Security Armchair Quarterbacks: Go Away - InformationWeek

IT Leadership // CIO Insights & Innovation | Commentary | 12/9/2014 11:40 AM

Security Armchair Quarterbacks: Go Away

Cyber criminals will never go away. Instead of looking for a silver bullet, be proactive, interactive, and focus on reducing risk.

I'm getting tired of the barrage of emails from security vendors saying that unless we implement some specific solution, "Target-like data breaches will continue into 2015." The implication is that only a cretin would fail to implement the pitched solution. I'm tempted to write back: "Would you be willing to indemnify my organization against data breach losses if we implement your solution?"

How did we get here?

It's way too simplistic to argue that IT is broken and it didn't used to be. The curmudgeons among us point back to the IBM, Burroughs, Sperry, and Control Data mainframes of old and revel in stories of near 100% uptime and near 0% security breaches. I was a young punk during the mainframe times, and here is what I know: They were (mostly) islands of computing. The people who had the knowledge or physical access to break into those systems were few and far between.

Even during the heyday of modem access -- bulletin board systems, FidoNet, Tymnet, UUNET, and the like -- the art of war-dialing, whereby hackers identified computer targets by having a modem try one phone number after another, was hit and miss. And because it took up to a minute to initiate a call and seek a carrier tone, if you hit 60 phone numbers an hour, you were lucky.

As technology became more widespread, bored 13-year-olds with modems started virtual doorknob-rattling. A national conversation emerged: Were they pranksters ("Shall we play a game?") or were they criminals?

As computers and networking grew ubiquitous, moving from a techie village into the big city, bona fide cyber criminals, seizing on modern methods of breaking, entering, and theft, became far more of a problem than goofy teenagers. Science fiction author Larry Niven predicted that the invention of teleportation would cause a huge spike in crime, because criminals could prey on a much larger pool of victims from afar. The global Internet proves Niven right in the abstract, as anyone can now attempt to steal electronically from anyone, anywhere in the world.

Criminals can now rattle virtual doorknobs not once or twice a minute with their 300-baud modems, but dozens of times per second with TCP/IP packets. The use of automation means that all connected machines are at risk.

Meanwhile, as tech moved into the big city, all the popular kids started using it. It has become embedded into our economy. An FBI agent quipped to me over a decade ago that the best bank robbers used a keyboard, not a gun. He was right then, and he has become even more right now.

Even people you might expect to shy away from high tech (your aging parents, probably) are now embedded in the digital economy via mobile banking and all manner of e-commerce, all of which link to their bank accounts and credit cards.

Now add all of that to the technology treadmill, whereby today's gold standard device or app or cloud service is tomorrow's belly laugh, and it's easy to see an additional risk factor. If physical building materials and security methods changed as fast as virtual ones, the problem would be starkly apparent to everyone. Just wait for Google to invent teleportation and to put it into perpetual beta development, and you'll see.

First-responder perspective
This picture may look gloomy, but there's hope -- and a lot of hard work ahead.

Let me share my perspective as a fly on the wall of emergency operations centers and law enforcement for the last several decades. We can never eliminate the "bad guy" or natural disasters or health emergencies. We can only reduce them.

Police, fire, and emergency medical pros believe in risk minimization, not elimination. And they understand that incident prevention is much cheaper than emergency intervention, even if they still must plan to respond to emergencies. How can we apply this approach to IT security?

First, reduce suckerdom. If there's indeed a sucker born every minute, it's incumbent upon IT emergency responders to spend time and resources teaching those suckers to, well... suck less.

Don't bore people with death-by-PowerPoint and a soliloquy. Conduct interactive training sessions. Keep those training sessions as short as an Ignite talk, and emphasize discussion. Use a learning management system for self-paced instruction.

Appeal to self-interest by helping people secure their home computers. Have regular conversations. Make sure that employees view IT security drills as a partner activity, and possibly even as (gasp) fun, not as "gotcha" traps.

Second, start having risk management conversations with business partners at all stages of product lifecycle, from idea to decommissioning. Make it clear to other business leaders that IT can and will react, and can and will take precautions, but that security at its best is much more than the reactionary part.

It will have been a productive conversation when business leaders, not just IT pros, freak out when data isn't encrypted and plaintext passwords are stored in a network folder labeled "password." It will have been a productive conversation when business leaders wonder whether the security risk of ramping up the beta technology treadmill is justified by the potential benefits.

We need to have these conversations with line employees, and then we need to listen. We need to be sensitive when we're causing complexity for employees. Any emergency responder would explain to you that complexity causes bad outcomes. That's why 911 isn't 828-524-0911.

For example, it's typical for employees to complain about password changes being forced too frequently. It's a complaint about complexity. We ignore these complaints because our auditor says so, and she says so because her checklist, developed in 2006, says so. Except that ignoring employees makes them roll their eyes, disengage, and become less likely to follow our (other) security advice, with real security consequences. Maybe we should stand up to our auditors and explain that with 12-character passwords consisting of uppercase and lowercase letters, numbers, and symbols, we might not need to change them every 60 days, and that forcing rotation creates needless complexity which could actually increase risk.
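The trade-off in this paragraph, worked as an added example (not code from the article): a small policy evaluator that checks compliance with the author's 12-character, four-class rule and estimates how long an offline attacker at an assumed guess rate would need to exhaust the weakest compliant password, next to a constructed 8-character, 60-day-rotation checklist policy. The guess rate and the checklist policy are assumptions for illustration.

```python
import math
import string
from dataclasses import dataclass
from typing import Optional

CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26 characters
    "lower": set(string.ascii_lowercase),   # 26 characters
    "digit": set(string.digits),            # 10 characters
    "symbol": set(string.punctuation),      # 32 characters
}

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    required_classes: int         # how many of the four classes must appear
    rotation_days: Optional[int]  # forced-change interval, None = no forced rotation

def classes_present(password: str) -> set:
    return {n for n, chars in CLASSES.items() if any(c in chars for c in password)}

def complies(password: str, policy: PasswordPolicy) -> bool:
    return (len(password) >= policy.min_length
            and len(classes_present(password)) >= policy.required_classes)

def weakest_alphabet_size(policy: PasswordPolicy) -> int:
    # The weakest compliant password draws only from the smallest classes
    # that still satisfy the class requirement (digits first, then letters).
    sizes = sorted(len(chars) for chars in CLASSES.values())
    return sum(sizes[:max(policy.required_classes, 1)])

def min_entropy_bits(policy: PasswordPolicy) -> float:
    return policy.min_length * math.log2(weakest_alphabet_size(policy))

def years_to_exhaust(policy: PasswordPolicy, guesses_per_second: float) -> float:
    # Years an offline attacker needs to try every weakest-case compliant password.
    keyspace = weakest_alphabet_size(policy) ** policy.min_length
    return keyspace / guesses_per_second / (365 * 86400)

# Constructed policies for comparison; the checklist one is an assumption, not a real audit rule.
CHECKLIST_POLICY = PasswordPolicy("8 chars, any one class, rotate every 60 days", 8, 1, 60)
AUTHOR_POLICY = PasswordPolicy("12 chars, all four classes, no forced rotation", 12, 4, None)
ASSUMED_GUESS_RATE = 1e10  # assumed offline cracking rate in guesses per second

def compare(policies, rate=ASSUMED_GUESS_RATE):
    return [(p.name, round(min_entropy_bits(p), 1), years_to_exhaust(p, rate)) for p in policies]

if __name__ == "__main__":
    for name, bits, years in compare([CHECKLIST_POLICY, AUTHOR_POLICY]):
        print(f"{name}: worst case {bits} bits, keyspace exhausted in {years:.2e} years")
```

At the assumed rate the 8-character policy's weakest compliant password falls in a fraction of a second, so a 60-day rotation window adds nothing, while the 12-character four-class keyspace takes on the order of a million years to exhaust.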

Most breaches are traceable to a lack of security fundamentals among employees or IT pros. I believe that we can and will improve security fundamentals as our industry matures into its late adolescence.

I don't have all the answers, but I'm not backing down on this point: Don't believe in silver bullets. We're in this age of breaches for many complex reasons. A quick fix probably isn't a fix, and buying into one wastes time and money better spent elsewhere.

I'm not saying that new security products aren't useful. They may be. But it's a grave error to give in to armchair-quarterback-inspired panic and focus on new toys instead of security fundamentals.

Jonathan Feldman is Chief Information Officer for the City of Asheville, North Carolina, where his business background and work as an InformationWeek columnist have helped him to innovate in government through better practices in business technology, process, and human ... View Full Bio
Comments
danielcawrey (User Rank: Ninja), 12/10/2014 | 7:55:14 PM
Re: Breaches often reflect a lack of fundamentals
I'm not one to lend credence to another product solving IT security issues. But I do think there is something to be said about some new innovations helping to fix some of these issues.

I do think, for example, that biometric measures can really help improve user security. And increasing the amount of encryption across all networks should be a big help, too.

JasonPolancich (User Rank: Apprentice), 12/10/2014 | 7:27:58 AM
Practicality is at a premium
Refreshing post. I find the most successful cyber defense operations are the ones that are the most practical, often eschewing tooling in favor of just having good, solid data on where their risks are and how they'll prepare for/respond to an event. Those organizations that can tell me exactly where they're most vulnerable, what the likely vectors are and how it will affect the business if they're hit in specific ways are already above grabbing low-hanging solutions fruit and trendy impulse buys.

Charlie Babcock (User Rank: Author), 12/9/2014 | 12:44:11 PM
Breaches often reflect a lack of fundamentals
Excellent discussion about where organizations need to begin to get to better security. "Most breaches are traceable to a lack of security fundamentals among employees or IT pros." Well said. The explanation, after it happens, will more likely be simple than complex. It was a sophisticated breach at Target, but still fairly simple.