Executive Points of View

Hard Hitting Commentary on the Business World


Our Work

July 20, 2021 / December 12, 2025

Menu of Services and Organizational Alignment

By Joe Marroquín

Grant Shih and Joe Marroquin discuss Menu of Services and Organizational Alignment on this episode of Executive Points of View:
1) What menu do you, as an executive, offer your internal customers?
2) What menu does your company provide to its end customers?
3) Making the internal shift to align the organization for complete end-customer focus

 Business Strategy, EPoV, Videos
July 12, 2021 / December 12, 2025

Cybersecurity in the Cloud Age

By Joe Marroquín

Grant and Joe discuss:

1) How to gain the attention of the C-Suite for cybersecurity projects
2) The changing cybersecurity landscape boundaries in a cloud world
3) C-Suite specialization and its impact on the corporate mission

 CyberSecurity, EPoV, Information Technology, Videos
May 31, 2021 / August 20, 2021

The Colonial Pipeline Incident Interview: Critical Infrastructures, CyberSecurity, and Terrorism

By Joe Marroquín

Joe Marroquin recently had the opportunity to sit down with Professor Dennis Brown of Kennesaw State University on this special extended edition of Executive Points of View to speak about the longer-term impact of the Colonial Pipeline ransomware attack on cybersecurity for critical infrastructure.

 Compliance, CyberSecurity
April 25, 2021 / August 20, 2021

Cybercrimes Triangle

By Joe Marroquín

We are in the midst of a cybercrime wave. For many security professionals, it’s manifesting as an increase in sophisticated phishing activity. Others are becoming victims of ransomware. Still others are seeing an increase in brute force attacks on their networks. Cybersecurity is quickly taking center stage in the c-suite and in boardrooms across the world. CISOs and cybersecurity professionals are busier than ever, and they are looking for ways to organize their approach to the CISO function.

Think of the emotions you would have if someone walked into your residence and took your most valued possessions. Your reaction is normal if you answered that you would feel angry, frustrated, victimized, or violated. Tell your story to some friends at your favorite Friday night restaurant and watch their reactions. Now, imagine that your friends leave the restaurant at 8:30 pm and head home, but you decide to stay behind. When you finally do leave, you leave alone and decide to take a shortcut through a darkened alley. You are accosted by a couple of thugs hiding behind a dumpster – you are beaten, and they take your jewelry and your purse with all your money, driver’s license, credit cards, and keys.

Because we are seldom confronted by a physical criminal, many of us in information security tend to forget the reality that behind every phishing e-mail, behind every ransomware attack, behind every brute force attack against our networks sits a criminal. Even a 16-year-old kid hacking into your network to see if he can is the equivalent of a very disrespectful trespasser jumping your fence and violently shaking your back door at 3 am to see if he can get in. We should never lose sight that we are in the business of not only safeguarding our company’s property but also dealing with criminals. Some of these people are very scary and they will hurt you.

In the 1970s, criminologists Marcus Felson and Lawrence Cohen developed Routine Activity Theory. What these two gentlemen began to notice is that crime tends to occur in clusters, like darkened alleys, late at night, in certain parts of town. Their theory was foundational in part because the theory extended our understanding of criminal activity beyond the offender and encompassed broader environmental factors. In time this theory gave rise to crime triangles, which are similar to the fire triangle.


A fire triangle presupposes that for a fire to exist, a source of fuel must be present, along with oxygen and heat. The presence of fuel, oxygen, and heat creates the conditions that allow the chemical reaction of fire to sustain itself. Deprive a fire of any one of these needed elements and the fire triangle collapses. Firefighters do this through a variety of tools. Water is favored because it is plentiful and takes heat away from a fire, causing it to extinguish. Sometimes firefighters use a special kind of foam that forms a barrier between the fuel and the atmosphere, depriving the fire of the oxygen needed for combustion.

Crime triangles operate in a similar fashion. In order for a crime to happen, three factors must be present: the victim, the criminal, and an opportunity. In the example at the beginning of the article, a crime occurred because a person decided to walk through a dark alley late at night where two criminals were present. The criminals and victims were present and the criminals had an opportunity to perpetrate a crime. The crime triangle formed.

If the victim had never taken the shortcut through the darkened alley, the victim would not have been present and the crime triangle would have collapsed. The same would be true if a policeman guarded the alley and strong lighting illuminated it. In that case, the criminals would have been deprived of an opportunity to commit a crime. Finally, if a previous police roundup had arrested the criminals for other crimes, the criminals would not have been present in the alley to commit the crime.


The lessons from using crime triangles were multifold. First, they moved us away from thinking only about criminals and forced us to think about our own actions and about the environment conducive to crime: the opportunity. This allowed proactive policing to focus on all the factors that foster crime: the opportunity for crime, the presence of criminals with intent, and the behavior of victims.

In the context of being a corporate security officer, it’s sometimes useful to adopt proven tools that have worked well in the past. The crime triangle is an example of a good tool. Like crimefighters of the early 20th century who focused exclusively on the criminal, cybersecurity experts today tend to focus almost exclusively on vulnerabilities. A question that the author asks routinely at conferences is whether the authorities were called after a cybersecurity breach. It’s uncomfortable to hear that too many times the authorities are never contacted, even when there are direct ties to a US domestic criminal element.

Cybersecurity professionals many times fall into the misconception that a creator of viruses or phishing scams always hails from a faraway country and that focusing on eliminating vulnerabilities is the only approach to protecting against cybercrime. The threat is merely accepted. Cybercriminals walk among us. They could be sitting in the chair next to you at a security conference. Even if the cybercrime is international in nature, sharing it with local authorities can be helpful. US law enforcement does coordinate with multiple legal entities around the world, and we do bring criminals to justice – even those in faraway lands.

If you suffer a cybercrime against your company, prudently encourage the officers of the company to share as much information as they can with the relevant authorities, in alignment with your company policy. It’s natural to feel shame or to worry about public exposure, so develop a plan that works for your company and that helps authorities bring bad actors to justice. Every cybercriminal who is arrested and prosecuted is one less targeting our enterprises.

On the other leg of the triangle, work to lower your company’s profile as much as possible. It’s natural to feel pride in the great success your company is enjoying, but don’t be overly prideful of your company or of your unique solutions. Many times corporate employees are too willing to share the particulars of their application or network landscape with vendors and third parties without considering that criminals could use that information to target the enterprise. Sometimes company executives require harsh NDAs with a vendor but go on to share very detailed company diagrams, publicly boast at conferences of the very valuable information held by their companies or their long list of prestigious clients, or tout the efficacy of their cybersecurity program – sometimes directly challenging criminals to target them. Share your business case with your qualified prospects and be guarded with everyone else. In other words, don’t lock your front door and leave your back door and windows wide open. And, whatever you do, don’t taunt the criminals – they can get in and they will, particularly if they are motivated.


If you haven’t already, please consider thinking of information security as a criminal matter. Behind every kid hacker is a trespasser jumping your fence and testing your doors at 3 am to see if they’re locked. Someone who codes viruses is the same as a vandal who willingly takes a baseball bat to your mailbox. Behind every ransomware attack is a real criminal who is looking to take your property by force and fear. Behind every hack or phishing attack is a criminal who is attempting to steal your information or your customers’ valuable property. These are not good people. These are people you would not welcome into your home. These are people who should be prosecuted. It’s going to take all of us working together to control the wave of cybercrime that we are experiencing:

  • Bad Actors (point them out to the authorities): There are many bad actors, both international and domestic. Develop a policy within your company directing the coordination with local authorities depending on incident type. Reach out to and coordinate with your local authorities. Every ransom paid, whether from insurance or out of company funds, empowers criminals and further develops the criminal ecosystem. Every incident where law enforcement is not consulted is a lost lead that potentially leaves a criminal out in the field to attack another corporation. Even if you don’t think you get much value from your police relationship, sharing as much information as you reasonably can provides valuable leads for law enforcement to follow. Those leads could lead to the removal of a criminal or criminal syndicate from the ecosystem.
  • Vulnerabilities (have a comprehensive plan to protect your property): No security program can protect against all vulnerabilities. Identify the most important information that you have to protect, your crown jewels, and focus on protecting that critical information. Use the various standards, like ISO27002, NCSC, ETSI’s TC CYBER, or NIST, to develop a pragmatic plan to protect your vital information and critical process vulnerabilities. Establish a compliance program and follow it diligently. Leverage formal audits and attestations like SOC1/SOC2 to audit your processes and ensure compliance. Subscribe to best practices from product vendors regarding network architecture, patching, and updating of systems, and use virus protection. Finally, leverage professional networking groups to network with your peers and keep up to date on the ever-changing security landscape.
  • Your Company (don’t unnecessarily advertise that you have items of value, and don’t share your treasure map): Have a policy over the types of information that your company can share with the public, with third-party vendors, with customers, and with partners. Do not unduly share the type of information your company deals with, your network architecture, or details of your security processes and procedures. Even seemingly innocuous details, like always appending your title to your e-mails, could be used by criminals to map out your organization (use signature lines for introductory e-mails only). Do not elevate your company’s posture unnecessarily.

In summary, do everything you can to eliminate as many vulnerabilities as possible. Lower your profile by not exposing your company’s information. If you see a crime or are a victim of a crime, share as much as you can with the local authorities so that the next innocent person who walks down a dark alley has less of a chance of becoming a victim. And, avoid walking down dark alleys at night.

References:

Cohen, Lawrence E.; Felson, Marcus (1979). “Social Change and Crime Rate Trends: A Routine Activity Approach”. American Sociological Review. doi:10.2307/2094589. JSTOR 2094589.

Lynch, James P. (1987). “Routine Activity and Victimization at Work”. Journal of Quantitative Criminology. doi:10.1007/BF01066832. JSTOR 23365566.

Pratt, Travis C.; Holtfreter, Kristy; Reisig, Michael D. (2010). “Routine Online Activity and Internet Fraud Targeting: Extending the Generality of Routine Activity Theory”. Journal of Research in Crime and Delinquency. doi:10.1177/0022427810365903.

About the Author:

Joe Marroquin is a CISO and cybersecurity professional. A former U.S. naval officer and combat veteran, Joe spent the last 25 years consulting for Fortune 500 and Global 50 corporations. A c-suite executive and board advisor, Joe is a published author and public speaker who writes and speaks on security and on the intersection of business and disruptive technologies.

 Articles, Compliance, CyberSecurity
February 25, 2021 / August 20, 2021

The Veiled Threat of the Solarwinds Cyberattack

By Joe Marroquín

You’re an airline pilot, responsible for 290 souls who are seated a few feet behind your cockpit door, enjoying a meal. You’re flying a state-of-the-art Boeing 787 on a long-haul flight from San Francisco to Sydney. You’re cruising at 41,000 feet, flying over water, thousands of miles from the nearest land. You see storms looming out of the cockpit windows: the Intertropical Convergence Zone. Suddenly, most of your cockpit’s instrumentation lights go dark. You no longer have an indication of your altitude or airspeed. You don’t know the condition of your engines or other mechanical equipment. You don’t have communications with the outside world. You’re flying blind, at night, over water, far from shore, with a gigantic responsibility on your shoulders: 290 souls, your crew, a $300 million aircraft, the reputation of your company, your colleagues, and maybe even the reputation of your country. Airline pilots are trained to deal with casualties midflight. They’re trained not to panic. They’re trained to follow their procedures in a structured and methodical fashion. Still, they’re human, and somewhere in the back of their minds, they understand the gravity of the situations they face and of their grave responsibilities.

The feeling that the airline pilot likely felt in the example above is akin to the feeling that any major corporate CIO/CTO would have if he or she were running the technology infrastructure for a multi-million dollar company and was forced to turn off the monitoring and alerting systems on short notice, as CISA recommended during the peak of the Solarwinds breach in December of 2020. These are the systems that monitor services that are sometimes nationally critical, generating the revenue the company needs to meet the payroll of thousands and to satisfy investor obligations. Without alerting and monitoring, you’re blind to much of the key information that you require to keep your enterprise operating in a safe condition. Without alerting and monitoring, you lose the ability to see other threats.

Two items glaringly stood out from last year’s Solarwinds breach: 1) the vector of the attack, targeting an alerting and monitoring platform, and 2) the fact that Solarwinds is reported to have used a weak password on their update server, “Solarwinds123”.

Attack Vector

At the risk of mixing metaphors, one of the first actions that the US military took during the invasion of Iraq in 1991 was to eliminate Saddam Hussein’s radar installations. Coalition military forces did not want Iraq to be able to see or target coalition aircraft. Similarly, a serious cyberthreat actor working to attack critical infrastructure would first intelligently seek to blind his opponents by denying them the use of endpoint management technologies and monitoring and alerting technologies.

The Solarwinds attack might have been a template for how future cyberwarfare, cyberespionage, and cybertheft attacks might begin. Information security professionals should be alert to the reality that threat actors might look to compromise the very tools that we use to protect our enterprises as a first step and as a precursor to a broader attack. The mechanisms to protect against such attacks exist. Diversify your security portfolio: use network segmentation and leverage multiple tools and technologies so that if you have a breach in one, you still retain coverage in another. This of course comes at the added cost of complexity in the environment and the lack of centralization, as well as the additional cost of staff who must be trained in multiple products. So, the answer is easy, but it doesn’t come without costs.

Compliance

The second glaring issue that arose from the Solarwinds attack deals with compliance. Virtually every information security and compliance program standard, like ISO27001, NIST, TPN, CMMC, SSAE18, TSC, etc., has a core component that deals with Access Control. Virtually every auditing and certification group will evaluate a company’s Access Control policy and its execution.

Solarwinds’ website states that their datacenters pass a SOC2 Type 2 audit:

Access to areas where systems, or system components, are installed or stored is segregated from general office and public areas. The cameras and alarms for each of these areas are centrally monitored 24×7 for suspicious activity, and the facilities are routinely patrolled by security guards. Servers have redundant internal and external power supplies. Data centers have backup power supplies, and can draw power from diesel generators and backup batteries. These data centers have completed a Service Organization Controls (SOC) 2 Type II audit and are SSAE16 accredited.

As a CISO responsible for information security and compliance for a global organization, I deliver SOC2 Type 2 reports so I understand the seriousness with which these audits are conducted, which are designed to provide a degree of assurance to the organization and give confidence to customers that our systems are being operated in the manner in which they were designed. Was the Solarwinds SOC2 current? Did the Solarwinds SOC2 cover the correct controls like access control?

Solarwinds also has a section on its website that addresses Access Control:

Access Controls – Role Based Access

Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.

Authentication and Authorization

We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password best practices enforce the use of complex passwords that include both alpha and numeric characters, which are deployed to protect against unauthorized use of passwords. Passwords are individually salted and hashed.

SolarWinds employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines. Approvals are managed by workflow tools that maintain audit records of changes.

The statement does not explicitly call out that passwords are changed on a regular basis but the statement does cover strong passwords. It seems like Solarwinds has a password policy and that their procedures are audited. So, what happened? Do they have an effective program that is auditing all of the areas needed or are the words on the Solarwinds website simply boilerplate?

Reports are that cybersecurity professionals had warned Solarwinds since 2019 of a known vulnerability: the use of simple passwords for the Solarwinds update server. As a CIO friend recently stated to me, “Was the convenience of access for an $85,000 a year engineer worth putting the entire company and the ecosystem of important customers that the company served at risk?” Did the engineers who used the simple password, themselves professionals, not recognize the significant risk of their actions? Were the engineers trained in best practices? How did this simple password control break so badly? Why was this shortfall never uncovered by their audits? Why did warnings of this vulnerability go unaddressed?
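As an added example (not SolarWinds’ code or policy), the check below shows why a complexity rule worded as “alpha and numeric characters” is satisfied by “Solarwinds123”, and what a hardened check applied at account provisioning would add. The 14-character minimum, the company/product-name denylist, and the tiny compromised-password sample are constructed assumptions.

```python
import hashlib
import os
import re
from typing import List, Tuple

# Assumptions for this example: names an organization would deny in passwords,
# and a constructed stand-in for a real compromised-password list.
ORG_NAMES = ["solarwinds", "orion"]
COMPROMISED = {"password", "welcome1", "admin123"}
MIN_LENGTH = 14

# Common substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def meets_alpha_numeric_rule(pw: str) -> bool:
    """The rule as worded on the vendor page: at least one letter and one digit."""
    return bool(re.search(r"[A-Za-z]", pw)) and bool(re.search(r"[0-9]", pw))


def _core(pw: str) -> str:
    """Reduce a password to the word it is built on.

    'Solarwinds123' -> 'solarwinds', 'S0larw1nds2020!' -> 'solarwinds':
    lower-case, drop trailing digits/symbols, then undo leet substitutions.
    """
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def evaluate(pw: str) -> List[str]:
    """Return the reasons the password fails the hardened policy (empty = accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not meets_alpha_numeric_rule(pw):
        reasons.append("lacks alpha and numeric characters")
    core = _core(pw)
    if any(name in core for name in ORG_NAMES):
        reasons.append("derived from a company or product name")
    if core in COMPROMISED or pw.lower() in COMPROMISED:
        reasons.append("appears in a known-compromised password list")
    return reasons


def store_password(pw: str) -> Tuple[bytes, bytes]:
    """Enforce the policy at provisioning, then salt and hash (per-user salt, PBKDF2).

    Salting and hashing, as the vendor page describes, protects a stored credential;
    it does nothing for a password that is guessable in the first place, so the
    policy check has to run before anything is stored.
    """
    reasons = evaluate(pw)
    if reasons:
        raise ValueError("password rejected: " + "; ".join(reasons))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 600_000)
    return salt, digest


if __name__ == "__main__":
    for candidate in ["Solarwinds123", "S0larw1nds2020!", "harbor-lantern-42-quiet"]:
        print(candidate, "alpha+numeric:", meets_alpha_numeric_rule(candidate),
              "hardened:", evaluate(candidate) or "accepted")
```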

Third-Party Vendor Management

This brings us to our final topic: Third-Party Vendor Management. Solarwinds claims to have a SOC2 Type II report. How many of the customers who use Solarwinds actually obtain the SOC2 report and read it? Was the report even available to customers? How many customers asked probing questions for any gaps within the report?

Third-Party Vendor Management programs generally fall into Governance, Risk, and Compliance, but sadly most GRC departments are understaffed and overworked. Some departments leverage technology tools but many third-party vendor management programs quickly devolve into mindless questionnaire exercises that create busywork to gather answers to questions from our vendors but which do little to help us understand the true risk associated with a product or vendor. You buy a tool and you claim victory. Some of these programs give us a sense of comfort that we’re doing something, but the reality is that in many cases the back doors could be wide open and we would not even know it — that should not be acceptable to any CISO. In this case, the back door was wide open.

Conclusion: A Wakeup Call

Solarwinds is a wake-up call and should represent a watershed moment for cybersecurity, compliance, and third-party vendor management. It merits more than a superficial reaction by the industry. First, the Solarwinds breach shows us the strategies and tactics that threat actors will likely employ in the future: target monitoring and infosec toolsets first, before launching other attacks. We must architect our security and monitoring solutions so that they are more resilient to these kinds of attacks: network segmentation, different toolsets from different vendors, backup plans for when a critical toolset is compromised, etc.

Second, the Solarwinds breach shows us the need to revisit our information security and compliance programs to gauge their effectiveness. It’s not good enough to pass an audit. Just because a program is audited does not mean that the correct controls are being evaluated or that adequate compensating controls are present. As cybersecurity and compliance professionals, it is not good enough for us to have programs “in name only”. It’s not good enough for us to put the boilerplate on our websites. We must continuously strive to make our environments better. No system is perfect, but we should demand excellence and continuous improvement every single day because there are very bad people out there who will take advantage if given even the smallest opportunity. We must have continuous improvement and excellence in our programs that elevate the bar on information security and compliance. As the threats evolve, so too must audit and compliance evolve.

Finally, Solarwinds should have us all revisit our third-party vendor management programs. If your organization uses Solarwinds and you or someone in your company never obtained the SOC2 Type II report and critically pored over it, looking for gaps, then you should ask yourself, “Why not?” The answer for most organizations is that their GRC departments are understaffed and overworked. At the end of the day, we can all blame Solarwinds for a breach, but the reality is that we all share some of the blame. When it comes to information security and compliance, the buck stops with the CISO, and it’s up to the CISO to make the case for the appropriate support to protect their enterprise.

 Articles, CyberSecurity
April 30, 2020 / December 12, 2025

Apex Assembly Panel Discussion: The Role you play in Diversity, Inclusion, and Leadership

By Joe Marroquín

Join us for an engaging panel discussion that explores the intersection of diversity, equity, inclusion, and leadership in today’s evolving workplace. Industry leaders and changemakers will share personal experiences, strategies for fostering inclusive environments, and insights on how diverse leadership drives innovation and organizational success. This session aims to inspire actionable change and empower attendees to become advocates for equity in their own spheres of influence.

 Speaker Reels
April 15, 2020 / December 12, 2025

Data Security: How to manage security around your critical data

By Joe Marroquín

In an age where data breaches and cyber threats are growing in scale and sophistication, protecting critical information is not just an IT concern—it’s a business imperative. This presentation explores the key principles of data security, the latest threat landscapes, and practical strategies organizations can implement to defend their most valuable digital assets. Learn how to identify vulnerabilities, enforce strong security policies, and build a resilient data protection framework that ensures compliance and earns stakeholder trust.

 Speaker Reels