December 9, 2014
I'm getting tired of the barrage of emails from security vendors saying that unless we implement some specific solution, "Target-like data breaches will continue into 2015." The implication is that only a cretin would fail to implement the pitched solution. I'm tempted to write back: "Would you be willing to indemnify my organization against data breach losses if we implement your solution?"
How did we get here?
It's way too simplistic to argue that IT is broken and it didn't used to be. The curmudgeons among us point back to the IBM, Burroughs, Sperry, and Control Data mainframes of old and revel in stories of near 100% uptime and near 0% security breaches. I was a young punk during the mainframe times, and here is what I know: They were (mostly) islands of computing. The people who had the knowledge or physical access to break into those systems were few and far between.
Even during the heyday of modem access -- bulletin board systems, FidoNet, Tymnet, UUNET, and the like -- the art of war-dialing, whereby hackers identified computer targets by having a modem try one phone number after another, was hit and miss. And because it took up to a minute to initiate a call and seek a carrier tone, if you hit 60 phone numbers an hour, you were lucky.
As technology became more widespread, bored 13-year-olds with modems started virtual doorknob-rattling. A national conversation emerged: Were they pranksters ("Shall we play a game?") or were they criminals?
As computers and networking grew ubiquitous, moving from a techie village into the big city, bona fide cyber criminals, seizing on modern methods of breaking, entering, and theft, became far more of a problem than goofy teenagers. Science fiction author Larry Niven predicted that the invention of teleportation would cause a huge spike in crime, because criminals could prey on a much larger pool of victims from afar. The global Internet proves Niven right in the abstract, as anyone can now attempt to steal electronically from anyone, anywhere in the world.
Criminals can now rattle virtual doorknobs not once or twice a minute with their 300-baud modems, but dozens of times per second with TCP/IP packets. The use of automation means that all connected machines are at risk.
Meanwhile, as tech moved into the big city, all the popular kids started using it. It has become embedded into our economy. An FBI agent quipped to me over a decade ago that the best bank robbers used a keyboard, not a gun. He was right then, and he has become even more right now.
Even people you might expect to shy away from high tech (your aging parents, probably) are now embedded in the digital economy via mobile banking and all manner of e-commerce, all of which link to their bank accounts and credit cards.
Now add all of that to the technology treadmill, whereby today's gold standard device or app or cloud service is tomorrow's belly laugh, and it's easy to see an additional risk factor. If physical building materials and security methods changed as fast as virtual ones, the problem would be starkly apparent to everyone. Just wait for Google to invent teleportation and to put it into perpetual beta development, and you'll see.
This picture may look gloomy, but there's hope -- and a lot of hard work ahead.
Let me share my perspective as a fly on the wall of emergency operations centers and law enforcement for the last several decades. We can never eliminate the "bad guy" or natural disasters or health emergencies. We can only reduce them.
Police, fire, and emergency medical pros believe in risk minimization, not elimination. And they understand that incident prevention is much cheaper than emergency intervention, even if they still must plan to respond to emergencies. How can we apply this approach to IT security?
First, reduce suckerdom. If there's indeed a sucker born every minute, it's incumbent upon IT emergency responders to spend time and resources teaching those suckers to, well... suck less.
Don't bore people with death-by-PowerPoint and a soliloquy. Conduct interactive training sessions. Keep those training sessions as short as an Ignite talk, and emphasize discussion. Use a learning management system for self-paced instruction.
Appeal to self-interest by helping people secure their home computers. Have regular conversations. Make sure that employees view IT security drills as a partner activity, and possibly even as (gasp) fun, not as "gotcha" traps.
Second, start having risk management conversations with business partners at all stages of product lifecycle, from idea to decommissioning. Make it clear to other business leaders that IT can and will react, and can and will take precautions, but that security at its best is much more than the reactionary part.
It will have been a productive conversation when business leaders, not just IT pros, freak out when data isn't encrypted and plaintext passwords are stored in a network folder labeled "password." It will have been a productive conversation when business leaders wonder whether the security risk of ramping up the beta technology treadmill is justified by the potential benefits.
We need to have these conversations with line employees, and then we need to listen. We need to be sensitive when we're causing complexity for employees. Any emergency responder would explain to you that complexity causes bad outcomes. That's why 911 isn't 828-524-0911.
For example, it's typical for employees to complain about password changes being forced too frequently. It's a complaint about complexity. We ignore these complaints because our auditor says so, and she says so because her checklist, developed in 2006, says so. Except ignoring employees makes them roll their eyes, disengage, and become less likely to follow our (other) security advice, with security consequences. Maybe we should stand up to our auditors and explain that with 12-character passwords consisting of uppercase and lowercase letters, numbers, and symbols, we might not need to change them every 60 days; that calendar-driven rotation causes needless complexity, which could actually increase risk, because people respond to forced churn with predictable patterns and sticky notes. Rotation still makes sense when a credential is known or suspected to be compromised; it's the routine, schedule-driven churn that buys little.
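To put numbers behind that argument, here is an added example (not code from the original article) that compares the 60-day rotation window against the time an offline guessing attack would need to search the keyspace of an 8-character versus a 12-character mixed-class password. The guess rate of ten billion per second (a fast, unsalted hash on a GPU rig) and the 95-character printable ASCII alphabet are assumptions for illustration; the function and constant names are mine.

```python
import math

# Assumed character-class sizes: the 95 printable ASCII characters split into
# lowercase, uppercase, digits and the 33 remaining symbols (space included).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed attacker speed for this example: ~1e10 guesses/s is the order of
# magnitude a multi-GPU rig reaches against a fast unsalted hash. Slow, salted
# hashes (bcrypt, scrypt, PBKDF2) cut this by many orders of magnitude.
FAST_HASH_GUESSES_PER_SECOND = 1e10

ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def keyspace(length, classes):
    """Number of distinct passwords of `length` drawn from the union of `classes`.

    This is an upper bound that only holds for randomly generated passwords;
    human-chosen ones fall to dictionary and rule attacks far faster.
    """
    alphabet = sum(CLASS_SIZES[c] for c in set(classes))
    return alphabet ** length


def keyspace_bits(length, classes):
    """Same keyspace expressed as bits of entropy (again, an upper bound)."""
    return math.log2(keyspace(length, classes))


def years_to_exhaust(length, classes, guesses_per_second):
    """Wall-clock years to try every password in the keyspace at the given rate."""
    seconds = keyspace(length, classes) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def fraction_searched_in_window(length, classes, window_days, guesses_per_second):
    """Share of the keyspace an attacker covers before a password expires.

    ~1.0 means the password is crackable well inside its lifetime, so rotation
    does not save it (length does). ~0.0 means the keyspace cannot be searched
    within the window, so rotating on a schedule adds nothing against guessing.
    """
    guesses = guesses_per_second * window_days * 24 * 3600
    return min(1.0, guesses / keyspace(length, classes))


if __name__ == "__main__":
    for length in (8, 12):
        print(f"{length}-char mixed-class password: "
              f"{keyspace_bits(length, ALL_CLASSES):.1f} bits, "
              f"exhaustive search {years_to_exhaust(length, ALL_CLASSES, FAST_HASH_GUESSES_PER_SECOND):.3g} years, "
              f"fraction searched in a 60-day window: "
              f"{fraction_searched_in_window(length, ALL_CLASSES, 60, FAST_HASH_GUESSES_PER_SECOND):.2g}")
```

Under these assumptions the 8-character policy is searched completely within the 60-day window (so rotation did not protect it), while the 12-character policy would take on the order of a million years to exhaust (so a 60-day rotation adds nothing against guessing). Neither number says anything about a password that has already leaked, which is why rotation on suspected compromise is still the right call.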
Most breaches are traceable to a lack of security fundamentals among employees or IT pros. I believe that we can and will improve security fundamentals as our industry matures into its late adolescence.
I don't have all the answers, but I'm not backing down on this point: Don't believe in silver bullets. We're in this age of breaches for many complex reasons. A quick fix probably isn't a fix, and buying into one wastes time and money better spent elsewhere.
I'm not saying that new security products aren't useful. They may be. But it's a grave error to give in to armchair-quarterback-inspired panic and focus on new toys instead of security fundamentals.