There Are No ‘Miracle Cures’ in Security

Never join a ride share with a clown college, and never take your health advice from network news. “The surprising secret to firming up your stomach and thighs—in your sleep!” And, “Up next: the everyday item in your glove compartment to fight cancer.” Let’s not forget the commercials: “This product has been clinically proven in a double blind study to eliminate body fat just by taking three pills a day. It’s as simple as that!”

Notwithstanding the misdirection employed by the threadbare claims “clinically proven” and “in a double blind study”, you’re bound to run across dozens, if not hundreds, of miracle cures for everything from excess weight to restless leg syndrome. It’s easy to blame the pharmaceutical companies and manufacturers of over the counter meds, but the real blame lays on the consumers; us, the general populace.

What the marketing departments have tapped into are our weaknesses: the fact that we want to indulge our hedonism, yet be absolved in one act of contrition, one that we swallow rather than recite. The reality is a good percentage of the privileged world don’t want to take responsibility for our own health, to watch our diets, get a reasonable level of exercise, and avoid risky and unnecessary activities like smoking and drinking liquid sugar dispensed in pull-tab cans.

Which is all fine: we’re all endowed with free will. But instead of consoling ourselves with terms like “health care”, let’s call it what it really is: illness treatment.

I’ve made the point before:

The health care industry is a lot like the security industry: no one wants to have to call on either, and we often wait until it’s too late to invest in both health care and information security.

3 Ways to Develop Healthy Security Habits

Investing means more than allocating budget and spending money on technology: it’s a commitment of time and human resources. Sure, you can buy a treadmill, but you have to develop the habit to actually suit up and use it. Regularly.

Any organization with a moderately mature security model has already invested in a decent toolbox. Everyone needs a hammer, some screwdrivers, a wrench and pliers, a saw; in security we stock firewalls, anti-virus, IDS/IPSes, identity and access management, encryption, and specialized implements like database access monitoring and log management. Often we hire the experts who know how to wield those tools, but you can’t outsource exercise; the organization needs to make a commitment to a program and to work our security muscles.

See, buying the equipment then going in for a yearly check-up isn’t care, it’s one percent intention, but mostly detection. In information security we have a responsibility to our organization, our customers, our shareholders; complacency and hope is irresponsible. And despite our free will as individuals, I’d argue we have a responsibility to our friends and family on a personal level to care for our own well-being.

So what does eat consciously and exercise mean in terms of information security?

Let’s start by enumerating some bad habits:

• Kids naturally have the energy and will to exercise. They’re growing muscle, bone, and filling up their brains. At some point that growth slows down and we eventually notice the middle age paunch. It’s hard to get into the habit of regular exercise, particularly when most of us have desk jobs and have become accustomed to inactivity without repercussions because of the grace period afforded in our 20s. Building out an information infrastructure is fun and engaging, the geek equivalent of schoolyard dodgeball and monkey bars. But once the environment is in place, including the security controls, the enthusiasm disappears and we only grudgingly exercise the heavy lifting muscles of architecture.
• Installing technology and crossing your fingers that it will be the panacea to thwart attackers is like eating bran cereal in the morning to stave off colon cancer. Hey, that’s what the handsome newscaster prescribed. Or eating a low fat diet. But then add good fatty oils and nuts. Oh, and eat less meat and more vegetables. Pasta was good, then carbs became bad. And meat became “protein”. It’s pretty clear by the mixed messages that reductionist nutritional health recommendations aren’t the answer. The research is still indefinite, the advice biased by special interests, and frankly, there is no one answer. In his book, In Defense of Food, Michael Pollen says it best: “Eat food. Not too much. Mostly plants.” That takes effort, though. The security technology industry makes the same promises of magic protection in a 1U form factor, the pill that allays all your security concerns, and it suffers from the same fallacies as dietary advice.
• The caricature of the beer bellied, middle aged man spending half of his waking hours watching TV, feet up in a matted orange recliner, with and unbroken trail of food stains crossing from one arm to the other over his greying undershirt, is giving way to teens and thirty-somethings alike playing video games or immersed in social networking. The common theme is isolation. Even when out in public, we shut ourselves off from the throngs in a cocoon of music or inane banter provided by the ubiquitous mobile device and pumped directly into our earholes through standard issue white wires. All the while texting obsessively. The argument is that social networking, texting, and mobile phones are the opposite of isolation; however; my experience is most of it is banal, and there’s precious little deep discussion going on.

The first two habits obviously relate to exercise and diet. The last concerns building a community and intellectual growth through knowledge sharing. Ironically, the list itself is guilty of reductionism of a far more complicated system, both of biology/sociology and information technology and security.

3 Suggestions to Build a New Information Security Regimen

In this section I want to share with you three associated suggestions to build a new information security regimen, if you will. Neither the problem set nor the tips below are meant to be all-inclusive; there is no single, prescriptive pill to cure everyone’s security ailment. But sometimes a push all you need, the picture of a 400 pound shirtless guy stuck to your fridge door, for inspiration.

1. Don’t succumb to a sedentary security posture.

Set and forget is not a security strategy. Most networks resemble a New England farmhouse: the main house was built, and maybe a barn. Over time covered woodsheds became all the rage, cars came along and garages were built, then the whole mess of structures connected. The hodgepodge introduces structural and security weaknesses. As your information infrastructure evolves, you have to consider ripping it all out and rebuilding. This means creating new segments to house data with like classification, moving applications from system to system to separate PII and ePHI from data that’s not sensitive, and tearing out assets in favor of replacements in the cloud.

Yes, these activities have the potential to disrupt business operations, but so does a compromise. And it’s better to have the luxury of coordinating the remodeling and planning for contingencies than to have to recover from an unexpected system infestation. And almost certainly less costly.A side benefit is a dynamic infrastructure is it’s more difficult to attack, particularly if the campaign consists of a lengthy intelligence gathering and tooling phase, components of what we think of as APTs. A fluid environment isn’t guaranteed to thwart attackers—as with skeet shooting, you can lead the target—but one aspect of the game is to make it harder for the perpetrators to succeed. A complementary activity is to add honeynets, fully exposed to the internet as well as nestled among your operational assets, to provide early warning and to act as tar pits.

2. Eat your vegetables.

Maintain living security policies and practices. It’s easy to get dinner and soft drinks from a fast food drive-through; it’s much more effort to chop a mess of vegetables and wash pots and pans. But the eventual high cholesterol, diabetes, and host of other health problems that result from a high fat, sugar, sodium, and calorie diet often result in a shortened life expectancy, emotional stress, weakened physical state, and expensive treatments.

There are too few of us in information security who relish creating security policies and procedures, incident response plans, and meaningful metrics. Of the enterprises who’ve taken the time to plan, I rarely run across those who review it more than once a year and incorporate it into their workflow. Most places take a wrapped in styrofoam approach, which is to say the contents aren’t carefully selected for quality—locally grown, seasonal, and varied—but rather to deliver something with haste that may not suit the nutritional needs of its consumer. Eat it once and forget about it. Yet security is experiential, requiring constant vigilance and care to make sure it stays in tune with the business goals and risk strategy.

3. Be a student and a leader.

Take a class, attend a conference, join a peer group. It’s easy to fall into the habit of just following security news and blogs, but real knowledge starts to flow when two or more smart people get together, be they neurosurgeons discussing new grafting techniques, musicians jamming, or infosec geeks dissecting the latest exploit. Security isn’t a job description, it’s an inherent skill, a passion. Some people are good at sports, others at statistics. Security experts are constantly exploring, hacking: looking for the weaknesses in the keyless entry system that came with your new car or the latest Android app you just downloaded. And you want to share. Partly to start a dialog, and partly to help others avoid being victims. Maybe its your siblings, your parents, your friends. We’ve all been asked to help clean up some malware on a personal computer, and in the process you’ve tweaked their browser a bit to improve security, knowing all the while that the next infection is inevitable, but maybe you just delayed it a week or a month. When you have no formal authority, progress is measured in small victories and gradual improvement.

But as a security professional you have an obligation to imbue all hands with security awareness. That has to be more than just an annual reading of the policy and clicking on a button labeled Agree situated beneath an ominous legal statement that’s incomprehensible to those being compelled to abide by it, yet heaping every morsel of responsibility on the well meaning, everyday user. Security awareness programs should be interesting to all and tested on an ongoing basis. Feed the information in small doses and in a regular cadence; send phishing emails regularly and reward those who report them, perhaps by earning access to social networking sites—but don’t penalize users for falling for them; incorporate physical security into the program, which may have a more tangible connection to many non-technical users (show them how easy it is to pick a lock, sprinkle USB drives in the parking lot to see who plugs them in, have a friend at another company tailgate into your facility.)

Living a healthy life requires making the right choices constantly—what to eat, getting out for a walk five time a week, keeping your wits sharp—and so does infosec.

Even so, bad things will happen: appendicitis or a successful spear phishing attack. Sometimes misfortune happens in the pursuit of goodness: a twisted ankle while jogging, a vulnerability in the application firewall. But you have medical insurance, an incident response plan, and both are up to date, right?

Ironically, information security is not binary. There’s no such thing as “secure”. The goal is survivability, not sanctity.