It is that time of year to reflect upon the accomplishments (or failures) of the year and think about next year. One of the exercises we do at Anitian from time to time is “Start/Stop/Stay” – that is, what are the things we need to start doing, the things we need to stop doing, and those we should keep doing?
2014 was a busy year for IT security. From Shellshock to Sony, the hacks were fast and furious. As such, this year there is an ample supply of things that need to start, stop, or stay.
Stop: Panicking
The Sony hack has revealed a not-so-dirty-little-secret about attacks – panic leads to dumb decisions. Sony’s decision to pull, then not-pull, then sort-of-pull the movie The Interview because North Korea hacked them is profoundly stupid. Thanks Sony, you just let the hackers win and show how effective hacking can be. That will only encourage more of the same.
It turns out the movie was stupid, North Korea probably did not even conduct the attack, and George Clooney is sensitive. Great. That surely was worthy of all those news cycles.
The lesson here for the rest of us is simple: do not make big decisions in the heat of the moment. There is no need to cave in to attacks. The best post-attack response is to admit the attack, commit resources to cleaning up the mess, and then implement sustainable controls to prevent the attacks in the future.
Start: Embracing the Cloud
For the past few years, most security people have been wary of the cloud. There were a lot of reasons the cloud was not quite ready for secure hosting. However, hosting in the cloud is now preferable from a security perspective. Cloud vendors, particularly Amazon AWS, are integrating security controls directly into their offerings. Also, security vendors like Fortinet and Palo Alto offer a wide selection of cloud-based security controls.
Cloud providers manage their infrastructure with greater diligence than most IT departments can. Amazon deserves special kudos for handling a massive update of their infrastructure with little to no noticeable downtime in September (more). Considering how many Internet-centric companies are now run at AWS or Azure, it is clear that these environments have finally matured.
Make 2015 the year you dump the hardware and move to the cloud. It is no longer just a place for hipster start-ups who care less about security.
Stay: Vulnerability Advertising
In the past, when new vulnerabilities were uncovered, information about them was unceremoniously posted to blogs, forums and dense, technically-oriented advisory sites. It would take weeks or months for important vulnerability data to disseminate out to the masses, thus granting attackers precious time to exploit them.
This year saw the release of two very significant vulnerabilities: Shellshock and Heartbleed. The mere fact that we can refer to these with a single, catchy word and gain instant recognition is evidence of how successful vulnerability advertising campaigns were. Vulnerabilities now have their own PR campaigns, and this is a good thing.
In April 2014, when Heartbleed was announced, the news spread very rapidly. Vendors quickly released patches and everybody was talking about it. Even the traditional news media, which routinely bungles IT security reporting, was talking about Heartbleed. Heartbleed even had its own catchy logo, a stylized drippy heart icon, which only helped create a common language for this vulnerability.
A few months later, Shellshock was announced with similar marketing efforts. Shellshock picked up a cracking egg logo and even a theme song (Shellshock from New Order).
While some IT security people may be rolling their eyes at the union of advertising and vulnerability research, the fact is, this enhanced public relations effort really paid off. People paid attention to these vulnerabilities and reacted to them quickly. It is difficult to quantify the impact this vulnerability advertising had, but there is no denying how quickly news about these vulnerabilities spread.
While the logos and theme music might seem cheesy, they create a language that people can easily understand. This concept, simplifying security language, is driving other trends in IT security as well. Anitian, for example, has embraced this concept in our RiskNow, Rapid Risk Assessment technique.
IT security needs to relate with the masses better. These advertising efforts are very helpful and we hope to see more of this in 2015.
Stop: Making Excuses
2014 had an abundance of companies and people making excuses. Target, JP Morgan Chase, Staples, and Home Depot all had long lists of reasons why their protections failed. Couple this with the epidemic of complaining and whining in IT, and it is amazing the Internet even works.
For 2015, the time has come to stop complaining. Nobody has the resources they need. That is no excuse to sit there like a lump and refuse to secure anything. If you have a team of whiny IT people who produce excuses rather than answers, fire them remorselessly and hire people who produce results.
Start: Risk Assessment
If there is one big takeaway from all the attacks of 2014, it is how poorly companies manage risk. Target and Home Depot remain poignant examples of this. When the dust settled, we learned that Target was ignoring alerts and Home Depot had antiquated security controls. Sony, however, really gets the golden turd for allowing attackers to essentially own their entire business. For all the resources these large companies have, they displayed a startling lack of risk awareness.
For 2015, businesses must start to assess and understand the threats they face. This information must go beyond the IT department and get into the boardroom. That means (some) IT people need to put on suits and start talking like business people. They cannot spew buzzwords they picked up at the last RSA conference and expect leaders to understand them (see our Communicating Risk to Executive Leaders blog entry). Moreover, new security controls need to be tied directly to risk reduction strategy. That leads us to the next issue for this year.
Stay: Security Analytics
2014 saw the emergence of a new and promising class of technology: Security Analytics. The sophisticated data and behavior analysis of these products has great promise to deliver the “digital Sherlock Holmes” we desperately need. Start-ups like ThreatStream, Cylance, CrowdStrike, Cyphort, and Hexis are joining established players like IBM, BlueCoat, RSA, and Palo Alto Networks to field advanced breach detection and data analytic tools. 2015 could see a maturation (as well as consolidation) in this space. For more on Security Analytics, check out our three-part research paper (Part 1) (Part 2) (Part 3).
Stay: Cyberwar
While we have been skeptical of cyberwar for many years, 2014 saw the first indications that cyberwar is a real, credible threat. For 2015 that means organizations that handle intellectual property that has global value need to seriously consider the threat of state-sponsored attacks.
Stop: Checkbox Compliance
Another lesson from the big hacks of 2014 was the poor state of PCI compliance. It’s astounding that companies like Target and Home Depot can claim PCI compliance with such egregious security holes. However, the big revelation is how poorly PCI auditors are doing. We wrote about this in a blog entry earlier this year (here).
For 2015, it is time to stop checking off boxes and hiring discount auditors and face the reality of compliance. Just because compliance does not equal security does not mean it is okay to cut corners meeting requirements.
Stop: Cyber-Frothing
Reading IT security news is often similar to watching angry homeowners curse raccoons for tipping over garbage cans: futile outrage. You are not going to change the nature of raccoons any more than you are going to dissuade hackers from taking advantage of weak security.
The Chinese are hacking America! Yeah, so what? The North Koreans hacked Sony! Yeah, so what? SSL has a huge vulnerability! Yeah, so what? These may be real, credible threats but frothing about them solves nothing.
Outrage is only useful if it promotes action. The fact that the Chinese (allegedly) fund hacking groups should compel you to build a strong, sustainable security program. Loud-mouthed “gurus” screaming about Chinese hacking protects nothing and just encourages more hacking. On the other hand, a well-managed next-generation firewall, as well as consistent patch and system configuration management programs, can stop Chinese hackers.
Furthermore, the more sensational a claim is, the more proof it requires. Could the Chinese knock out our power grid? It might be plausible, but that does not mean it is likely or even desirable.
For 2015, turn all that outrage into action. Let’s stop shaking our fists impotently at the mischievous raccoons and focus on keeping our garbage locked up.
Stay: SANS 20 Critical Controls
While it is not a perfect list, the SANS 20 Critical Controls is a very good framework for IT security controls. Unlike CobIT or NIST, the SANS framework is actually attainable for an average IT department.
For 2015, use this list as a basic benchmark for evaluating your security program, if you are not already doing so. However, watch out for the metrics. Many of these are unrealistic for an average IT shop.
Start: Asking Why
I have a note on my monitor at work that says: questions beat answers. It is a reminder to keep seeking truth. It also is a reminder that people only really grow and learn when they have to find their own answers.
IT security needs the freedom to ask why. Why do we do this? Why are we not doing better? Why did we select this vendor? Why are we avoiding the problem? “Why” is a powerful tool to find truth. If your company culture suppresses “why” questions, then you have a very serious security vulnerability. One that no patch or appliance can fix.
For 2015, respect the “why”. The process of seeking truth will reveal more truths along the way. All those “whys” may not only uncover the truth, but also foster some real growth and learning.
Stay: Brian Krebs
Mr. Krebs is one of the best things for IT security. His blog keeps us playing our best game, if for no other reason than we never want to be the subject of one of his posts.
Have a great 2015 everybody!