A PwnDefend Story – Day 7
It is a blur so far. I figured after the last place the grass would be greener; surely no one else has that many security challenges. I did some due diligence during the interview process: they seemed very confident about having certifications and that they took security seriously. Hell, that should have set some red flags off, but even the cynical sometimes hope that it is as someone says.
I have started to work myself around the board and I am making friends with people, my diary is filled with zoom calls and my notebook is already many pages deep.
You cannot make this stuff up though: day two and I’m dealing with a business email compromise incident. The phishing page was not even in good English, but then it only takes a second or so whilst in a meeting to not quite realise you’re running on autopilot, so you cannot blame people. Hell, the branding was copied, so we know it was a targeted phish. It would have been nice to at least have had centralised logs for the team to analyse though.
Fail to Plan, Plan to Fail
The good thing at least is that the person phished was savvy and contacted the service desk instantly. It was lucky that we were in an introduction meeting, so we were all together. We got the account locked down almost instantly, but it was clear that there could have been a lot of debate about the course of action. I would normally have let it play out a bit more to see what the response planning and execution is like unsupported, but no one wants that on day two of a new role.
Human Centric Security
I have got a long list of activities and audits to conduct, but straight away I can see that we are on the back foot and have some way to go. I have not got budget for a team, so I am going to need to make a virtual one. I am going to make everyone my team; that way they can help protect each other, at least that is the plan. I remember from my younger days, the security officer always said no to everyone, they always cast blame and generally made everyone upset; it got so bad that people just ignored him. I thought that was easy not to do and that everyone would just see the risks. Sadly for me that is not the case, but over the years I spent a lot of time with different departments to see their priorities, and making everything airtight just was not realistic, at least not if you do not have the right culture and working practices. The challenge here is going to be getting just enough of the foundations covered fast enough to avoid a major incident whilst we work on changing some behaviours.
Ok so it is now a digital board, but old habits die hard:
- Identity is key
- MFA is easy to say but harder to do in reality
- Protect the crown jewels
- Make everyone my team
- Prepare to fail, incidents will occur so let us make sure we are ready for them
- We cannot protect what I do not know about
- Good security is hard work, so we need people to help people not hinder them
- Remember not everyone has a tin foil hat – keep that webcam handy
- How do I make the board care? (plan some simulations, enough to make them see, not so much they get scared off!)
It seems daunting, but I have already spoken to the head of HR and we are reviewing the onboarding process so we can make sure everyone at least gets off on the right foot. The hardest challenges are going to be the volume of changes plus the custom developed solutions. I must book a meeting in with the lead architect; no one likes being told they did not design something right, and there must be reasons for the lack of controls from what I have seen.
The green grass
So, the grass is not always greener, but I have just looked back and seen the challenges we have faced before, from global pandemics to landing nuclear robots on Mars. One thing is for sure: as long as I help people make small steps forward and introduce change that helps them stay safe on a daily basis, I am moving the needle in the right direction. I have got a team running a password audit tomorrow, so I think I will save the coffee for another night. The grass might not be greener, but at least there is still grass!