End-user security requires a shift in corporate culture

An internal culture change can help organizations put end-user security on the front burner. If an organization only addresses security once a problem arises, it’s already too late. But it’s common for companies, especially startups, to overlook security because it can get in the way of productivity.  (TechTarget)

Organizations that take security seriously are the ones who make security a part of the every-day routine. Not because it is not important, but to ensure that the message of how important it is is driven home every day, multiple times a day. Too often security improvement efforts fail because it is treated as ‘special’ not ‘important.’ There is a difference, and those who recognize it are the ones who realize the benefits of investing in training, policy, and procedure. Aligning security incentives a’la performance incentives exploit the fact that we’re all human, and that’s a good thing.

Cybersecurity Through the Lens of Rock Climbing

I’ve been to a lot of kid’s sporting events in the last decade plus. They have their moments, but I think I speak for all parents who are not living vicariously through their child’s prowess on the field of play when I say there are a few dozen places you’d rather be than sitting on a cooler of orange slices and water bottles on a Saturday morning.

But since we’re fond of making sports a metaphor for so many other things in life — or is it the other way around — I thought I’d point out a couple of lessons that rock climbing (yes, they have competitions) teaches us in security.

Everything is harder than it looks. When my son started rock climbing he was all about using his arms, with predictable results. It wasn’t until he realized the importance of using all four limbs that he really started to have success. There is no shortage of recommendations or guidance or frameworks that one can use to help secure an enterprise, but if it was as easy as installing anti-virus, telling the CEO there are bad guys out there, and checking boxes on a list, my SF86 wouldn’t be in Beijing.

There is a significant difference between practice and real life. Climbing gyms have all sorts of different configurations on their walls, but they cannot always replicate what you’ll find in the wild. Sometimes, there isn’t a convenient hand- or foot-hold to get you over the top. Sometimes you hit a dead end and have to find another way around. In security maybe that’s a corporate policy (or raison d’etre). Maybe its a regulation or even a physical constraint. Regardless, you need to be prepared to take a long, winding route to your goal, or accept that what needs doing is one crag too far.

You need strength in your core and at the extremities. Having a strong grip is great, but without a high level of strength and mobility in your abdomen, shoulders, and hips, you will find it very hard to get up and out of tight spots. Better security requires a range of talents, tools, and methods. You’ve got to work on them all, and in a coordinated fashion with the rest of the organization, to succeed.

Energy drains quickly. A given bouldering problem may be both vertical and horizontal. The distance traversed may not be long, but crawling on all fours, upside-down, is not a party. Trying to achieve security goals can be equally challenging and exhausting. You’re always the person who says, ‘no’. You’re always fighting for resources, and respect. You’re always the scapegoat. At some point everyone asks, “why bother?”

No one gets through the hard stuff the first time. Everyone who makes going through a high V-rated route look easy only does so because they fell on their backsides more often than they reached the top. They make it look easy because they know what doesn’t work. Senior practitioners, successful CISOs, they all failed a lot before they won.

Breaches Forever!

The computer security industry is not stopping breaches. Not for lack of trying, but if you’re familiar with the myth of Sisyphus, such efforts are the definition of pointless. If this sounds strange coming from a computer security person, it shouldn’t. I’m not here to blow smoke up your fourth point of contact; I’m hear to point out that the impetus for progress is not going to come from anything a bunch of nerds conjure up.

The arguments that spring up whenever there is an epic breach are predictable and can be broken down into two major themes:

    1. Everyone in the victim company is an idiot. If they just employed people like me and my friends, this never would have happened.
    2. Securing data on an enterprise scale is hard. The idea that there is one or a hundred things that could have been done to prevent this disaster dismisses the complexity of what’s involved in protecting an “enterprise” and not “my basement lab.”

Now, the argument over whether or not the C-levels of Equifax were equipped — intellectually or materially — has been made, but the result doesn’t matter. Day to day the dynamic in corporations around the world is the same. The world’s greatest CISO still has to fight for budget, human resources, technical equipment and software, etc. The CFO still has to balance budgets and attempt (futile as it may be in security) to assess if the CISO’s requests produce a sufficient ROI, etc. The CEO really only cares about making his numbers in a fashion that keeps him out of jail.

There is no requirement for a secure enterprise. There is a requirement to have an enterprise that is secure enough to maintain compliance with applicable laws and that enables effective business operations.

Did Equifax do wrong? From what we can tell via publicly available information they did things, to varying degrees of effectiveness, and with questionable timing. They could have done a better job, but Equifax is just like every corporation in that security is something they have to comply with; profit is why they get up in the morning.

Breaches, regardless of their size or the sensitivity of the data involved, have become so commonplace that they are no longer automatically considered problematic. A breach alone is no longer justification for a lawsuit. Increasingly you have to show actual damages to have standing. Credit card number compromised? The bank makes you whole and happily issues you a new card. Medical data compromised? Insurance fraud is readily solved by a rate increase you hardly notice. Intimate details of your life lost to a foreign adversary? Well I guess the Forbidden City really is at this point.

And life goes on.

Breaches are a part of our way of life. By and large they do not impact our lives enough (or enough lives) to merit the kind of attention they get. As a friend recently pointed out, we are now living in a “post-authentication” world: so much data about us has been lost/stolen that anyone can be anyone else for a length of time. There is no point in trying to keep your personal information personal because it’s all effectively public, and has been for some time. Many times over.

The idea that this breach, or any breach hereafter, is going to be ‘the one’ that mobilizes the populace to a degree that they’re willing to do what is necessary to achieve political/legal change is wishful thinking. An angry mob, to the extent that anyone outside of the usual privacy/security community is going to get off their couch, is no substitute for the well-funded and organized industry lobbying effort.

I’m not saying it’s right, I’m saying that’s how it’s always played out, and there is no indication history is not going to repeat itself.

The Equifax Breach is Not Special

The hue and cry over the Equifax hack has subsided to a dull roar. We’ve passed the stage of ‘initial reports,’ which are usually wrong, and are firmly in armchair cybersecurity pundit mode. ‘What did Equifax executives know and when did they know it?’ inquiring minds want to know, among other things of varying relevance. All of this is de rigeur for massive breaches, along with a few other things…

First, there is more to the breach than meets the eye. This means some things won’t be as bad as initially thought, some things will be horribly worse. Today’s villains will end up looking like martyrs and everyone who seems competent will be remembered as buffoons…or maybe not. It doesn’t matter. What matters is that everyone could have done everything right and they’re still just gears in a corporate machine working off of imperfect information, under impossible deadlines, without enough funding, and without the right human resources. You know: the same problems we all have.

The leadership team of Equifax is not better or worse than any other company. This means both behavior and capabilities and actions. Much has been made about the academic qualifications of the firm’s CISO, but it’s much ado about nothing. Experian isn’t her first job in security, and her previous positions were not for outfits that were slack about security. Let’s also remember that Equifax is not in the security business, so their primary concern was never going to be security.

Equifax will still be in business a year from now. Pick a major breach at a publicly traded company. Go back as far as you like. How many of those companies are still in business? How many of them have stock prices that are the same or better as they were just before the breach? I’ll save you some time: None that I can find have gone bankrupt and their stock prices are doing just fine, thankyouverymuch. If things hold true to form they’ll suffer no long-term impact. I’m so confident about this I’m actually buying Equifax stock.

This will not be the breach event that brings about change or reform.Remember the Target breach? Home Depot? TJ Maxx? OPM? Remember how those were the breaches that were supposed to change everything? Remember how breaches stopped, executives went to jail and paid stiff fines, and everything was right with the world? This breach is no different, and there is nothing to indicate the result will be different.

Finally, nobody cares. Not enough anyway, and not for long. Security people care because of myriad reasons. Individuals care because they’re afraid of being impersonated or defrauded. Lawmakers care because their constituents care and because being outraged on behalf of the little people makes for good passive campaigning. But let me tell you what is going to happen:

  • Some other security drama is going to pop up in a couple of weeks and all the angry nerds will channel their anger in that direction because nothing helps improve security than snarky hot takes on social media.
  • Individual citizens are going to realize that most if not everything lost in this breach has been lost a dozen times before. Even if this is the time they get ripped off, banks and retailers will make them whole.
  • Lawmakers will move on to the next crisis du jour because constituents have stopped pestering them about Equifax, and the data broker/credit rating industry lobbyists will have spent a sufficient amount of money on donations, scotch, cigars, and steaks to convince the honorable gentleman from the back 40 that the industry can regulate and take care of itself.

The Equifax breach is not special. It’s just like every other breach that preceded it, and it is almost assuredly going to be another data point that supports the template for the one that follows it. Security is not the issue we think it is, and it will never be until the consequences are high enough.

David Axe lays the smack down

From West Point to the Pentagon
Leavenworth and back down

Seven years after the launch of Wikipedia – the user-edited online encyclopedia that brought the “open source” concept to the masses – the U.S. Army is still playing catch-up. The Army’s idea of harnessing the ‘net is to launch isolated websites, put generals in charge and lock everything behind passwords, while banning popular open-source civilian websites.

[…]

Galvin advises patience. “Our leaders are getting comfortable working in that [collaborative] environment,” he says. And that means Army wikis aren’t far off. But even if they arrived tomorrow, they’d still be seven years late.

Goldwater-Nichols for suits

From Inside the Pentagon (subscription required):

Bush administration officials are preparing an executive order for the president’s signature that calls for sweeping changes in educational programs and career development for the federal workforce so professionals in each agency with a national security mission can learn how to better work across organizational lines when tackling 21st-century threats, according to sources and documents.

The gist is they’re trying to create of a uniform set of standards that will allow for the migration/rotation of  practitioners across the various national security-related agencies.

The original seed for this effort was to be the NDU, but apparently that idea has been (wisely) scratched in order to create a “consortium” of government institutions from which aspiring national security advisors and undersecretaries can gain the requisite knowledge. A smarter move: develop and promulgate a core curriculum and take the NSA Center of Academic Excellence approach. You’re never going to have enough slots at any single institution to fill the demand (it is cut-throat enough already trying to get a civilian slot to a service school), so spread the effort out as widely as you can.  Besides, who would you prefer: someone educated at MIT or someone subjected to the military education system?

Even if supply and demand issues are sorted out, the planners and implementers of this effort need to take a long hard look at similar efforts and what makes them fail. I’m speaking of the Intelligence Community Officer Program, which has gone through a couple of iterations and still isn’t what is could/should be.

Signing up for the program is easy; getting into the requisite classes and then convincing your respective hierarchy to cut you loose for the necessary rotation assignment is another thing entirely. Even if everything works out like a charm, there is precious little chance that your home agency will put your newfound skills and experience to good use (which is why so many participants opt to stay with their adopted agency).

All in all a good idea, but there are lot of potholes on the road they’re about to travel down.

Post Holiday Wrap-Up

You’ve probably already seen and
forgotten, but some tidbits that caught my eye as I have been trying to
catch up with developments over the last two weeks:

That’s it! No more looking back (until the next vacation) . . .