One Day, One Angry CISO…
One afternoon, I received a call from my client who was the CISO of an F100 Financial institution. He said “I’m very upset. Our CSO is telling me that you’re being very difficult and jeopardizing the deadlines. You need to get down here IN PERSON.” Somewhere between his borderline rage and not having a relationship with him, there wasn’t an opening for discussion. That was that, and it didn’t take but a couple of minutes to receive a meeting invite from his executive assistant — for the next day.
A Little Background
It wasn’t a mystery, though, and I knew what this was about. I was actually hired out of the CISO’s budget but only ever met with him once, briefly. My role was a subject matter expert and strategist to design the company’s smart card issuance, crypto functions, and key management policy for InfoSec. Since the card also needed to open doors, I was directed to define the integration while making sure that neither group’s plans broke the other’s. Unfortunately, this coincided with a global PACS, controller and reader infrastructure replacement that was being driven by new building construction, remodels, and fixed occupancy (move-in and relocation).
All of the infrastructure work on the IT side was done (CA, CMS, OSDP, profiles, etc.), as was limited production rollout and testing. The smart card was being completely funded by InfoSec. Therefore, the card was completely defined, and I just needed to work with physical security to ensure compatibility on its side (to open doors), which meant defining the data model, applications, keys, and masks. From there, I was to provide physical security with these specs so that its readers and systems would be configured correctly, then order some test cards for testing before placing a huge smart card order that would take months to arrive.
The client’s integrator (one of the largest and most prominent in the industry) was advising the company to use a dual-tech card and to rely not on the secure high-frequency (HF) chip already slated to be incorporated, but on a low-frequency (LF) chip. I had been explaining for weeks that LF is not only insecure but doesn’t even have security as part of its design — and this was a “security” project. Further, LF wasn’t needed since all sites were being converted. We’d been going around on this for weeks. Despite trying to engage the client in discussions, I was met with lack of interest, resistance, and divisiveness. The CSO trusted his integrator, and his patience with me was running thin.
An Even Angrier CSO
A week before I got the call from the CISO, I was onsite with the CSO and his entire extended team. This was a half-day, all-hands working session to solidify final commitments. I walked in on my own, seemingly the last one there, to a room of about 20 people ranging from corporate security to real estate, A&E, integrator, and HR. When it came time for the topics of readers and credentials, the integrator just started reading part numbers, which completely dismissed any of the issues that I had been raising.
They had a process in the meeting where there was a main person stating the final commit, and they would go around the room for comment or objections. When eyeballs came around to me, I couldn’t give it a pass. I explained how someone could easily gain access to executive offices, Data Center, and other high-risk areas. The CSO LOST it on me in front of everyone.
CSO (yelled): “Stop with this hacking nonsense. If it was possible or going to happen, I’d know about it. That’s why we have cameras.”
Me: “This sort of risk is a design-level flaw that can neither be fixed nor detected (and involves more than cloning).”
CSO: “It’s not like we’re Fort Knox or anything.”
Me: “As one of the largest caches of PII in the world, shouldn’t you be?”
The room went silent; there was no response, and no one wanted to give one. It became clear to me that their issue was even more fundamental than ignorance of technical details or a disproportionate trust in their channel. Rather, it was that they had no definition of what security was supposed to achieve, and their scope was limited to certain physical assets and people.
The CISO Meeting
I planned to just tell the CISO the situation — after all, I was really working on behalf of his interests. I’d mistakenly envisioned a one-on-one meeting. Instead, when I was escorted into his office by his assistant, he and the CSO were already seated at a side table. It began with the CISO venting at me about being uncooperative and jeopardizing their timelines, which lasted about 10 minutes, with occasional double-teaming from the CSO.
Feeling a little bit like a piñata, I waited for them to get it all out of their system. It became clear that the CISO hadn’t yet been informed as to what the root issues were. I countered that of course I didn’t wish to be an impediment and that it was really a very simple solution. As the CISO leaned in with interest, I asked if being resilient to having his assets and operations compromised as a result of new technology decisions was in scope. If it wasn’t, and he accepted the risks, I would gladly get on board to fast-track their proposed design.
Getting a CISO to accept risks, particularly without details, doesn’t go over too well. He now wanted to know what the $%^ I was talking about. I proceeded to explain the impact — what an attacker could do (and at some point likely would) — and that the issue wasn’t being recognized but rather met with denial. The CSO asserted that he trusted his integrator that this wasn’t true, that LF and their “special” format were secure enough, and that I didn’t know what I was talking about. The CISO was baffled, and he wanted to get to the bottom of it. With the CSO just trying to speak over anything I said, I asked the CISO, “Can you hand me your badge? I will give it right back to you.” Read here why format is obscurity and offers zero security.
It Was Going Nowhere, So I Hacked His Office
His office and existing badges hadn’t been converted from LF yet. Perplexed, he obliged. I already had my laptop open, so I took out my RF analysis tool, plugged it in, and launched a command line. I didn’t say anything, and neither did he; in fact, all you could hear was about 5 seconds of keyboard pecking. I stood up, handed his card back to him, walked out of his office and shut the door behind me. I faintly heard a voice get cut off by the door shutting, probably asking what I thought I was doing. I waited a few moments for it to sink in that the door was closed and locked, and, most importantly, that he had his card and I had no way back in.
About 20 seconds later, they heard a beep and a click, and the door opened. I stood in his doorway and asked, “Now, who wants to bet me $100 that I can’t get into your data center and leave with your HSM?” I’ll never forget the look on the CISO’s face — it went through phases of pale to red by the time he stopped looking at me and turned his attention to the CSO. As it turns out, the CISO has a degree in electrical engineering, and he asked if I could take a few moments to help him technically understand what was going on. I also showed him how I could mint, instead of clone, and execute privilege escalation to completely pwn their card population without hacking any other cards or their systems. After about 10 minutes at the whiteboard, he understood the problem. More importantly, he understood how it affected him, that it was needless, and that he wasn’t about to sign off on accepting the risks associated with it.
Watching the CISO and CSO Battle It Out: Common Practice vs. Best Practices
The CISO then began: “It appears that Terry was doing everything I’d expect him to do. What am I missing?” At this point, the meeting transitioned from my being the subject to my being a spectator. Now, I’m never one for throwing anyone under the bus, but the CSO drove a showdown with no ammo.
The CSO slithered around, carefully twisting it into a budget shortfall in which affording the remediation I was recommending was out of the question. That was not the case, but it was all his ego could muster instead of just sucking it up and moving on.
The CISO asked how much more it would cost, as the CSO struggled to come up with actual numbers. Once disclosed, the CISO responded: “I won’t allow my assets to be vulnerable. You now have budget to deal with this.” The CSO responded, “You don’t understand; the funds are beyond our budget.” The CISO again responded: “I’m under budget for the year, so I’m giving you the money to cover the shortfall to address all readers globally. It’s done, and please, continue to involve Terry as my proxy.” Things moved pretty quickly after that.
That was 10 years ago, and over the years variations of it have played out across multiple F500 clients of mine. Whether it’s about cards, crypto, design flaws of a control system, or a vulnerability in their software, the lessons remain constant:
- It’s far more effective to show them the problem than tell them.
- If they don’t understand the impact, few will make time or prioritize it.
- If they don’t own the impact or don’t want to, there’s nothing you can do.
- Move on, or find the person who does own it, instead of wasting energy.
- Always start an engagement by ensuring that all parties are on board with a transparent definition of “security improvement.” A “10” to a CSO might be a “3” to a CISO. It even varies within each group, which can stifle even the soundest analysis and recommendations.
Since my specialization is the convergence of cyber security between physical security and InfoSec, I see this playing out in nearly all of my engagements these days. I see more involvement between the groups, the disparity between them, and how reliance on relationships that lack the requisite expertise is becoming marginalized.
In the end, hackers don’t care about narratives, politics, or loyalties. They don’t adhere to policy, or to what you think they will or won’t do. CISOs understand this, which is why stakeholders who don’t will go the way of the dinosaur when the cyber comet strikes their organization, whether in the form of an integration task, an audit, or a random vulnerability brought to the attention of peers who take security seriously.