IT Security is NOT Rocket Science
I have been boning up on breaches lately as part of my ongoing professional education, looking at root causes, process breakdowns, and the host of other issues that lead to the loss of sensitive data.
You know what I have realized? Most of the breaches in the last 10 years could have been thwarted or greatly diminished with the simplest of security controls... ouch.
I won’t name names, but some of the bigger recent breaches were not ‘sophisticated’ attacks. One was caused by poor password strength, another was due to loose management of credentials, yet another was simply because someone errantly put a file with critical information up on a non-secure server, and there was even one where the victim was keeping the 3-digit codes from payment cards! (A big no-no if you follow the PCI DSS 2.0 and 3.0 standards, a basic security posture tool when you handle payment cards.)
My favorite one right now is the case where a breach was detected and was not acted on, because the protocols and workflows to deal with the incident were not in place and regularly tested. This led to a slow response, and the slower you go from the initiation of an attack to the time you thwart it, the more you will pay for it, as they quickly realized.
I trust you are all following me so far here. I trust this is not too complicated.
Yet, if you read recent media reports you might be led to believe that every internet attack is sponsored by a rogue nation-state or by the mafia, is well funded, and that there is no way to protect ourselves. People wringing their hands, dripping sweat, taking nitro pills and needing bi-weekly counseling sessions. It’s a terrible thing to have the world against you.
Don’t get me wrong, there are some very capable bad-guys out there. We need to work together to protect our state and corporate secrets from these incredibly talented hacking groups. I believe that we should form coalitions, groups and networks to learn more and advance the craft to protect information and maintain dignity of our cyber-systems.
What I am saying is over 80% of the data loss we have seen over the last 10 years was preventable with just a little well-applied common sense and some smart investments. What I am also saying is it is simply not as complicated as we have all been led to believe.
What has gone wrong then, you might ask, as several major corporations, government institutions and non-profits have been breached in the last 10 years? Weren’t these well-funded, strong organizations that spent literally millions on security?
How did we get to this ugly reality that from 2005 to November 2014, the total number of records exposed in breaches exceeds 673,293,959 records?
Now, the government is compelled to step in. The people are getting mighty irritated with all of this loss of data and they are letting Washington know about it. Legislators and regulators are now in the game, and that always ends well.
Welcome to the 2010s.
So, in my musings and discussions with very smart people and extensive study on the subject, I have compiled this list of things that just might be contributing to the root of our cyber-security crisis. I don’t think this is a comprehensive list, just a list of things I think we should discuss. I would love to see your list or additions to my list.
‘Not Discussed’ Cause #1 - Assuming you have been watching TV, or are up on social media, or even read a paper newspaper, you will notice many recent breaches are being branded as ‘sophisticated attacks’ or some such thing.
Has anyone considered this might be an effort to reduce liability for negligence?
I’m just saying.
When we security people gather around the water cooler to share notes, we all laugh at that word ‘sophisticated’. How was exploiting the use of the password, ‘password’ a sophisticated attack? We laugh not because we think it’s funny, mind you, but because we are amazed at how simple preventing it could have been. Plus, it’s a little funny.
Don’t believe it, most of these attacks were not sophisticated.
I encourage you to check me on this. Go look it up for yourself. You will be shocked how many breaches happened because someone had PII (Personally Identifiable Information) on a hard disk or laptop that went missing. Because the devices were not password protected and/or encrypted, a breach occurs, and now we have to report it, notify victims, offer identity protection, do a ton of PR damage control, and pay forensics professionals, all of which raises the cost of a breach to obscene levels.
Then we all see the news report “So and So Company Reports Sophisticated Attack, Probably a Nation-State” and we all freak out and turn catatonic not knowing it was because of an unsecured thumb-drive dropped out of Billy’s pocket and not because some group of mad professor level security hackers wanted some patient health info.
‘Not Discussed’ Cause #2 - The security program management process within most institutions is broken. That is, the appropriate level of leadership, priority and executive focus on making the best security investments at the best possible time is not deliberately approached and addressed.
One interesting metric to explore is the reduction of breach costs in companies that have an effective executive security officer, such as a CISO. You can find this type of info in spades if you check out The Ponemon Institute (www.ponemon.org) and their numerous studies on the subject.
My experience confirms that IT security is a full-time job, and having a competent team led by a competent leader tasked with identifying and managing your IT risk can pay big dividends.
I challenge you to ask your security team for their top risk/vulnerability identification and reduction plan. As a security professional, I can tell you with good certainty this is a litmus test for most organizations. If you are lucky, or blessed, you find out that your team is current on the biggest threats out there, and have counter-measures in place to keep you reasonably safe (in other words, you’ve made yourself a harder target.)
‘Not Discussed’ Cause #3 – The IT security and compliance industry itself breeds fear, uncertainty and doubt (FUD) to an almost frenzied level. Executives feel burned when they spend millions to comply with this standard or implement a new security capability, only to find out some other simple thing brings the whole house down, like when some uninformed person puts unencrypted files up on Dropbox and someone else who gets hold of their Dropbox credentials steals the data.
When an incident like this occurs, every company in the market wants to sell the next big new security gadget, appliance, or service. Fear sells. However, fear won’t reduce risk, and as I have stated before, fear is not a good basis for decision-making.
A sound approach is to get to know your security posture relative to mature and proven standards as a first step, and put a continuous improvement plan in place to mature your security to a basic level as quickly as you can afford it.
It sounds simple, because it is.
‘Not Discussed’ Cause #4 – It’s very difficult for companies to justify big security investments. Why? Because the concept of a ‘defensive investment’ runs counter to our processes and understandings of ROI for marketing, sales, and investments that make or save money, or what I call ‘offensive investments’.
Getting to the real cost of poor security on your reputation alone is enough to justify most reasonable security investments in awareness, staff and technology. Yet, many do not calculate this into their decisions around security investment and view security only as a cost center.
Not complicated, right?
We have to think of security like basic hygiene: brushing your teeth every day leads to fewer cavities. No one questions the need for toothpaste based on ROI; we all just know that cavities suck, so we invest in toothpaste and regular brushing to prevent them. We also didn’t have to be chemists to understand how it all works. We just brush our teeth.
‘Not Discussed’ Cause #5 – Good security has the worst expense/boring ratio of almost any business investment. Almost gut-wrenchingly boring and gut-wrenchingly expensive.
Encryption is a mighty security weapon, for example. But it can be very expensive. It is also very boring. Very tedious and not sexy work to implement. Relative to investing in an exciting new product, or hiring a new sales team, encryption ranks up there with a root-canal on most people’s favorites list.
I get it.
However, investing in encryption is proving to be one of the best breach preventers and loss mitigations out there, so it’s important you know the state of your encryption capabilities and ensure they are being properly utilized.
You don’t need to be a cryptologist to do that.
So, to sum this all up, I would say the most common denominator in my list is the presence of fear. Fear in the media, fear in the industry, fear in the boardroom. Fear is the mind-killer, as we have seen recently and as we learned from Dune. (https://www.youtube.com/watch?v=kJsYKhEV6o0)
The way you can best overcome the fear is through knowledge.
So, to help you overcome your fear barrier and take a close look at the basics in your environment, I have a short list of what I find are the best starting points:
- Know the location and security disposition of your sensitive data. I know, sounds simple. But when I look around the industry, and with clients, I remain surprised how many entities lack this basic insight. I have also found when doing this type of scrape of an environment, we always find insecure records and data within the first day of audit. Most of this data can be removed the same day. What you need to do with this data will become obvious once you know where it sits and what condition it is in.
- Understand your security controls. What controls do you have in place? Are they effective? Asking these two questions gets you far in understanding your security posture. I also am a big supporter of standards. Not because standards make you safe, but because they get you thinking about the right things.
- Awareness and training. I saw a recent study where over 50% of management didn’t even pay attention to security. Knowing what I know, and what Sony is finding out, I can tell you this should be the #1 focus of many companies and the only reason it’s like this is they just don’t know. Help them to know!
- Get outside help. Pride will not help you in this endeavor. What I make sound simple took decades to learn. A good expert will help you align your perspective to focus on the right things at the right time.
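The first item on the list, knowing where your sensitive data sits, is the one a team can start on the same day. As an added illustration (not code from the original article), here is a small Python sweep for two of the things the article calls out, stored payment card numbers and stored 3-digit card codes, run over a few constructed sample lines; the Luhn check keeps ordinary 16-digit invoice numbers from being reported as cards.

```python
import re
from typing import List, Tuple

# Constructed sample: the kind of lines that turn up in a forgotten export file.
# 4111 1111 1111 1111 is a well-known test card number, not a real account.
SAMPLE_LINES = [
    "order 1001 card 4111 1111 1111 1111 cvv 123",  # stored PAN plus a stored CVV
    "order 1002 invoice total 4111111111111112",    # 16 digits but fails Luhn
    "order 1003 contact jane@example.com",          # no card data at all
]

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# A stored card verification code, which PCI DSS says must never be retained.
CVV_RE = re.compile(r"\bcvv\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    return "*" * 4 + digits[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, detail) for each card-data hit."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((n, "PAN", mask(digits)))
        if CVV_RE.search(line):
            findings.append((n, "CVV", "stored card verification code"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind} {detail}")
```

Pointing the same functions at real files is a one-line change; what you do with the hits (delete, encrypt, move) becomes obvious once you have the list, as the article says.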
I hope you enjoy this article. Please like it if you do.
I am interested in your perspective, so leave a comment and let’s discuss!
Steve Olson
AppSec Consulting
king solomon used many proverbs for solvationism. {key though}. [wisdom]. W=L=solution=wave=results. just a man with a thought today. have a good day guy. G.
I chuckled when I read how security folks laugh about the "sophisticated hack". We know most compromises are not sophisticated. I like your list, but would stress that having the best security and IT folks in the industry is not enough if the organization's leadership does not embrace integrating security into their governance and making it everyone's business. Thanks Steven.
While 80% of breaches may be handled by a solid set of implemented controls, that means 20% won't. Most of that 20% is likely preventable as well, through solid architectural designs - we design weak systems then put on "controls" as afterthoughts and say "done". Solid engineering is needed, meaning we teach our systems and network engineers what true secure design and architecture is. Else we continue this pattern of chasing our tail.