Its No Wonder Why Breaches Occur...

This is my personal experience in the Cybersecurity space and proof in practice as to why the security can be breached even in a company worth a $ 150 Billion with dedicated full blown SOC Capability. The idea of penning down this experience is to highlight how large enterprises tend to overlook their glitches causing breaches. Luckily there weren't any reported compromises during my tenure but as we all know - its just a matter in Time.

Disclaimer: The intention of this write up is to highlight only and only the security concerns and nothing else.

4 years ago; I was OPERATIONALLY engaged in a contract to deploy and manage 300 perimeter security devices to protect about 100 ICS Networks; yes, its Critical Infrastructure. When I got onboard, they gave me a picture of how they were doing it; with a POC which ran for a year, secured funding and managed all the procurement for another 6 months. Now it was time to execute. I got really charged; went through a full refresh on my Cybersecurity Domain knowledge - This is it...!!!

Upon joining; I reviewed the entire documentation of the project; the models to be deployed, Central Console to manage hardware devices, authentication mechanism, remote access of these perimeter devices, firmware versions and the ways and means to engage with stakeholders. Keep in mind every deployment at every site has to go through a strict change control procedure to account for the outage which is a 15 weeks process.

I got access to quite a few systems; all tested and all good. I also got a big excel file with data manually fed in 100 columns. THAT IS THE LIST OF PLACES WHERE WE HAVE TO DEPLOY THE SECURITY DEVICES. Out of curiosity; I inquired whether this is an extract from a Project Management Information System; PM said.... This is that system. You might want to go back and read the first line of this article. Yes, a $ 150 Billion company with excel as a PMIS. I felt as if I took a trip in a Time Machine, in just one 1 moment went 15 years back in Time and operated there for the rest of the duration of the project and below were few of the risks identified.

We were enabled with Office365 Ids and of course coupled with multi-factor authentication. I was also given access to a share-point site where all the project documents are maintained. Got few hiccups because: its a project in Critical Infrastructure; all the details of which including the design and architecture of the ICS Network along with Ip addresses and an access control list of 1000s of users in another excel. I reviewed the ACL and Access Control Model; I was hoping someone comes back inquiring this model's effectiveness. I couldn't sleep that night:

• Alert Type: Insider Threat
• Severity Level: High Risk
• Description of Risk: Anyone who has access to the project share-point can access/download the files from any computer on the internet without getting traced.

We had a presentation for all the stakeholders to review "How the Central Management Console works?" which manages all those 300 devices; everyone from SecOps and all device owners participated. Central console boasts of all Ip addresses of everything that passes through these devices and that was reviewed live. I freaked out when the presenter told us at the end that the 2 hr session was recorded and stored in the same share-point. I screamed my lungs out but later realized where I was in the hierarchy (beginning of 2nd para). The Insider Threat just got multiplied by a factor of X.

• Alert Type: Insider Threat
• Severity Level: High Risk
• Description of Risk: Production Asset information along with Ips, Ports, Protocols in a video format available for download on any computer on the internet without getting traced.

Some personnel who has the Device Approval Authority questioned the Access Control Model. Have you ever known a nightmare at mid-day. Here is how the model works: In One Line: The Authority has option to either approve or deny only at the time of processing the access request. What that means: once Approved; the authority has no control of revoking access for as long as the account is active in the network. Yes, its a one way access door. I reported it to PM earlier that its a Fundamental Design flaw; PM Said: "Yea, I Know". According to the IDAM team: That was never a requirement.

• Alert Type: Access Control violating Principle of Least Privilege
• Severity Level: High Risk
• Description of Risk: Only system admin can revoke access; same set of users continue to access assets across 100 locations; once access is approved; the users will continue to hold access till the account is terminated.

Throughout the Project - I had sleepless nights...

Though there are many more; I would just narrate one last. This one is Ultimate. The POC of the project almost ran for 1 year and been in deployment phase for another year, in total 2 years so far. The Project was in a Multi-vendor environment; overlapping the role-out of Office365, Multi-Factor Authentication. Please note all the contractors have 2 Ids: one of the parent company and the other one of the Contracting. With every deployment project is also rolling out MFA (along with its browser dependent issues). One fine day users started reporting their inability to access the assets and the number kept increasing. After spending countless hours reviewing project configurations; one of the counterparts in Enterprise IT were discussing a brand new roll out: "Windows Hello" without any information to our project. At this point we were still figuring out the solution w.r.t "Hello" and users started complaining again that they are unable to establish remote connectivity. We are able to quickly identify the changes in the Enterprise IT system and this time its the roll out of another VPN Service. Earlier the access is enabled via a process through a specific VPN Client. This is like a bird taking a dump on you when you are switching buildings in the middle of Board Meetings.

• Alert Type: Denial of Service
• Severity Level: High Risk
• Description of Risk: Over sight of Enterprise IT Governance to perform integrate risk management.

In a project of this magnitude involving 5 different teams of high technical/product caliber; there was only 1 person qualified in Systems Security & IT Best Practices whose screams were unheard because that person was deployed in the front-line operations.

Conclusion: Whenever possible, Organizations should leverage the industry knowledge and rely on best practices the professionals bring in because the Institutions out there do not certify people at random. It takes about years of relentless effort to accomplish professional certification.