our SOCs and security teams are not resourced the way they should be. Arguably we should have been doing things like vulnerability assessments, threat intel, before the ISM changed; however, with the ISM changes it's just made it even more relevant. Realistically it's put the onus back on, it's almost provided a carrot and a stick for these government organizations. The carrot being "okay, you can choose your own controls now, awesome"; the stick is you need to make sure you don't get hacked, and you need to take the role of being the person who understands your systems. And maybe that will work. This approach has only been in for six months and I'm seeing some changes, but I won't say... This is why I said at the beginning there's a resourcing problem. So, sorry, you need to be well resourced. The argument is "we don't have enough people". Well, the argument is we don't have enough people because we don't have enough people. It's not because we're not doing a risk management approach, we're doing a compliance approach; it doesn't matter, we still need more people. We still need to fix that problem, which is why we do things like CSides, which is why we do all these things to bring people on, to try and get them interested, to get them in the... Yeah.

And he sort of followed up with: and should some system along the lines of the SSL Labs test be constructed by, maybe, ASD/ACSC to help system implementers self-assess? ... Other than... you don't think so? Nice. Because that's compliance. Yeah, some tool is not going to understand the specifics of your environment. It's not going to understand that you haven't implemented that control for a given reason. I don't, like, as a, maybe as a non-binding thing, potentially, but like, to actually ensure they were getting good security outcomes, it's got to be driven by humans. Unfortunately that's, you know, we have that problem and we have the resourcing problem. Well, we have both, but we have to deal with it at this point.

I think Maybe's typing, I don't know if he's commenting on that, but while I'm waiting, Maybe, do you have any questions? Oh, [inaudible] questions. Maybe you could jump into the Slack, they all want to talk a little bit more about... Say he did say "good insight, thanks", so there you go, you've convinced him. Great. All right, thanks again, and that's great to hear from you, Norris. Thank you very much guys. Yeah, right, which brings us to our final [inaudible] talk.