It must be a day that ends with “y” because there is a mega-breach. This time it is Equifax, a giant, faceless credit monster that eats data and spits out excuses. I will spare you the details of the Equifax breach as you can read about it here or here.
However, the details are familiar: millions of records, huge impact, easily exploited vulnerability, finger pointing…sigh.
Well…roll in the soap boxes. Time for us security professionals to commence with our ranting and raving:
“I told you so”
“If only Equifax had our next-generation kill-chain blind spot artificial intelligence machine learning blah blah blah.”
“This is another example of how my brilliant and obscure ideas about security are being ignored.” (Okay, I will admit to saying that at least once.)
“What the Equifax breach tells us about the state of security is…”
Another day, another breach, another round of posturing and pontificating.
But this time…yawn… I am not the only one who noticed the Banality of the Equifax Breach.
Equifax was like so many other breaches. It was not some super-ultra-deep-state hacker cabal…it was plain old laziness and lack of discipline on the part of Equifax. And people will talk this breach to death, and walk right back to their cubicles and continue to perpetuate these same problems.
This is outrage fatigue. That feeling of hopelessness that happens when repeated rounds of shocking news fail to change behaviors. This has become a common problem in the USA. Every day is another “unprecedented shocking moment” that results in no real change.
Maybe we are going about this the wrong way?
Remember back in the good old days of 2011 when a breach happened and everybody was suddenly talking about information security? It was exciting.
More specifically, people who controlled budgets were talking about information security. Breaches heightened awareness. Firewalls, anti-virus, penetration testing, and SQL Injection were no longer weird, arcane concepts that made CEOs roll their eyes. Hacking went from the server room to the Board Room. It was awesome!
And now, hacking is everywhere. From the flapping lips of Trump to the churning bowels of Reddit. Everybody is an uber-genius hacker. Everybody is outraged. Everybody is going to fix this…any moment now.
All this talk, and nothing. In a few short years, people have gone from (☉_☉) to ¯\_(ツ)_/¯ when it comes to breaches. They still talk about it, but the tone has changed.
Next Generation Meh
I have the fortune to meet and talk with a lot of leaders. In the past few years, I have heard a common refrain: “I am sick and tired of spending money on security, when it never works.” Leaders are frustrated with information security. Technology vendors make promises and rarely deliver.
Equifax is yet another example. Like so many mega-breached companies, they poured money into all those next-generation appliances. They hired all the big, important, expert gurus. They passed audits. They slapped themselves on their backs for their immense cleverness at defeating the hackers.
And yet none of it meant anything. Unpatched Apache servers, a simple thing to fix, were the culprit. And all that tech did nothing to stop the breach.
Breach with a Side of Malaise
Making matters worse…who the heck cares about another breach? Seriously, what can any of us do about this? A CEO I know asked me today: “what are you doing to protect yourself from the Equifax breach?”
I answered honestly: “what CAN I do?”
While there is a chatbot that lets you sue Equifax, I suspect that is more for show than reality.
There really is nothing any of us can do. Once again negligent people, who are paid generous salaries, did not care about the security of our data. They were too busy proactively leveraging their synergies, attending another hacking-con, or getting another pitch from a VAR. They could not be bothered to actually secure anything.
The rest of us? What choices do we have here?
Oh sure, the lawyers will sue the daylights out of Equifax. In nine years there will be some judgement. None of us will see a dime. They will appeal and appeal until nobody cares any longer.
The people at Equifax will probably lose their jobs. Eh, so what. The shortage of skilled talent in information security is so high, they will be employed again soon.
The auditors who “passed” Equifax as secure and compliant probably have clients lined up out the door to buy their high-volume, low-cost, cut-rate audits. When people have convinced themselves that “we got this security issue under control,” no amount of data to the contrary will convince them otherwise.
We are in a new age. An age where outrage is meaningless. It does not motivate people to change. Outrage is junk food. We gobble up big greasy bags full of indignant outrage, smack our lips in satisfaction, and then flop down on the couch to drool. Each new breach is just another bag of junk. It tastes good, but makes us sick. And we line up like addicts to get the next bag.
In an age where outrage has no meaning, it serves no purpose. We must shift the focus to those we can trust, rather than those who wrong us. This is why so much of information security thinking is backwards. We obsess about the people who are out to get us. Yet, that does nothing to stop them. It makes us feel like we are doing something without actually accomplishing anything substantive.
I believe we need to focus on the people, products, and institutions we CAN trust. This is a small, and possibly dwindling, list. However, it shifts the focus to areas where we can make change. Rather than build castles to keep out the Huns, we must be building communities of partners. Rather than spending money on more next-generation boxes of magic, we must focus on making the technologies we have do the work we need. Rather than focus on the institutions we cannot trust, let’s focus on the ones we can trust.
Be the Change
When you want to change behavior, you essentially have two ways to do that:
- Tell people to change
- Change yourself
In my experience, telling people to change rarely works. It does not matter how true your facts are. People will believe what they want to believe.
However, when you make the change yourself, others will follow. I believe the companies that do have good security have a duty to share their good ideas and successes. Netflix comes to mind here. They have built a number of cool security capabilities such as Security Monkey, Scumblr, and Stethoscope. Rather than hoard it all for themselves, they shared it openly. It helped all of us. They made the changes, and then showed us the way.
Be the change you want to see in security. Do not give Equifax any more of your time, data, or attention. They have lost our trust. They need to re-earn it.
Now, stop projecting your outrage and go do what you know is right.
I disagree. Equifax should be heavily penalized for failing to patch. This was a weaponized exploit with a risk rating of 10 out of 10 (CVE-2017-5638). Perhaps if the financial penalty is high enough, others will take notice, and change their behavior, and get FAR more serious about patching immediately.