CISO Says...“Leverage the full potential of evil user stories!”

Chris van den Hooven

Chris van den Hooven

Senior Security Consultant

June 15, 2020 at 11:15

My colleague Anne Oikarinen has written a blog or two about secure software development and how to incorporate ‘Evil user stories’. The idea is that you envision how an evil user could misuse the system you are developing and, subsequently, you mitigate your code. From a CISO perspective, it makes more sense to analyze and take things a step further: How would an evil person compromise the company? How would he commit fraud? How would he go about stealing goods or money? How would he abuse your organization’s vulnerabilities?

Experience teaches us that your own colleagues know your vulnerabilities best. The employees in the finance department know all about financial processes. They know the checks, the balances and the flaws. Warehouse workers know what is in store, what it is worth, and how it could disappear. They will never tell, however - and no one will ever be able to take advantage. Vulnerabilities will remain hidden, unless you ask.

Technically speaking, none of this has to do with information and/or information security. However - since just about everything a company does is reflected or stored in some database these days, most of it will be related to an IT component. Vulnerabilities may exist because of incomplete separation of duties in an ERP system, because of poor authentication measures, because of improper authorizations, … the list is endless.

 

Ocean's 11 movie poster

So how do you convince your staff to tell you?

I draw inspiration from Bruce Schneier in this regard. A few years ago, he organized a ‘Movie-plot threat contest’ [1]. He wrote an essay [2] on the topic ‘Movie-plot threats’ and argued that movie-plots are much too specific to be useful in real life security. He didn’t think much of existing plots at the time and invited his newsletter/blog audience to come up with superior alternatives. Hundreds of ideas were submitted. At that time, we were running a security awareness campaign at the company where I was employed, and, inspired by Bruce’s initiative, I suggested to launch an employee-contest of our own: to create a movie-plot on how to steal from the company - and get away with it.

The plotting contest idea was adopted and formally announced. We even formed an official jury with representation from Security, Compliance, Finance and the Board.  Our expectations were not very high. After all - there had been very few incidents and the company had decent security.

And the winner is…

When the plot submissions started pouring in, we were shocked by a few of them. Could these plots actually take place? We verified - and the answer shocked us even more. We had never guessed, because the vulnerabilities disclosed in the plots did not appear on any risk inventory within the company. But they turned out to be very real, and very possible.

As a consequence, we were unable to announce the winning movie-plot. Instead, we organized for urgent mitigating actions. Staff took notice and the exercise brought forth increased levels of curiosity and interest in security internally.  it was a very valuable experience, as we were not only notified of - we also gained valuable insight in very serious vulnerabilities. At the same time – the contest and outcome served as a very powerful awareness action, leading to improved overall security mindfulness on the work floor, as well as at board level.

Inspired to organize for your own contest yet? I have added some plotting suggestions below to this post. Leverage evil user stories and plots to expose hidden weak spots and vulnerabilities. And please invite me to join your jury!

Plotting tips

  • ‘Script’ an attack on the company: tell a compelling story;
  • Central to the story is that the attacker profits financially - The aim of the attack is not to bring down the company;
  • The plot needs to be realistic and feasible (highly likely to succeed)
  • The use and incorporation of internal access to information, processes and systems is allowed (the attacker can be an insider)
  • The plot can never be shared or made public.

Sources:
[1] https://www.schneier.com/blog/archives/2006/04/announcing_movi.html
[2] https://www.wired.com/2005/09/terrorists-dont-do-movie-plots-2/

Click here to read more CISO Says... blog posts.

Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.

Related blogs