pritha's Posts (627)


Operational Technology (OT) cyber risk is a growing problem for organisations in the manufacturing, infrastructure, energy, resources and logistics industries. The increased adoption of digital technologies to drive productivity, together with increased connectivity with suppliers and customers, has resulted in a growing digital footprint and an associated cyber threat across the operations value chain. We will analyse practical steps organisations can take across mitigation and insurance, and explain how to address key exposures and stakeholder needs.

About Speaker

Anthony drives WTW's risk and analytics service in Australasia, helping clients across their full journey of improving cyber risk awareness. He has a deep understanding of the quantification and financial impact of cyber events. He has triaged major cyber claims and coordinated the incident response and management of over 400 cyber incidents.

Rob is an experienced cyber security leader who has held senior executive leadership positions in which he has built and run information security capability across multiple industry sectors. He has been highly engaged with industry bodies including the Australian Information Security Association (AISA) and the Information Systems Audit and Control Association (ISACA).


Keynote (Recorded)


CISO burnout is a serious issue, and through this discussion we try to find out the impact of this issue on organizations and individuals. The CISO role is operationally intensive and gruelling. In most cases CISOs remain in an organisation for about 1 to 2 years. The role is associated with high stress levels and unrealistic organisational expectations. A study showed 90% of them were willing to take a pay cut for better work-life balance. The problem is further compounded by connected devices and the pandemic.

A study noted that the average tenure of a CISO is just 26 months due to high stress and burnout. The vast majority of interviewed CISO executives (88%) report high levels of stress, a third report stress-caused physical health issues, and half report mental health issues.

CISOs are, on average, working 11 more hours than they're contracted to work each week, with 10% working 20 to 24 hours extra a week.

  • CISOs are overstretched (CISOs are, on average, working 11 more hours than they're contracted to work each week)
  • The staffing shortage and skill gap make it harder; CISOs have to manage operations themselves
  • The ever-increasing threat landscape and solution landscape make it harder to keep up and evolve infrastructure accordingly
  • The increased strain of the CISO role shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive his/her team. Crucial areas like hiring, customer communication and professional development get hindered and ignored


Our upcoming panel discussion on 'The Challenge Of CISO Burnout' is Friday, February 25, at 11:30 AM ET (8:30 AM PT). Register Here To Join


Causes Of Burnout

The CISO role requires juggling many hats. CISOs need a strong technical background, an understanding of organizational goals, strong communication skills and good leadership skills.

They are often responsible for:

  • Driving cybersecurity strategy
  • Managing reporting, security infrastructure
  • Understanding legal and regulatory considerations


Unrealistic Expectations Of Foolproof Security

An organization needs strong security procedures and detection mechanisms. However, no security is foolproof.
Cybersecurity has become an area of interest for boards of directors, since security breaches are directly related to brand image loss and customer loss (not to mention the financial implications, which can be huge). And the CISO often becomes the scapegoat.


A Few Possible Solution Areas

  • Cybersecurity maturity assessment. This gives a relative idea of where an organization's security weaknesses and strengths stand
  • Frequent testing
  • Frequent (if possible real-time) attack surface testing
  • Dark web assessment. This provides awareness of any leaked or sensitive data on the dark web
  • Communicate clearly during stress. This allows the CISO and the security team to discuss their issues. Management can allow for more relaxed times and breaks in the schedule to make the long hours efficient rather than stressful
  • Organizational culture shift: have realistic expectations (define acceptable levels of risk), encourage efficient working over longer hours, and more
  • Bump up and contribute towards security skills training. The talent shortage is severe



Our upcoming panel discussion on 'The Challenge Of CISO Burnout' is Friday, February 25, at 11:30 AM ET (8:30 AM PT).

In this panel, industry experts discuss 'The Challenge of CISO Burnout'. The CISO role is operationally intensive, and it gets harder with the rapidly evolving vulnerability and solution landscape along with the industry-specific skill gap. The increased strain of the CISO role shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive his/her team. Crucial areas like hiring, customer communication and professional development get hindered and ignored.

Can't make it to the live discussion? You can still register to receive the on-demand link after the discussion.

>> Register Here To Join




We're talking about the latest Java-based vulnerability, CVE-2021-44228. Recently, a critical zero-day vulnerability was found in log4j which permits Remote Code Execution (RCE), allowing attackers to gain remote access. The vulnerability received a CVSS severity score of 10 out of 10, and several national cybersecurity agencies, including CISA, the NCSC and others, have issued warnings and emphasized that organizations must "discover unknown instances of Log4j" in addition to patching.

CVE-2021-44228 impacts any organization using the Apache Log4j framework, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and others.

>> Discover log4j exposure (by FireCompass)


About the Log4j vulnerability:

According to the National Vulnerability Database, “Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.” An attacker can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.


The Impact of Log4j vulnerability:

Just to put it in perspective, a scan of Maven Central by Google's Open Source Insights Team found that almost 8% of packages in the repository have at least one version that is affected by the log4j vulnerability.

Within a week of the disclosure of the vulnerability, more than 1 million attacks were attempted and more than 44% of corporate networks worldwide were targeted. And this is just the beginning: the worst of the cyber attacks may actually be months in the future, since sophisticated attackers normally create a backdoor, steal credentials, try to bypass security tools and wait for the right time to strike. Nation-state-backed hacking groups have also been spotted attempting to leverage Log4j.



How to protect:

CISA recommends all organizations upgrade to log4j version 2.15.0 or complete their appropriate vendor recommended mitigation along with the following steps:

  1. Enumerate any external-facing devices that have log4j installed*
     *Note: check for platforms that can hunt Log4j vulnerabilities in both known and shadow IT assets
  2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  3. Install a web application firewall (WAF) with rules that automatically update, so that your SOC is able to concentrate on fewer alerts.



Some important updates:

You can try to determine whether your organization's products with Log4j are vulnerable by following the version chart below:
[Figure: Log4j version vulnerability chart]

As we write this article, the Apache Software Foundation has released a patch for a third vulnerability in Log4j. Version 2.17.0 of the software was released on December 17 after issues were discovered with the previous release (2.16). Apache said that 2.16 does not always protect against infinite recursion in lookup evaluation and is vulnerable to CVE-2021-45105, a denial of service vulnerability.
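The first protection step above, enumerating where log4j is installed, is harder than it sounds because log4j-core is often bundled inside application archives or renamed. The following inventory script is an added example, not code from this post or from FireCompass: it walks a directory tree, opens every jar/war/ear, recurses into nested jars, reads the version from the filename or from the Maven pom.properties that a log4j-core jar carries, and classifies each hit using the affected ranges quoted above from the NVD (2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0), the CVE-2021-45105 note for 2.16, and 2.17.0 as the fixed release. It also reports whether the JndiLookup class is still present, since deleting that class from the jar was the published workaround for deployments that could not upgrade. The sample archives it scans are constructed in a temporary directory with dummy class bytes; only the entry paths are real.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Added example (not the post's or FireCompass's code). Ranges follow the NVD text
# quoted in the post for CVE-2021-44228; 2.16.x is flagged for the CVE-2021-45105
# denial of service the post mentions; 2.17.0 and later are treated as fixed.
AFFECTED_RANGES = [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")]
FIXED_FROM = "2.17.0"
# Real entry paths inside a Maven-built log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")
FILENAME_RE = re.compile(r"log4j-core-([\w.\-]+?)\.jar$")


def version_key(version):
    """'2.14.1' -> (2, 14, 1, BIG); '2.0-beta9' -> (2, 0, 0, 9), so betas sort first."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else 10**6)


def classify(version):
    """Map a log4j-core version string onto the statuses described in the post."""
    k = version_key(version)
    if k is None:
        return "unknown-version"
    for lo, hi in AFFECTED_RANGES:
        if version_key(lo) <= k <= version_key(hi):
            return "CVE-2021-44228"
    if k >= version_key(FIXED_FROM):
        return "fixed"
    if k[:2] == (2, 16):
        return "CVE-2021-45105"
    return "outside-listed-ranges"  # e.g. 2.0-beta8 or 2.12.2: check the vendor advisory


def inspect_archive(data, name, where, findings):
    """Record any log4j-core inside one jar/war/ear, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    m = FILENAME_RE.search(name)
    if m:
        version = m.group(1)
    elif POM_PROPS in names:  # renamed or repackaged jar: fall back to Maven metadata
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_core = any(n.startswith("org/apache/logging/log4j/core/") for n in names)
    if version or has_core:
        findings.append({
            "path": where,
            "version": version or "unknown",
            "status": classify(version) if version else "unknown-version",
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
        })
    for n in sorted(names):
        if n.endswith((".jar", ".war", ".ear")):
            inspect_archive(zf.read(n), n, f"{where}!{n}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core occurrence."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in (".jar", ".war", ".ear"):
            inspect_archive(p.read_bytes(), p.name, str(p.relative_to(root)), findings)
    return findings


def _core_jar(version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: dummy class bytes, real entry paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed layout: plain jars, a renamed jar with JndiLookup removed, a nested jar."""
    lib = Path(root) / "app" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.14.1.jar").write_bytes(_core_jar("2.14.1"))
    (lib / "log4j-core-2.16.0.jar").write_bytes(_core_jar("2.16.0"))
    (lib / "log4j-core-2.17.0.jar").write_bytes(_core_jar("2.17.0"))
    (lib / "logging.jar").write_bytes(_core_jar("2.14.1", with_jndi=False))
    other = io.BytesIO()
    with zipfile.ZipFile(other, "w") as zf:  # unrelated library, must be ignored
        zf.writestr("org/apache/commons/io/IOUtils.class", b"\xca\xfe\xba\xbe")
    (lib / "commons-io-2.11.0.jar").write_bytes(other.getvalue())
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # old log4j-core bundled inside a war
        zf.writestr("WEB-INF/lib/log4j-core-2.0-beta9.jar", _core_jar("2.0-beta9"))
    (Path(root) / "app" / "webapp.war").write_bytes(war.getvalue())


def scan_sample():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['status']:<22} {f['version']:<10} jndi={f['jndi_lookup_present']!s:<5} {f['path']}")
```

Run it against a real filesystem with `scan_tree("/opt/myapp")` in place of the constructed sample. Anything reported as `CVE-2021-44228` with `jndi_lookup_present=True` belongs at the top of the upgrade list; an `unknown-version` hit means log4j-core classes were found without metadata (shaded or hand-repackaged), which still needs a manual look rather than being treated as clean.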

