Hello,
My name is Paul. This is my first post here. I have come because I am the CISO for a county government and bigwigs at the state are pressuring me hard to do something I think is a terrible idea from a security standpoint, and right now I have no one else in my corner. I just wanted to see if other security professionals see the same problems I do, or if I am just overreacting. So here is the scenario... the state is moving towards a new system for the 911 call centers. They have contracted a private company to do security assessments of all of the networks hosting 911 call centers... which I understand. My problem is that the result of this will be the aggregation of the network architecture and vulnerabilities of all of the 911 call centers in the state in the same place. I have offered to spend days with anyone they send reviewing our security practices. I have offered the results of other security assessments we have done as long as they are not uploaded to the repository. But they will not budge, and they are now starting to make threats that may end up costing me my job. Before I surrender to protect my job or stick to my guns to do what I believe is the right thing, I would like some alternate viewpoints from other CISSPs out there. Thank you for your time and your thoughts.
Paul
I wouldn't call this an overreaction, but rather put it in the due diligence category to protect the County. I'd only be comfortable doing this if I could see the risk analysis or third-party risk assessment the State conducted on the Private Company. I'm assuming they have to meet certain security standards to be a vendor for the State, because in mine they do.
I appreciate your response... and I understand where you are coming from, but to me, the SolarWinds hack changed everything. I am not looking at this from the standpoint of how do I check all of the boxes I need to in order to say I did the right thing. I am looking at this from the standpoint that, no matter how big you are, how much you spend on cyber security, or how good your policy is, safety cannot be guaranteed. Now in most cases, I understand risks have to be accepted. But I think this case is unique because of how dangerous the information could be if it fell into the wrong hands. One 911 call center or 10... maybe not so big a deal. But the vulnerabilities of all of the 911 call centers for the whole state in one place? I'm not ok with that.
Although I agree that aggregation and dissemination of vulnerability reports creates a risk, I think the more defensible position would be about securing the repository and perhaps implementing different levels of access (e.g. politicians need summaries and remediation costs for "everything", whereas techies need details and remediation steps for "their" systems).
I also think it is important to identify who "owns" the asset to figure out who gets access to its vulnerability data. Fundamentally, it is the system "owner" that gets to make the final decision (although with "expert" advice). If the State provides the system and pays its bills, denying them access to an assessment of their asset seems like a losing battle.
Also, don't forget about the dollars that assessments bring to remediation budgets.
So my thoughts are these:
1) Vulnerability assessments, pen tests, etc. are a snapshot in time. It is how vulnerable you were at that moment.
2) If your bosses want to do this and you have voiced your opinion about it and they still want to continue, then that is their choice and their prerogative. I would document their risk acceptance of storing the results in one place and then move hard on fixing the vulnerabilities. Remember, as the system owners they have the choice to accept any risk. Your job as the CISO is to inform them and then document that they knew the risks and accepted them.
3) If they refuse to sign any risk acceptance documents, then work hard on the remediation. Do not let them just hand this off to IT to remediate. You need to take charge and hold Plan of Action and Milestones (POA&M) meetings. Assign tasks to people or teams to remediate it and track completion. Hold progress meetings to ensure it is not being forgotten about.
4) If you are worried about your county's data being intermingled with others then do what you can to make sure your county's vulnerabilities get fixed. Remember, those assessments are just a snapshot in time and if you fix the vulnerabilities then they hold no danger for you (or at least a mitigated degree of danger).
You have voiced your opinion and now is the time to move on. As a CISO myself, I would not risk my career over this. I would give them the data and then make sure it was no longer accurate for the vulnerabilities with my systems.
Also consider this. If they see the same problem throughout all counties, then they should be able to get more resources to fix it faster and maybe cheaper than if they do one county at a time. You may not be seeing the big picture, and they may have more data than you know, but they need it all to come up with an enterprise or statewide solution.
The problem you're describing could be more of a DR / business continuity issue. It may be worth identifying anyone working in that area at a state level and advising of the continuity risk. Ultimately, as @CISOScott suggested you may be facing a situation in which the decision has already been made and your warnings begin to be perceived as a blocker to change. Allowing that perception to continue would not be a good thing, so you'd need to follow risk management practice and ask for formal acceptance of the risk, rather than allow yourself to get put in the politically inconvenient category.
I’d just add that if there’s a worry about the data going walkies, it’s generally affecting all the uploaders, aggregation is a concern, and the provider isn’t meeting requirements, you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification, as Diana points out, can then be somewhat enforced, with different views for different groups.
@Early_Adopter wrote: ... the provider isn’t meeting requirements, you might consider specifying some (perhaps obnoxious) DRM as a required compensating control, with MFA to access the data and positive review of access logs as a requirement. Classification, as Diana points out, can then be somewhat enforced, with different views for different groups.
Another aspect: if any of the networks are managed under contract by external providers, the results of the audit are likely intellectual property of the provider, and cannot be maintained by the county government except under specific legal or contractual requirements. And that information control would definitely have to be part of the "get out of jail" test and intrusion agreements between the audit company and the provider, agreements that the county is not a primary participant in.
Craig