Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

It’s 2019 and we know better

March 1, 2019 By Doug

(c) Depositphotos / MichalLudwiczak

Over the past few weeks I’ve run across, either personally or via press, case after case of companies with poor security practices.  These aren’t small shops like Bob’s Bait and eCommerce site, rather big brand name organizations that have sophisticated security practices.  So why do these things continue to happen?

Let me walk through some examples first.  A fairly large regional credit union asked me to submit some paperwork for a mortgage loan… via email.  I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day.  They took the situation very seriously, and I would still do business with them.

A major bank decided, without a request or authorization, to start sending email notifications of credit card payments being due, including the last four digits of the account, balance due, and credit limit, all of which are sensitive.  This is the same company that continually does a soft pull of credit scores to put on the bills – again, it’s opt-out instead of opt-in.  I reached out through their public contact info, heard no response, and closed my account a week later.

Press reports this week talk about a large telco provider that uses a default PIN on accounts of 0000 to ‘secure’ them.  They are ‘working on it’.  Fortunately that line of business has widespread competition, but in other areas they have monopoly control.  I could probably cite dozens of reports of common default credentials.

There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into applications.  Why anyone is surprised is beyond me.  There’s no such thing as a free puppy, or social media site.

A number of password management software vendors badly muffed the PR response to the recent report of credential harvesting from direct memory attacks.  Technically they’re right – the machine has to be compromised for the attack to work, but from a PR standpoint it’s a bad situation.  They build their company on trust, and customers feel as if that’s been broken.  I still use the software, but then again, I’d read the security paper, so this wasn’t a surprise to me.

An ecommerce site reported a loss of credit card information when their shopping cart software – which was out of date – was hacked.  There’s a new Thunderbolt attack that can dump memory.  Companies continue to produce public computers where people can enter sensitive information (think hotel business centers and all those tablets in the airport).  And there are dozens of companies, including some of the world’s largest brokerage firms, still relying on mother’s maiden name, last four of SSN, or other easily discoverable/guessed alternate authentication schemes.

In many cases, to paraphrase Ian Malcolm from Jurassic Park, these companies are focused more on whether they ‘could’ rather than whether they ‘should’.  I’m sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn’t bother to ask anyone in the security or privacy departments if they should – or how to do it safely.  At the telco provider, I’m sure, that decision was made by the support and account people, who were more worried about account recovery challenges than account takeover attacks.  They are paid on minimizing call center costs, so they optimized for their own interests over those of the customers.

Both of those tie to previous articles: from having the CISO report to the CEO or CRO instead of the CIO – so that they are a peer of the business, rather than subordinate to a service organization – to pushing not just internal security awareness, but also product security awareness throughout the business.  But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.

The most insidious reason though is inertia.  They’ve asked for mother’s maiden name since the beginning of time, and continue to do so because no one pushes change.  They don’t patch critical vulnerabilities, because ‘the system works’.  They don’t upgrade to the new OS because it requires a hardware refresh.  In some cases, like hardware, that may be a valid business decision (though I’d argue it’s many times a reflection of poor prior planning – like the Windows 7 desupport date.  Not a secret!), but most of the time no formal decision was made.

Changing the reporting structure is a major undertaking, and something for CEOs to consider.  Building a risk management workflow across stakeholders would be a good initiative for COOs.  CISOs can provide a conduit for ‘bad behavior escalation’.  CROs can expand the requirements for product security and privacy training.  For everyone else, there is something we all can, and should, do, especially as security professionals.

Speak up.

If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change.  There’s no excuse for these bad practices to continue in 2019.  Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.

Filed Under: Security Tagged With: 2019, breach, business alignment, inertia, privacy, risk, security

Entering the era of pervasive security

November 7, 2018 By Doug

(c) Depositfiles / katacarix

I often open a keynote presentation by noting that organizations are undergoing a fundamental shift in security strategy – moving from a compliance-focused to a risk-based approach.  That’s still ongoing; even for large and sophisticated organizations there is still a gravity towards ‘doing it for the audit’, rather than ‘doing it because there’s risk’.  Yet there’s another transformation on the horizon that most businesses are ill-prepared to address: we’re headed towards an era of pervasive security.

Compliance provides a floor for a security program – it’s the basic minimum that needs to be in place to pass an audit, but it does not mean that you’re secure.  Nearly every large breach in the past few years involved an organization that was compliant and had passed audits.  Yet they all were breached.  That realization is one reason that most security programs have been moving towards business risk – to provide a more effective security program that reflects the real-world threats facing them.

Now that sounds great, and it accurately reflects reality; after all, we can’t secure everything. Limited resources – people, money, time, technology – mean that we have to prioritize and focus our efforts on those portions of the program with the greatest return.  And the bad guys know it.

That’s the fundamental difference between security incidents and IT failures or natural disasters.  Often parallels are drawn between them, and programs and plans are drawn up based on system outages or tornados.  That’s fine to a point, but we have active adversaries working against us – attacking our systems, looking for weak points to gain a foothold.  One CISO recently said that what keeps him up at night are the low-risk systems.  Because there’s little security around them, and they talk to his high-risk systems.

That’s why we need to enter the era of pervasive security.  The good news is that pervasive security, for most organizations today, begins with basic blocking and tackling.  Patching systems, scanning for vulnerabilities, threat feeds, encryption, securing identities – especially privileged users, and having good visibility into what’s happening on systems and across the network all contribute to building that platform.  But there’s the largest challenge of all, and ironically it’s IT and product development. We’re continuing to build insecure products and systems.

It needs to be a mindset baked into our DevOps workflow (DevSecOps!).  Engineers, developers, business analysts, UI designers, DBAs, all need to have a secure thinking mindset – thinking about how things break isn’t enough.  The whole organization needs to think about how things can be broken.  Pervasive security by design – hardening systems against attack, making them resilient when they are attacked, and recoverable when they are compromised – will require a fundamental shift in how we build and deploy systems, and funding to go along with it.  That’s not an easy shift, and it will take both willpower and investment from the CEO and board level down.

Compliance isn’t going away – especially if there is a breach, not being compliant is brand-damaging (even if it wasn’t related to the breach itself).  Risk focus won’t either – it’ll help us prioritize where we deploy resources, and will continue to be the language as we communicate with business stakeholders and the board.  But those conversations will change; pervasive security will be the new normal for successful businesses in the next decade.

Filed Under: Security Tagged With: business, compliance, pervasive, program, risk, security

How much should you spend on security?

September 17, 2018 By Doug

(c) Dreamstime / Mosich.com

I regularly get asked by new CISOs for information – benchmarks – on how much organizations like theirs should spend on security.  That’s a deceptively simple question, and while there are plenty of surveys that you can reference, none of them provide more than a rough starting point – there are just too many variables.

The classic measure, ALE = ARO * SLE, is a nice fiction when it comes to cybersecurity.  Sure, we all learned it for the CISSP exam – annual loss expectancy equals annual rate of occurrence times single loss expectancy.  Put simply, if there are 100 houses in your neighborhood, and 10 burn down a year, that’s a 10% ARO.  If it costs $100K to rebuild the house (we’re ignoring the land and possessions here), then the single loss expectancy is $100K.  Multiply and we get $10K per year, so spending up to that amount on fire prevention makes sense.  Oversimplified, but you get the gist.

When it comes to a breach, things break down.  Looking at SLE first, there are hard costs (fines and settlements, and cost of response) and soft costs (brand damage).  So far so good – we can calculate the former with a fair degree of accuracy, especially with GDPR and the new California and Colorado legislation.  Soft costs are more difficult, and there’s some argument to be made that they’re much lower than most studies would claim.  Target, Home Depot, Anthem, Equifax, and all the rest may have taken a short term hit, but lasting brand damage has been hard to find, let alone calculate.  Still, for argument’s sake, let’s stipulate that we can get to some reasonable semblance of a number.

Where things break down is on probability – annual rate of occurrence.  These concepts came from risk management techniques used to price insurance and similar financial vehicles.  We have a decent historical knowledge of the frequency and severity of accidents, fires, floods, hurricanes and so forth.  While any given event may be an unexpected black swan to an individual, at a population level, the actuarial data is quite sound.

But cybersecurity isn’t there yet.  We’re just at the beginning of the storm and most events are still a black swan even at the population level.  Sure, we all know that we’re targets, but our sample size isn’t large enough to do broad analysis that we can leverage.  That’s because, unlike all of the other categories, with cyber we have active adversaries working against us.  And remember, they only have to get lucky once.  We have to be perfect – one failure and we lose.  Put another way, to paraphrase my favorite Jedi Master – it’s data loss, or loss not.  There is no loss partial.

So are we out of luck?  Not quite.  There are some things that can guide us.  First, there are two baselines – audit and hygiene.  Spend what it takes to pass the audit.  At the same time, there are general things that every organization should be doing today and would be considered negligent if they don’t.  Encrypting laptops, having a firewall, patching quickly, and so forth are more or less in that category.  Call it security hygiene.

Next, it’s time to do that data classification project you’ve been putting off.  Yep it’s hard, but you need at least a rough idea of where your crown jewels (close the door) and critical (expensive to lose) data are located.  Of course, you might need to really think about what those are before going to look (it’s not always what you think).  From that you can do rough calculations about cost of loss, and take what are called ‘commercially reasonable measures’ to protect the information. That’s a fuzzy concept, but there’s usually enough of an idea (and enough work to be done) that it’ll keep you busy for a couple of budget cycles.

Third is awareness.  Do you really know what’s going on in your environment?  Do you have good instrumentation – sensors that tell you what’s going on – and can you collect and process that to detect anomalies?  SIEM is one part of it, but security intelligence goes much deeper.  Once you have it, of course, you need to be able to take action on it, but that’s another topic.

Next is the most amorphous one of all.  I commented recently on a post on LinkedIn, and noted that I essentially presume that all of my personal information is already gone.  I still try to protect it of course, but I can’t avoid doing business with companies that have either poor security practices, or have lost it to active attack (one doesn’t always imply the other) – mainly because I can’t control where my data goes.  That fox left the henhouse when my college professors posted grades by SSN outside their offices, and it’s only gotten worse from there.

So what do I mean by the amorphous one?  It’s the ethical and moral aspect.  How would you want your information protected?  Or your parents?  Or your kids? Ironically some of the best protected data (credit cards) is the least damaging to the person if it’s exposed. Losing a card number is annoying. Losing an SSN is a much bigger deal, but that has already happened for essentially everyone.  Losing medical records, well, that’s a whole different story. Ask any security professional in your organization and they’ll have a pretty good idea if you’re doing a reasonable job protecting information or not.

Last is the reality check.  How much can we afford to spend and stay in business?  How much can we not afford to spend and stay in business?

Put all those together and we have a decent working model to determine our security budgets.  It takes auditors and accountants, technicians and data analysts, attorneys and regulators.  But in the end, it takes a mirror – when we look into it, are we confident we’re doing the right thing for our shareholders and our customers (or products if you’re a data broker)?

Filed Under: Security Tagged With: budget, CISSP, program, risk, security, security budget, spend
