Cyber threats continuously evolve, and those firms that take a reactionary approach and relying on a standard cyber-security checklist likely will be attractive targets for hackers, according to Jerry Perullo, the chief information security officer at the Intercontinental Exchange

A hacked organization’s initial response is often to throw money at the problem, hire consultants, and implement a draconian security model that affects productivity, he noted during an interview on the ICE House podcast.

“The problem of bad controls is that they get torn down,” said Perullo. “You get a lot of exceptions and over-securing is a lack of securing at the end of the day.”

Security teams should be more like startup incubators where the staff challenges pre-set ideas and try to develop better ways to secure access to enterprise and its data.

When reviewing user accounts and passwords, Perullo’s team sought to find a more secure method than the standard model of an eight-character password that includes a sprinkling of capitals and special characters and has been in use for more than 20 years.

The team wanted to lengthen account passwords to 15 characters and omit the complexity of including special characters. They tossed all of the necessary calculations on to the whiteboard and the math held, according to Perullo.

“Then the National Institute of Standards and Technology released an updated standard that said that length was king,” he said. “You can get rid of that stuff as long as you look and block out commonly used passwords.”

The team tested the new password format against its internally developed Kraken engine that attempts to crack the passwords of all ICE user accounts daily and found the new format was secure. Kraken’s success rate also dropped steadily over the 90 days it to ICE to deploy its new security policy.

“Having that machine that constantly red teaming us has exposed a lot of other things around cleaning up accounts, visibility, and looking across acquisitions and geographies,” said Perullo.

Implementing a red team strategy, in which an internal team acts as an adversary, as well as security information shared amongst the industry also helps ICE develop a threat matrix based on the likelihood of an attack and its potential impact on the business.
“There is nothing more important than being close to the business and understanding the business and partnering with the business to understand what the impact would be,” he added.

Perullo also noted that having a red team deliver its findings to the IT team improves productivity when they can provide a video of a hacker trying to hack an exploit rather than giving a list of security-related tasks without context.

“People will get up and go out of the room to fix it,” he said. “There is no more back-and-forth.”