

Is the Fox Guarding the Hen House?


Cybersecurity is a growing concern and should be considered a top risk for all businesses. Reading the news, there is no shortage of tragic data breach stories impacting businesses in nearly every industry. Typically, when problems become this widespread, a variety of companies will flock to the issue and attempt to provide solutions. This becomes problematic in two ways:

  1. A company with little to no experience tries to provide guidance on an issue they are not an expert in solving.
  2. When helping with an issue, a company has a conflict of interest with other services they provide.

You have likely heard the expression “Fox Guarding the Hen House.” This phrase describes the situation that occurs when someone takes on the role of supervising and protecting valuable things when they have a bias or conflict of interest with the valuables they are protecting. In cybersecurity, one example of this is when Managed Services Providers are responsible for both IT operational services AND the auditing and verification that shows how well the services are being performed.

There is surely a need for more technology companies to provide IT operational solutions, like managed firewalls, managed patch management solutions, and managed security controls for desktops. But when these businesses also provide IT Audits, Vulnerability Assessments, and Penetration Testing, this becomes a conflict of interest. Would you expect them to provide unbiased results that point out their own shortcomings or mistakes in the solutions they are already selling you? Other departments have clear rules prohibiting this; one example would be a bookkeeper providing their own audit of the financials they manage. This likely will not have the intended unbiased result that you would expect. If you implement or perform a security control, you cannot independently, or without bias, verify whether it's effective or adequate for good security.

Let’s take a deeper look at a few “Fox Guarding the Hen House” scenarios that SBS has seen.

Scenario One: The Truth Behind the 100% Patched Report

System vulnerabilities are a significant risk to our businesses. Cybercriminals constantly attempt to exploit them to gain access to systems and sensitive information. This is an ongoing and growing battle. In June of 2019, Microsoft alone released 88 software updates to fix security vulnerabilities. We need to monitor for these and other vulnerabilities associated with Adobe, Java, Chrome, or any of the software products utilized in your business. Because of this, audits on the effectiveness of patch management are essential. A common issue that SBS sees when auditing businesses where the IT vendor does the software patching occurs when the vendor provides the client an audit report stating patches are 100% (or some high percent) installed. This provides a false sense of security to the business. In cases like this, we have found hundreds, and even thousands, of unaddressed vulnerabilities in our independent vulnerability scanning results. One explanation for this is how the vendor defines “patched.” Maybe, in this case, it was 100% of patches approved by the vendor, not 100% of known patches. Reports that suggest 100% don’t provide decision makers at the business accurate information to make decisions and evaluate the effectiveness of their patch management program or the vendor performing the service.


Scenario Two: The Missing RDP

Another example of this conflict of interest is seen with managed firewall services. If the vendor who provides the operational support for the firewall also provides the audits regarding security weaknesses and external vulnerabilities, you may have trouble brewing. We have seen items scoped out of an audit because the vendor knows the issue exists, but they feel that the item is necessary to complete the services for the client.

One example of this intended oversight has been the Remote Desktop Protocol (RDP) that the vendor uses to remote into a system to manage it. These can get left out of the scope of the audit because the vendor feels that it’s a required service. However, the business has no knowledge of the RDP’s existence or the vulnerabilities it has, which places the business at risk. Businesses can’t make informed decisions about security or quality of service provided by a vendor when information is scoped out. With a little bit of work, vendors could redesign how they access the network and eliminate this scenario. This RDP example has taken center stage lately with Microsoft’s alert regarding BlueKeep, a Microsoft Windows vulnerability in RDP that is so bad that both the NSA and Microsoft are releasing multiple public announcements. Microsoft is so concerned about BlueKeep, they have gone back and patched Windows XP, which has been end-of-life and unsupported for five years. This vulnerability has the potential to do what WannaCry ransomware did to businesses in 2017.


Scenario Three: Light Weight Audits or Insecurity in Audits

IT Auditing services must alert you to known vulnerabilities and provide you best practices to harden your systems and decrease the chances of a cyber incident. Besides measuring patching effectiveness or external vulnerabilities like the RDP example, there are other controls such as strong passwords, multifactor authentication, limited user permissions, and education on phishing emails that your business should consider to greatly improve security. Sometimes these controls create more work that isn’t income-producing for vendors, which leads to the controls being deprioritized or scoped out of the audit by the vendor.


In summary, we don’t doubt these vendors likely provide great managed services. The risks come when they are also relied on to verify the effectiveness and comprehensiveness of the provided service. “The Fox Guarding the Hen House” might be effective in some situations, but there will always be an underlying conflict with what is best for the fox vs the chickens. Cybersecurity is a significant threat to the future success and sustainability of your business. Invest in getting independent audits done to provide your management team and executives with an unbiased report regarding the effectiveness of security controls and to highlight a clear roadmap to improving cybersecurity preparedness.


Written by: Chad Knutson
Chief Operating Officer and CISO
SBS CyberSecurity, LLC


Posted: Thursday, January 16, 2020