IT security is a bit of a strategy game, according to Brian Kelly, chief security officer at Rackspace.
Kelly first got involved in cyber security while working for the US government in the late 1980s and early 1990s, trying to figure out information warfare.
“Even though we didn’t really understand it, the government created an information warfare centre of excellence – a defence squadron, a hunt squadron and an offensive squadron,” he says.
From his experience as a seasoned security pro, rather than running scared, Kelly believes it is necessary to engage with the hackers in gameplay. Combating the hacker’s attack is analogous to playing a game with a joystick or an arm-wrestling match, he says.
“They will throw an attack at you. Hopefully, they won’t be successful. But they will go away for eight, 10, 12 or 15 minutes, recompile their hack and come at you again.
“And so you have to defend against the next wave of attack. If they are not successful, the hacker may attempt the attack a third time. So you get this view that there is someone on the other side of the world and you are just arm-wrestling with them.”
During an attack, he says, there is often an “A team” and “B team” of hackers. “The B team do the reconnaissance. They are noisy and sloppy. They are trying to map the network. Then there is a pause and, within an hour, the A team come in to arm-wrestle with you.”
Some organisations tempt hackers in with a honeypot, to catch them trying to break into a network. For Kelly, a reasonable strategy to thwart an attack is to tie up the B team, possibly leaving a few “cookies” for them to steal, and lead them to a place on the corporate network where their activities can easily be monitored and the security team can learn about the attack vectors being tried.
But fighting a determined A team hacker is tough and the IT security tools that the security teams rely on will start to fail, warns Kelly. “How adaptive are the tools, given that the attack can change within eight, 10, 12 or 15 minutes?” he says.
Little job security
While jostling with hackers may seem like gameplay, chief security officers have the shortest tenure of any C-level executive. On average, they tend to last about two years in a role.
But Kelly seems to be beating the odds and has been at Rackspace for more than two and a half years. “I think people still get fired for security flaws,” he says. “The chief information security officer is the classic fall guy. But I would be hard pressed to point to any one individual and say they are ultimately responsible. Security is a complicated business.”
Kelly sees the job of chief security officer as about making it as hard as possible for a hacker to break into the corporate IT system to steal data or cause damage. “We need to build the right plans,” he says. “Be practical and realistic, but an attack is going to happen, and you can’t just rely on a checklist when it does.”
Checklists miss the point
Among his pet peeves is the incident response checklist, which details the actions that various people must take in the event of a data breach or hacking attack. Experiences from his previous work at the Department of Homeland Security have convinced Kelly that no checklist can cover all possibilities.
“This stuff does not follow a checklist,” he says. “We used to train people to identify the desired outcome of an attack and recognise that there are multiple ways to get that outcome.” From a business continuity perspective, he says: “The most important part of the training is to know what can go wrong.”
For instance, he says, even a seemingly straightforward procedure, such as restoring a system image, can fail and a good investigator must be prepared for situations such as if the backup disc on which the image is stored fails or the power supply breaks or the image itself is somehow corrupted.
Kelly would like to think Rackspace would take a firm stand against a ransomware attack.
But he says: “There are cases where corporations have paid up because they knew they had got caught. Companies may be in a real jam. The data has not been backed up, it’s high-value data, there is a sense of urgency and the only way to recover the data is to pay up.
“But it is a risk. We also know of cases where companies have paid up and the hackers have not decrypted the data. So there is no guarantee you will get your data back. The more we play the game and pay the ransom, the higher the likelihood they will do it again.”
Kelly urges CEOs to ask the CSO questions about the worst-case scenarios the organisation currently faces, which may lead to security teams working differently.
As a general rule, he feels access management is poorly handled. “It is easy to grant access and we don’t put the time and effort into well-thought-out granular access,” he says. “Role-based access is part of this, but we should ask if it is really necessary to require access to do your job.”
Kelly adds: “The whole identity and access management world has been clunky and expensive. It’s like implementing ERP [enterprise resource planning] or CRM [customer relationship management]. They are highly complex, multimillion-dollar software packages. We have to come up with a much more effective way to manage all access.
“You hear all this chatter about advanced persistent threats and attacks with crazy names, but it’s the fundamentals that are really getting people.”
Poor awareness of phishing and insufficient access management controls are among the most common reasons for security breaches, says Kelly. “Why are people still running old, outdated protocols, have excessive network ports open and systems unpatched? You have to pay attention to good IT hygiene.”
Keep it simple
Kelly is not a fan of the stack of boxes needed to secure a modern datacentre. “Complexity is the enemy of security,” he says. “If we build out independent systems, we are asking for trouble. Is there a single management system? At Rackspace two years ago, the top four appliances in the racks were security appliances. The question is, how do you manage all this?
“It’s unsustainable. You cannot manage systems where each component does a piece of security. We have to rethink on a clean sheet of paper how to do security.”
Kelly believes the real opportunity is to have security at the application and user layer, which is the architecture used by Google. “There are little companies now starting up using microservices and only authenticate you for one service,” he says. “This will change the game. The network is dark to everyone.”
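Kelly's two points about access, that grants should be granular and questioned rather than handed out broadly, and that each service should authenticate and authorise the caller on its own, can be shown with a small policy check. The following is an added illustration, not code from Rackspace or from Kelly; the roles, users, services and the access log are all constructed for the example. The `authorize` function is a per-service, default-deny check, and `unused_grants` performs the "is this access really necessary?" review by comparing what a role grants against what the user has actually exercised.

```python
from collections import defaultdict

# Constructed policy (an assumption for this example, not any real organisation's):
# each role maps to the (service, action) pairs it may use.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "billing-reader": {("billing", "read")},
    "billing-admin": {("billing", "read"), ("billing", "write")},
    "support-agent": {("tickets", "read"), ("tickets", "write"), ("customers", "read")},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"support-agent"},
    "bob": {"billing-admin"},
    "carol": {"billing-reader", "support-agent"},
}


def permissions_for(user):
    """Union of every (service, action) pair granted through the user's roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, service, action):
    """Per-service authorisation check, evaluated by the service being called.

    Default deny: an unknown user, an unknown role, an unlisted service or an
    unlisted action all return False. Nothing is implied by network position.
    """
    return (service, action) in permissions_for(user)


# Constructed access log: (user, service, action) triples actually exercised
# over some review period.
ACCESS_LOG = [
    ("alice", "tickets", "read"),
    ("alice", "tickets", "write"),
    ("bob", "billing", "read"),
    ("carol", "tickets", "read"),
    ("carol", "customers", "read"),
]


def unused_grants(log, users=USER_ROLES):
    """For each user, list granted (service, action) pairs never seen in the log.

    These are the candidates to question or revoke: access that was granted
    because it was easy to grant, not because the job needed it.
    """
    used = defaultdict(set)
    for user, service, action in log:
        used[user].add((service, action))
    return {u: sorted(permissions_for(u) - used[u]) for u in users}


if __name__ == "__main__":
    print("alice may write tickets:", authorize("alice", "tickets", "write"))
    print("alice may read billing:", authorize("alice", "billing", "read"))
    for user, grants in unused_grants(ACCESS_LOG).items():
        print(f"{user}: unused grants -> {grants}")
```

Running it shows `carol` holding billing read access she never used and `bob` holding billing write access he never used, which is exactly the kind of accumulated, unquestioned access Kelly describes. Because `authorize` is called by each service with the caller's identity rather than trusting the network, a user who reaches a service without a matching grant is refused regardless of where the request came from.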
Kelly says governments must continue to invest heavily in cyber security and work with the private sector.
Computer Weekly spoke to Kelly soon after the Manchester terror attack. As Computer Weekly has reported today after the London Bridge attack, the prime minister, Theresa May, is looking at how to regulate the internet. Kelly is a strong believer in strong encryption.
“I often say, if we are really honest, very little security has worked reliably or effectively,” he says. “This is why we ended up with complexity. The exception is encryption, which has worked reliably. It is extremely important and to be effective, you can’t tinker with it, build backdoors and make exceptions.
“Security is all about trust. Once the trust is eroded, bad things happen. We have to get smarter tackling the bad guys.”