Equifax, SEC, & Now Deloitte: Organizations Must Employ Offensive Security

In light of the recent data breach at Equifax I'm composing some thoughts in two posts.  The first post discusses the weaknesses in employing partial security solutions. This second post discusses why organizations must employ offensive security to stay ahead.

Hot off the Equifax news, last week we heard about a breach of the SEC EDGAR reporting system, and announced yesterday, Deloitte's private communications.  Organizations must start to think like would be attackers.

Offensive security is a school of thought, where a proactive approach is taken to computer security.  When people typically think of security, the first thing that comes to mind are traditional/defensive approaches: e.g. patching systems, strong passwords, employing firewalls, etc.  While defensive measures are essential, an offensive security approach focuses on penetration testing and thinking like an attacker, with a goal of finding weaknesses in your own organization's systems and software.

The Equifax / SEC / Deloitte breaches highlight the dirty secret of many large organizations:  they are virtual sitting ducks, a vulnerability away from complete compromise and data theft.  Organizations must start to build out their tech staff to include white-hat penetration testing teams, whose sole job is to hack internal systems and expose vulnerabilities to hold the rest of the IT and/or software development staff accountable.  These teams should include highly skilled and well compensated individuals, and be embraced at the highest level of the C-suite and board room.

In my work, I have stressed and carried out an offensive approach for years.  When new systems are being architected, a focus on security is a must; but once a system is in production, the work doesn't stop.  New attack vectors are uncovered by researchers each year, and internal processes and code can always be improved.  And, vulnerabilities are found - internally - and patched before they have been discovered by a remote threat.  It's this process, combined with defensive tools, that helps one stay ahead.

Internal hacker teams should not be seen as a threat to IT/software staff. Within a healthy corporate culture, accountability should not be a threat.  When Hacker A discovers a vulnerability authored by Developer B, what should follow is a teaching/learning experience.  When Hacker B finds flaws with a system managed by IT Staffer C, a teaching/learning experience should follow.

Organizations need to rethink their IT and software hiring practices and include people with penetration testing and offensive security skill sets, and set up a culture to reward the process.

In the coming months, there will certainly be pressure from shareholders and within industry to put a greater focus on security, which could be the silver lining of these recent high-profile breaches.  However, I fear that many organizations will get this wrong.  When under pressure, the tendency is to make announcements about adding staff.  Yes, but not if it's the wrong type of staff.  I'll discuss that last point more in a future post.

Posted: Sep 26, 2017