Rahul Tyagi, Co-Founder, Lucideus, is a successful entrepreneur and leads the training initiative for one of the most promising home-grown enterprise cybersecurity platforms (one that piqued the interest of John Chambers). However, he remains a hacker at heart, albeit a good one. Tyagi, who was part of Fortune Magazine’s 2018 40under40 India list, is counted among the top whitehat hackers in India and can claim to have found critical vulnerabilities on the websites of Intel, Sony, HP, Discovery Networks, TED and many more.
Letting the hacker in him take over, Tyagi gives an insight into how hackers work and how CISOs can take a leaf out of it to create a more credible defense.
(Note: In this blog, cybercriminals are often referred to as hackers.)
Advantage Cybercriminals Have Over CISOs
- Hackers today are highly organized, have bosses and big budgets just like any organized industry. With cyber becoming a key element of corporate and political espionage and international wars, hackers now have backing from business houses and enjoy government sponsorship.
- Hackers today are well prepared, doing their research and due diligence just like a VC firm wanting to invest in a corporate. They simulate their attacks and analyse what the success ratio would be if they launched a given attack against the overall environment of the organization they are targeting.
- Hackers don’t need approvals to do anything, making them nimbler and enabling much faster decision-making and conversion of ideas/plans to action even as CISOs wait for approvals for investing in their next cybersecurity solution.
- A hacker needs to find just one small error in the technology, code, server, etc. to penetrate the system, whereas a CISO has to secure 100% of the tech stack and take charge end-to-end.
- Looking at the stats – whether it’s Cosmos Bank or Mauritius Bank – one has hardly seen any convictions to date. It’s a profitable business with a high success ratio, sometimes even better than a startup. The ‘low risk and high rewards’ proposition ends up attracting some of the best and smartest minds around.
Shun the ‘Checklists’ Driven Approach
Traditionally, CISOs have had an extremely lateral, one-dimensional view of vulnerabilities and information security. They are very compliance- or check-the-box-driven while taking care of VAPT and the like, which means that for everything they look at, they reach for a checklist: it could be a control library, a scan, or a compliance standard. It’s about ticking the boxes in the checklist, while the actual hacker’s view of the risk that is there is missing in most CISOs.
On the other hand, a cybercriminal will go after anything he can get and doesn’t follow any process or checklist to attack. He will go on and scan all the external-facing assets. He will not start with the CentOS boxes or the servers patched to the latest versions; there will be one server running a wrong version and he will go all in after that.
Therefore, the one-dimensional approach that CISOs have been traditionally following doesn’t work anymore.
Get Your Asset Inventory in Place
CISOs need to shift their attention from the traditional way of looking at attacks to looking at them from the point of view of a hacker, and reverse engineer the entire process.
The solution is to look at the picture holistically. Checklists are very important; I am not saying they are not. But you have to see the holistic picture and then prioritize. If a hacker wants to get you, he will for sure get in through the weakest link, not after going after every server you have.
So, the first thing CISOs need to do is check their asset inventory and categorize it with respect to risk factors. More often than not, organizations don’t have their inventory set up properly. Not many CISOs know their entire asset inventory, along with which assets are less critical and which are more critical.
Hence, get started with a prioritized list of the asset inventory and then start penetration testing the assets, using your vendors or an in-house team: a map of your critical assets against a map of failing controls. Marry the two together and you get risk quantification.
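To make the "marry critical assets with failing controls" step concrete, here is an added example (not from the original article or from Lucideus): a small risk-quantification pass over a constructed asset inventory and constructed VAPT findings. The asset names, criticality and exposure values, finding severities and the scoring formula are all assumptions chosen to illustrate the idea; the point it demonstrates is that a low-criticality but exposed, badly controlled host can outrank the crown-jewel database as the likely weakest link.

```python
# Added example, not the article's or Lucideus' own code: marry a
# criticality-ranked asset inventory with failing-control findings to get
# a prioritized risk list. All data and weights below are constructed.
from collections import defaultdict

# Constructed inventory: criticality on a 1 (low) .. 5 (crown jewel) scale.
ASSETS = {
    "payments-db-01": {"criticality": 5, "exposure": "internal"},
    "web-portal-02":  {"criticality": 4, "exposure": "external"},
    "hr-fileshare":   {"criticality": 3, "exposure": "internal"},
    "dev-jenkins":    {"criticality": 2, "exposure": "external"},
    "lobby-kiosk":    {"criticality": 1, "exposure": "internal"},
}

# Constructed findings from a VAPT run: which control failed on which asset.
# severity is a 1 (informational) .. 5 (critical) scale.
FINDINGS = [
    {"asset": "web-portal-02",  "control": "patching",      "severity": 5},
    {"asset": "web-portal-02",  "control": "tls-config",    "severity": 2},
    {"asset": "payments-db-01", "control": "mfa",           "severity": 4},
    {"asset": "dev-jenkins",    "control": "default-creds", "severity": 5},
    {"asset": "dev-jenkins",    "control": "patching",      "severity": 3},
    {"asset": "lobby-kiosk",    "control": "patching",      "severity": 4},
]

# Assumed weighting: anything the hacker can scan from outside counts double.
EXPOSURE_WEIGHT = {"external": 2.0, "internal": 1.0}


def quantify_risk(assets, findings):
    """Return [(asset, score, [failed controls])] sorted by descending score.

    score = criticality * exposure_weight * sum(severity of failed controls).
    Assets with no failing controls score 0 but are still listed, so the CISO
    sees the whole inventory and not just what the scanner happened to flag.
    """
    by_asset = defaultdict(list)
    for f in findings:
        if f["asset"] not in assets:
            # A finding on an unknown host means the inventory is incomplete;
            # surface that rather than silently dropping the finding.
            raise KeyError(f"finding references unknown asset {f['asset']!r}")
        by_asset[f["asset"]].append(f)

    ranked = []
    for name, meta in assets.items():
        failed = by_asset.get(name, [])
        exposure = EXPOSURE_WEIGHT[meta["exposure"]]
        score = meta["criticality"] * exposure * sum(f["severity"] for f in failed)
        ranked.append((name, score, sorted(f["control"] for f in failed)))
    # Highest risk first; tie-break on name so the output is deterministic.
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def weakest_link(assets, findings):
    """The asset a hacker would most plausibly go after first under this model."""
    return quantify_risk(assets, findings)[0][0]


if __name__ == "__main__":
    for name, score, controls in quantify_risk(ASSETS, FINDINGS):
        print(f"{name:16} risk={score:6.1f}  failing={controls}")
```

With the constructed data the externally exposed web portal and the half-forgotten Jenkins box come out ahead of the payments database, which is exactly the ordering a checklist-by-asset-class review tends to miss. The `KeyError` on an unknown host is deliberate: a finding that cannot be mapped to the inventory is itself evidence that the inventory step was skipped.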
There is No Patch for Human Stupidity
More than technology, it’s the people that are the problem. While there is a patch for technology, there is no patch for human stupidity. You might be putting hundreds of crores into hardware and software, but the person sitting there could be the weakest link.
Almost 92% of attacks that happen in an organization are due not to a technological failure but to human failure. It could be as simple as someone in the finance team opening a suspicious PDF that goes undetected and sends the entire data set to the command and control centre. Or someone who shared his drive over Wi-Fi within the office because USB was disabled, then forgot to turn off the sharing, unintentionally exposing the drive on a public Wi-Fi network at the airport or a café. Or it could even be an employee picking up a USB drive found in the office parking lot and plugging it into his computer.
I particularly recall a red teaming exercise we were doing for a company, wherein I went to an HR staff member and told her that I wanted to apply for a job and gave her a pen drive to access my CV. This pen drive had a payload specially developed by us that could bypass almost all antivirus. As soon as she plugged in the pen drive, we got control of her computer and, from there, of the entire network and most of the company’s data.
Therefore, CISOs need to invest not only in the technology stack but also in the people, and build very strong people, process and technology.
Get into the Hacker’s Mind
It’s time for CISOs to get into the hacker’s mind and understand his way of thinking. Hackers have perfected innovative ways of bypassing the security defenses built by CISOs. For instance, while many companies have a removable device policy that doesn’t allow plugging in pen drives, the reality is that it can be bypassed: hackers can use pen drives which, when plugged in, are read as an HID device (Human Interface Device), like a mouse or keyboard, thus bypassing the policy. Very few companies actually have a policy that detects or checks the signature of the HID device when someone plugs in any external device.
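The control the paragraph says few companies have, an allowlist check on the signature of any HID-class device that appears, looks roughly like this. This is an added example, not code from the article or from Lucideus: the plug-in events, the vendor/product IDs, the approved-device list and the verdict rules are all constructed, and in a real deployment the events would come from the endpoint agent or the operating system's device subsystem rather than from a hard-coded list.

```python
# Added example, not the article's or Lucideus' own code: an allowlist check
# that flags HID-class devices whose vendor:product signature is not one of
# the corporate-issued keyboards and mice. All IDs below are constructed.

# USB interface class codes (these two values are the standard ones).
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08

# Constructed allowlist of approved input devices keyed by (vendor_id, product_id).
# A real list would be derived from the asset inventory of issued peripherals.
APPROVED_HID = {
    (0x1001, 0x0001),  # constructed: standard-issue keyboard
    (0x1001, 0x0002),  # constructed: standard-issue mouse
}


def classify_device(event, approved=APPROVED_HID):
    """Return (verdict, reason) for one plug-in event.

    event: {"vid": int, "pid": int, "interfaces": [class codes], "serial": str}
    verdict is "allow" or "block".
    """
    ifaces = set(event["interfaces"])
    key = (event["vid"], event["pid"])

    if USB_CLASS_HID not in ifaces:
        # Plain storage etc. is the existing removable-media policy's job.
        return ("allow", "not an HID device; subject to the removable-media policy")
    if USB_CLASS_MASS_STORAGE in ifaces:
        # A device that is both a keyboard and a disk is the pattern the
        # article warns about; treat it as policy evasion by default.
        return ("block", "HID combined with mass storage in one device")
    if key not in approved:
        return ("block",
                f"HID device {event['vid']:04x}:{event['pid']:04x} not on allowlist")
    return ("allow", "approved HID device")


def audit(events, approved=APPROVED_HID):
    """Run the check over a batch of events; return [(serial, reason)] for blocked ones."""
    blocked = []
    for e in events:
        verdict, reason = classify_device(e, approved)
        if verdict == "block":
            blocked.append((e["serial"], reason))
    return blocked


# Constructed plug-in events, as an endpoint agent might report them.
SAMPLE_EVENTS = [
    {"vid": 0x1001, "pid": 0x0001, "interfaces": [0x03],       "serial": "KB-0001"},
    {"vid": 0x2002, "pid": 0x0010, "interfaces": [0x08],       "serial": "USB-STICK-7"},
    {"vid": 0x3003, "pid": 0x0ABC, "interfaces": [0x03],       "serial": "UNKNOWN-HID-1"},
    {"vid": 0x4004, "pid": 0x0077, "interfaces": [0x03, 0x08], "serial": "COMBO-2"},
]


if __name__ == "__main__":
    for serial, reason in audit(SAMPLE_EVENTS):
        print(f"BLOCK {serial}: {reason}")
```

The design choice worth noting is the default: unknown HID devices are blocked rather than logged, because an unexpected "keyboard" appearing on a finance workstation is precisely the event the removable-device policy was meant to prevent. The cost is that legitimate composite devices (a keyboard with a built-in card reader, say) must be added to the allowlist explicitly, which is the granularity the section argues CISOs should be paying attention to.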
Usually, if one looks at the policies CISOs make, they don’t invent them; rather, they just follow compliance and standards. Hackers can read those too. CISOs have to get into the mind of a hacker, think about what a hacker would do and what innovative ways he might deploy to breach the systems, and then work out the defenses from there. They have to understand what they are dealing with. The mantra is to pay attention to details and granularities that might otherwise be ignored.