It is that reflective time of year when every IT security blog publishes its top ten list of new technologies, great ideas, or other attempts at profound prophecy. Not wanting to seem left out of the running, Anitian has a list of ten things that we should stop doing in 2014.
10. Accepting a Broken Status Quo
Process serves the business, not the other way around. The status quo is often a vulnerability in and of itself. Attackers and malware rely on bad practices or weak controls remaining in place. This year, take the time to revisit all those reports, reviews, meetings, and controls to confirm their usefulness. Make a commitment to have a clear “value statement” for every security control. If a control or practice does not provide tangible value (like reducing risk), then throw it away and get a new one that does.
9. Complaining About Vulnerabilities
It is always easier to complain about vulnerabilities than to fix them. Break that cycle in 2014. Squash the complainers and make a commitment to patch and fix problems. Complainers consume resources without producing results. Vulnerabilities are a fact of life. Not a single vulnerability in the history of the universe was ever patched as a result of people complaining about its existence.
8. Saying No
If the default answer of your security team is “no”, then it is time to say no to saying no. Shooting down every new idea, application, or service because it might be insecure is itself a sign of insecurity. Security teams need to enable the business and find ways to say yes. There is a reasonably secure way to do anything. Just because you do not know that way does not mean it does not exist.
7. Conducting Useless Penetration Tests
If your penetration test report is a printout from Nessus or Nexpose, you did not get a penetration test; you got a vulnerability scan. A real test involves a skilled tester who validates that each finding actually exists, attempts to exploit it, and assesses the risk it poses in your environment, including chains of individually “low” findings that a scanner reports in isolation. The problem is that raw scans deliver a skewed view of security: they report false positives nobody has confirmed and miss logic flaws no signature can see, so they can make your environment seem better (or worse) than it really is.

In 2014, make a commitment to get a real penetration test that validates the effectiveness of security controls. Incidentally, PCI DSS 3.0 (Requirement 11.3) also calls for a documented penetration testing methodology, and that requirement becomes mandatory in mid-2015, so you might as well get started now.
6. Getting Checkbox Assessments
Are you dumping data into some cloud compliance portal only to have it promptly checked off from some distant, uninvolved assessor? How about an on-site assessment where the auditor never talks to anybody, or does not seem to understand how basic security controls function? These are probably checkbox assessments, and they are more than just a waste of money, they are dangerous.
Checkbox assessments not only deliver a false sense of security, they also reinforce the idea among employees that lying and cheating are acceptable business practices. This translates into low-trust, low-security environments where people are conditioned to be deceptive.
If you want to build a culture of excellence, it begins with being honest to yourself about your strengths and weaknesses, and that starts with honest assessments from skilled analysts.
5. Deploying Security Controls in Monitor-Only Mode
So, you spent a gazillion dollars on that “Next-Generation” security device and yet it spends its time passively sniffing for bad stuff, unable to stop anything. If you cannot trust the security technologies you buy, then why are you buying them?
The whole point of in-line, high-performance security technologies is that they can stop bad stuff before it can do bad things. If you are not blocking, then it nullifies the core value of the technology. Sure, knowing that you had an attack is nice, but that is after the fact. Moreover, monitoring for intrusions without blocking creates a tremendous amount of administrative overhead. You need somebody to investigate all those intrusions now, which is a massive job, even for a small network.
While it is true that no device can block everything, it is still better to have obviously bad stuff blocked. This allows you to focus on the less-obvious bad stuff that is slipping through. A short monitor-only period to tune rules and weed out false positives is reasonable; leaving the device in that mode indefinitely is not. Make this year the year you stop merely monitoring for attacks, and start actively blocking them.
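As an added illustration (not part of the original post), here is what the monitor-only versus blocking decision looks like in a web application firewall configuration, using ModSecurity directives. The rule ID, the pattern, and the log path are placeholders chosen for this example.

```apache
# --- Before: the control has been left in monitor-only mode ---
# Every rule still evaluates and logs, but "deny" actions are never enforced,
# so the SecRule below only generates alerts for somebody to investigate.
# SecRuleEngine DetectionOnly

# --- After: enforcement turned on ---
# The same rules now stop the request before it reaches the application.
SecRuleEngine On

# Keep an audit log of relevant (blocked and error) transactions so that
# enforced decisions can still be reviewed after the fact.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log    # placeholder path

# Example rule (hypothetical id 100001): reject requests whose query or body
# arguments carry an obvious SQL injection probe. Under DetectionOnly this
# line only writes a log entry; under "On" the client receives a 403.
SecRule ARGS "@rx (?i)union\s+select" \
    "id:100001,phase:2,deny,status:403,log,msg:'SQL injection probe blocked'"
```

The practical sequence is to run with `SecRuleEngine DetectionOnly` for a defined tuning window, review the audit log for what would have been blocked, fix the false positives, and then switch to `On`. The mistake the post describes is treating that tuning window as a permanent state.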
4. Saying “Big Data”
Big data no longer means an actual large quantity of data. It has become a meaningless buzzword to convey “impressiveness” to technology buyers. Sales people use it as a key word to remind you that if you want to be a big boy, with all the big toys, then you need big data to embiggen your big security program. It is time to send big data off to the buzzword graveyard along with “cyber” and “next-generation.”
3. Being a Security Jerk
Fear, uncertainty, and doubt (FUD) has been a lingering problem in information security since the dawn of the industry. Most practitioners are quick to dismiss FUD. However, lately the FUD-o-philes are embracing a new tactic to get people to listen to them: name calling. Some security people have mistakenly assumed that the way to get end users to take security seriously is to indignantly call them idiots. Recently, I watched a well-known security guru spend 45 minutes on a stage defiantly proclaiming how stupid end users are and how “they just don’t get it!” He whined incessantly about how nobody listens to his sage security advice.
I wonder why his co-workers ignore him?
Nobody likes the arrogant know-it-all in the room. If you want people to adopt good security practices, you have to be able to persuade them. If you want to persuade them, you need to get them to think it was their idea to follow those good practices. That means being a good example, having a positive attitude, praising people for accomplishments, and setting clear expectations.
An indignant, holier-than-thou attitude about security is the fastest way to become marginalized, ignored, and ultimately criticized.
2. Whining about the NSA
Wait, you mean to tell me that the government is…gasp…spying on us? NO WAY! The big NSA leaks this year have to be the most pointlessly exaggerated problem of our modern post-irony era. What did you expect when we all joyously cheered the creation of gigantic government security agencies back in the early 2000s? That they were going to focus their massive budgets on getting cats out of trees?
We created this, and now we are all angry that it is out of control, but nobody wants to stop it. We all want our own privacy, but do not want anybody else to have privacy. Sorry, but it does not work that way. Either you want protection or you do not.
However, whining about the NSA is a symptom of a more problematic disease that rounds out this list.
1. Schizoid Security
We love security, but we hate it. We tell people security is a top priority, and then immediately whine about how the controls are too restrictive and demand they be shut off. We love safe airplanes, but hate the TSA people who are begrudgingly trying to keep them safe. We are obsessed with protecting ourselves with “stand your ground” laws and effortless access to weapons, but then hate it when people abuse those rights to cause harm.
Such is the schizophrenic nature of security (in the USA): we love it until it gets in our way, then we hate it with the white-hot intensity of a thousand suns. This contradiction is demolishing trust. The less we trust, the less able we are to trust when we need to. If you cannot trust anybody or anything, then everything is a potential enemy. Where does that leave us? It leaves us in a persistent and paralyzing state of fear.

This “trust nothing, trust nobody” mentality is also breeding new attitudes toward security. As the industry spends increasingly more effort on publicizing attacks and breaches, it creates a perception of inevitability, that nothing works and attackers can never be stopped, which is simply not true.

Into this vacuum has rushed a new way to sell us something: security analytics. If you cannot trust anything or anybody, then you need a “big data” engine to keep tabs on everything, everywhere, all the time. The security analytics market begins with the assumption that everything you have is, at some level, broken. The only way to spot an attack is to crunch gigatons of data in the hope that somewhere in the haystack you will find your needle.
If this sounds familiar, this is exactly what the NSA does to find terrorists: sift through data to find suspicious actors.
Let’s make 2014 the year we fess up and admit we like spying and that security is important. Let’s stop turning off controls when they get in the way. Let’s embrace emerging analysis technologies and let them fill the gap between what we can trust, and areas where we are still building trust.
Lastly, let’s learn how to trust. Trust is the currency, fuel, and energy of security. Without it, we cannot function. Information security is not about destroying trust, it is about having methods that ensure trust and empower it. Consider this next time somebody tells you to trust nobody. If you really cannot trust anybody, or anything, then you can never be secure.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com