Throughout the past several years, there has been an exponential increase in both the number and severity of cybersecurity incidents. In recent weeks, data breaches from Quora, Amazon, Dell, Marriott, and others drew opinions from every corner of the globe. I might be able to guess what you are thinking: “Here goes another piece on how bad things are.” Quite the opposite—I think things are not nearly as bad as they seem. When we take a moment to measure the gains, we see signs of tremendous progress:
Two years ago, only 21 of the top 100 sites utilized HTTPS; that number is now at 79.
10% more organizations reported containing incidents in less than 24 hours.
64% of incidents are now detected internally.
Cybersecurity spending is expected to sustain a 12-15% annual growth.
Average dwell time decreased by 25% in the past 5 years.
We still have work to do, but it is undeniable that we are miles ahead of where we were as recently as five years ago. Despite this, there has been an increasing number of articles, tweets, and posts taking a near-crazed stance toward cybersecurity and the overall IT landscape.
There is no disputing how important these topics are and the attention they deserve to receive. Despite the progress noted above, we still see individuals and organizations alike maintain a stunningly apathetic attitude toward cybersecurity. For example, Marriott appears to have failed on multiple levels, beginning with its evaluation of the Starwood enterprise and the development of its incident response processes, combined with a healthy topping of poor visibility into its own environment—the latter of which I am sure we can all relate to. To be clear, the Marriott breach is a huge issue and will likely have sweeping implications both for the brand and for our industry.
In the days following the incident disclosure, though, how did we react? The usual experts Jake Williams and Troy Hunt did their typical Nobel Prize-worthy work, but many others abandoned common sense entirely. Before any important details had surfaced, there were calls for the CISO to be fired, predictions of massive Marriott stock drops, and a wide variety of Chicken Little-style commentary on the dangers of the internet. Why do we do this, and is it helping?
The cybersecurity industry has long been plagued by a lack of awareness among enterprise users, business executives, and the general public. Many industry veterans and cybersecurity godfathers have fought for decades to help users and businesses better understand how the internet is leveraged to negatively impact their personal lives and operations.
Although this battle for awareness will never end, we have made enough progress that we now face a relatively new problem: keeping these same people believing they have a chance at security. We have seen a rash of “thought leaders” and “experts” speak about the gaps in security controls while either extolling the benefits of an impractical solution or never offering a solution at all. These individuals might believe they are increasing overall awareness when they are usually only spreading additional fear and confusion.
Between the constant stream of data breach headlines, predictions of a security apocalypse, and vague warnings of threats everywhere, many are becoming understandably numb to cybersecurity as a whole. This leads to exclusion from important conversations, abandonment of existing security controls, or a combination of the two. Let’s take a look at a few relevant examples:
Two-Factor Authentication
Perfectly highlighting this scenario is the data leak from Voxox (formerly Telcentris). During this leak, a Kibana front-end served up a fully parsed, easily searchable database of SMS messages that contained a variety of 2FA codes and other personal information. Although this leak is indisputably concerning, it was used to promote the immediate abandonment of SMS 2FA.
Passwords are not going anywhere anytime soon; Troy Hunt has already covered this perfectly so I’ll save the space here (if you haven’t read it, you should). As with anything, SMS 2FA is not a silver bullet, and is far from a perfect solution. However, it is an easily implemented and managed solution that provides ample reinforcement to a simple username and password. This type of 2FA still provides an out-of-band hurdle to overcome, which exceeds the skill of many script kiddies and renders the majority of users not worth the added trouble.
The cybersecurity industry continues to plead with massive organizations—full of sensitive user data—to use any form of true 2FA (ID.me, Netflix, Groupon, Tesla, Visa Checkout, Walmart, Target, etc.). User adoption of 2FA has also seen slow growth, as most organizations implement it as an optional security feature.
When we rail against SMS 2FA, we are eroding user adoption of the concept behind 2FA. Most users will not purchase a hard token, and many do not understand or have support for soft-token technology. The result is a confused or helpless user who no longer understands why they are going to the extra trouble of SMS 2FA and will likely disable it altogether.
Bring Your Own Device and Internet of Things
BYOD and IoT devices will be an expected part of most large enterprises sooner rather than later. Millennials may have championed the idea of technology as a commodity, but Generation Z will be the first to realize its true potential. As such, the average user has become accustomed to internet-connected “smart” devices, and business executives have seen the productivity, quality, and automation gains from embedded technology.
We can also acknowledge that the IoT landscape specifically is a mess, which will likely get much worse before it gets better. Throughout the evolution of this budding industry, it is important that security remains at the forefront of the conversation. When the reaction to IoT and BYOD becomes hyperbolic, it undermines the credibility of the industry and reinforces the ‘stick in the mud’ stereotype commonly associated with our profession. This dangerous assumption can often lead to exclusion or disengagement from tactical and strategic planning decisions, to the detriment of the organizational security posture.
Cloud Adoptions
The other day, I saw this post on LinkedIn about the rapid growth in Amazon Web Services (AWS), and how it is now offering services that directly compete with some of its existing cloud customers. I have declined to name the individual writer as it is not the point of this article, nor would it bring any added value. But, as you can see, this individual used the news as an opportunity to rail against cloud providers and how they use their cloud to steal from other organizations. This individual combined his “wake up” plea with advice to host everything internally, effectively setting the technology clock back to 2005.
This type of hyperbole displays—near perfectly—the issue at hand. Cloud technology has been a massive boon to both business growth and individual productivity. Most startups and small businesses cannot afford to host everything on-premise; users love the convenience cloud solutions offer; and Chromebooks have been a step forward for both lightweight and secure computing.
Assuming everyone took this advice and abandoned all cloud services, it is unlikely they have the technology or security resources (let alone knowledge) to properly implement such a solution, leaving their posture even further degraded. The more probable outcome is that they will continue with their cloud strategies and disregard the advice of security personnel who subscribe to this type of rhetoric.
Let’s Try Something Else
I propose a different approach: Let’s change the communication structure surrounding cybersecurity incidents, risks, and threats.
“Perfect is the enemy of progress” – Winston Churchill
We have become so caught up in how security should be done that we have lost sight of regular improvement. It is important to remember that business operations are the goal of organizations; in most cases that goal is not cybersecurity. We must approach every conversation from a business operations perspective and work our way to a security control from there.
The same applies to users. Users do not inherently care about cybersecurity; they care about accomplishing what they want to do. In effect, users’ business operations are to use technology to make their lives more convenient, enjoyable, and productive. If we fail to tie a security control back to support of a core operation, we will lose that battle every time. Let’s instead start by understanding what the process accomplishes and why it must be completed. This additional insight allows us to understand which controls would have a significant impact both on the process and on the organization. Blending this knowledge, we can evaluate and present security controls that are an improvement on the current organizational state. This cyclical process continues in perpetuity and makes for a progressive, dynamic, and more secure overall IT environment.
As this cycle continues through multiple rotations, it becomes important to recognize existing progress and be realistic about the current state. Every time we exaggerate a risk, it reduces the number of people who will pay attention to us when it really counts. Conversely, when we provide a logical evaluation of the current state, while encouraging positive behavior, it promotes improved decision-making and consistent improvement.
Nothing truly great has ever been accomplished overnight, and cybersecurity is no different. Instead of planting our feet firmly in the ground we must instead push for an improvement from yesterday. Although this will often require us to compromise from what we know is better—accepting good-enough solutions—it improves the overall security posture of the organization and promotes continued inclusion in the decision process.
Perfect security doesn’t exist, and it never will
The business operations landscape is undergoing a tremendous transformation through the widespread adoption of Managed Service Providers (MSPs), the continued expansion of IoT, and the general commoditization of IT. The way we conduct operations today was science fiction material not too long ago. It is imperative we continue to cement and expand our role in the conversations about these implementations by providing a security perspective that supports business operations, not hinders them.
The next time there is a splashy breach headline (tomorrow?), or a business leader has a new IT idea, let’s all take a deep breath and think about what good approaches might look like. The days of the “No Culture” in cybersecurity need to end. We must focus on partnering with businesses and users to provide practical security solutions, pragmatic advice, and a level-headed voice of reason.
We can start by asking ourselves: Is this a net gain for the overall security posture? If so, this might be time to accept an incremental victory and prepare to fight for a better solution on the next go-round.