Awake at Night CISOs
by

By Dr. Thomas P. Keenan, FCIPS, I.S.P., ITCP in collaboration with Ron Murch, I.S.P., IPCP – both with the University of Calgary.

What happens when you put a dozen of Canada’s leading Chief Information Security Officers into a (virtual) room for a frank discussion of their biggest challenges?

In a session led by Derek Manky, Chief of Security Insights, FortiGuard Labs (Fortinet’s threat research and intelligence division), and moderated by Bobby Singh, CTO and CISO for the TMX Group, problems were raised, examples were given, questions asked, and answers proposed. For privacy reasons the people and companies attending, aside from the presenters, are omitted here. A recording of the session is available exclusively to CIO Association members here.

IDENTITY. was a key concept raised by Manky, who noted that it wasn’t such a big thing 20 years ago. “In the last ten years, we saw identity going from stolen credit card information to things like health records which have an even higher value on the Dark Web.”

However, identity and access management work both ways – the “Bad Guys” have to ”validate” both their targets and their customers to have credibility for their scams. And, the “Good Guys” are constantly trying to identify the real identities of the “Bad Guys” to catch them.

“The bad guys even have affiliate programs,” he laughed. “At Fortinet, we are also trying to find the identities of the cybercriminals.” He says, “they’ve had some success, uncovering one crime organization with four different groups totalling 46 employees, who were running 409 scams, romance scams, but the biggest thing was payment diversion fraud. They were intercepting accounts payable invoices and forging SWIFT bank codes. They were able to steal about $61 million over three months.”

Are security services companies like Fortinet obligated to go to law enforcement if a client contacts them? Manky said no, though they have worked with Interpol on cases and have succeeded in getting arrests and prosecution.

THEM VERSUS US. The bad guys are driven by two main motivations, money and reputation among their peers. They have all sorts of tools at their disposal to thwart our defences. “It’s very cheap for cybercriminals to do things like spoof IP addresses, changing them 5 or 10 seconds later. So blocking by IP addresses doesn’t work anymore.” He advocates a much more active approach and notes that “I don’t think there’s ever going to be a silver bullet.” Nor will there be a one size fits all approach. The cloud has certainly further complicated identity management. Manky mentioned that he’s on an INTERPOL working group on cybercrime and that inter-agency co-operation is becoming even more important.

COVID-19. Allowing people to work from home was always a challenge, even more so in a crisis – and especially during the COVID-19 crisis, because companies had to transition to remote workforces so quickly. “We’re always at a disadvantage since cybercriminals can adapt quickly.” In fact, there are reports of how quickly they pivoted when COVID-19 struck, taking advantage of the fact that people were working from home and could be more susceptible to a bogus “please send a wire transfer today” email that looks like it’s from the boss. It’s kind of BYOD to the max since some people are using computers at home that are shared with other family members, who may not practice good cyber-hygiene. Telework makes the need for multi-factor authentication even more critical.

One attendee noted that his company has “sped up our project to get rid of our VPN,” moving instead to SaaS. There was a consensus that the job of the CISO is getting more and more complex – and cybersecurity is now also being better recognized at the Board of Directors level as a critical element of business risk that merits deliberate attention, funding, and management.

ARTIFICIAL INTELLIGENCE. We’re seeing criminals now using AI tools to target their spearphishing campaigns, and also doing more voice phishing. “To respond we’re developing playbooks at Fortinet,” says Manky, “focusing on the attribution of the cybercriminals, right down to their handles, phone numbers, etc.” In response to a question about whether there will ever be a purely technical solution to cybersecurity, Manky opined “I don’t think there’s ever going to be a silver bullet. There will always people involved, but there are often gaps that we can find and try to plug.”

GETTING HELP. One attendee asked if using social media logins in the business context made sense, and the answer was a resounding “No!” You need to keep identity and access management under your company’s control. Third-party solutions all bring their issues, especially when integrating them with legacy software, and other organizations’ and jurisdictions’ security and identity frameworks, etc. One attendee said that “Once you buy a solution, it’s expensive, it’s complex and you still have to customize. If you do it yourself, you have to manage it.” There’s no escape from the truth that “security is hard work” and probably needs a larger share of the company’s IT budget and risk management attention to be successful.

One clear thing is that frank discussions like this, which in the past might have been over a cup of coffee or something stronger, in person, are more vital than ever. We’re all more alike than different in terms of our challenges and solutions, and sharing wisdom is the only way we will get through this, even in an age of COVID-19.

The next discussion is scheduled for May 29 and will continue the discussion into various aspects of Identity.