Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Why do people (or companies) take risks?

January 25, 2018 By Doug

It’s a dangerous world, and yet there’s a spate of recent studies showing that people and companies continue to take risks with their cybersecurity. The truth is that we all have to take risks – there is no such thing as complete safety. The question is, how do we decide which risks to take?

All too often the answer is that we take risks by default – without an explicit decision – and accept the status quo simply through inaction. As individuals, folks fail to use password managers, or click on links in email. Corporations may not implement good security instrumentation and analytics. And both individuals and companies fail to apply patches in a timely manner. Most often that’s due to a lack of awareness or budget, or an unwillingness to make tradeoffs between usability, cost and security. There’s a joke among fire protection vendors that the best time to talk to a potential customer is when the building across the street just burned down. From a cybersecurity perspective, while it’s not quite Dresden after the allied bombing, big chunks of the city are in ashes, and yet the inertia continues.

I recently wrote a post suggesting that folks ask ‘why’ when their toaster asks for internet access. That’s a plea to assess risk and actually make a decision, rather than accept risks by default. Doing so requires augmenting our desire to manage risk with good supporting processes: creating a culture of risk awareness and authority, establishing a clear risk workflow, and most importantly, building a security program that responds with ‘how’ instead of ‘no’.

Risk awareness begins with identifying data owners for the critical information – someone who has business responsibility (legal, regulatory, ethical) for the assets in our organization. A Chief Risk Officer can help identify those owners, and collaborates with them on decisions, but often doesn’t have the business acumen necessary to fully evaluate tradeoffs. From there, risk awareness has to permeate the organization, down to individual staff and developers. To paraphrase Ian Malcolm in Michael Crichton’s Jurassic Park, everyone needs to stop focusing on whether we could, and start asking whether we should. That’s a mentality shift that our security professionals can help folks make, if we provide proper support.

Key to that support is having an established process for identifying stakeholders and owners, evaluating the risk and benefit, and making the decisions. That process needs to accommodate situations where there are no clear owners or lines of authority – I’ve seen cases where inertia reasserts itself when it becomes difficult to figure out who to ask. We have to have a default path, and an overall process that returns answers promptly. Getting risk answers must be easy.

Those answers should very rarely be ‘no’. This is something that security folks, particularly those from a compliance background, really struggle with. We have to avoid making snap judgements based on our innate low risk tolerance or on assumptions about budgets (and willingness to spend them). Here’s a great example: the users have a need to share files securely outside the company. The security team says ‘no’ to Box, Dropbox, or OneDrive – either because of a lack of perceived control, or because they assume the business won’t fund a corporate account. So folks ignore the policy, and we have hundreds or thousands of users accessing Box, Dropbox, Google Docs, or OneDrive – because they have to do it to run the business. The better option is to respond ‘yes, and here’s how to do it safely, and how much it costs’. Better yet, we should provide several options and costs for the users to choose from (including the cost of a breach!). Business stakeholders generally make smart decisions when presented with reasonable options, and are much better at following – and finding money to support – policies they helped craft.

So that’s our duty – create a risk culture, help raise and expose the risk, then present options and facts. At that point the business, not security, makes the decision. For a profession full of control freaks, that can be hard to do (it took me years to really learn it). It’s even harder when they make what we believe is a bad choice, because we know we’ll still get blamed if there’s an incident, or at least have to clean it up (I sometimes think the CISSP logo should be a mucking shovel). As an aside, that’s why a key part of the process is good, written documentation with formal signoffs.

As long as we make sure it’s a fully informed choice, we can go home and sleep well at night. After all, we don’t own risk. We own risk awareness.

Filed Under: Security Tagged With: security

Just ask “Why?”

January 9, 2018 By Doug

Today we’re constantly asked to make decisions that have security and privacy implications. Most of the time these are individually innocuous, but collectively they present significant risk. All too often, we simply click yes, plug in the cable, share the wifi password, or give up personal information. Instead, before even asking if it’s secure, ask “Why?”

Here are some examples:

  • Why does my refrigerator, dishwasher, vacuum cleaner, lightbulbs, or child’s teddy bear need an internet connection?
  • Why does the social media site need my real birthday or current location?
  • Why does the doctor’s office need my SSN (unless you use Medicare)?
  • Why does the retailer need my email address for a receipt?
  • Why does that website have 42 trackers (seriously, just saw that today)?
  • Why does that app need access to my microphone, contacts, or music library?
  • Why does my TV need an internet connection? Why does it have a microphone?
  • Why do I want that technology vendor listening/watching everything I do at home?
  • Why should I always use my primary email address for sites that aren’t important?
  • Why does my bank need my mother’s maiden name?

For many of those, the answer is: to provide some functionality I desire, and in exchange the company can exploit and sell my personal information. For others, it’s inertia (like the doctor asking for an SSN), or poor security question design (like mother’s maiden name).

We all have different tradeoff points – I essentially answer no to them all (or give false information, or a junk email address); others may say yes across the board. Of course, once you decide it’s worth the tradeoff, but before you actually do it, the ‘is it secure’ question needs to be answered. One quick thought on that – if it can’t be patched, it’s not secure.

So the next time a waffle iron, toothbrush, or coffee maker asks for your wifi password, stop a moment and ask ‘why’, then make a conscious decision about the tradeoffs.

Filed Under: Security Tagged With: internet, Internet of Things, IOT, privacy, security, waffle iron, why

Rotten Apples: Mac Anti-malware

December 20, 2017 By Doug


Macs get malware. There, let the flames begin. There’s still an impression that Macs are somehow immune and you don’t need any sort of protection. While it’s true that viruses are very rare, malware (i.e. anything I don’t want running on my system) is quite common. So what’s the state of Mac antimalware these days?

Back when I ran Windows, buying antimalware software was a no-brainer. But the Mac has been different – there’s far less malware, the OS is harder to infect (though Windows 10 closed a lot of the gap), and Apple does a decent job with XProtect of killing the truly malicious software that’s been discovered. If you remove Java and Flash (you should) and stay off the seedy side of the Internet, your risk of infection is pretty low.

Yet in the past month, I’ve removed malware from two of my friends’ Macs. One was a bit out of date (and had several infections) but the other was current and fully patched. In both cases it was a form of adware – something that monitored all internet traffic, phoned home, and inserted ads on web pages. At least one appears to have been installed from a malicious phishing link, but the other’s infection path wasn’t clear. After removing it, they both asked me about installing antimalware software, and that’s a challenge.

Over the past year I’ve been searching for a solution that would provide these key features:

  • Antiphishing (privacy friendly URL filter)
  • Antimalware (including adware)
  • Stable
  • Low overhead
  • Proactive updates before Apple updates break things with new releases
  • Priced based on the risk (i.e. lower than Windows – but don’t expect free)
  • No spyware/adware/etc

Unfortunately, in my search, I’ve yet to find a package that does it all.  I looked at nearly every vendor, including Norton, Kaspersky, Bitdefender, Intego, Trend Micro, Sophos, ESET and Malwarebytes among others.

None of them provided privacy-friendly anti-phishing. All did a pretty good job at antimalware, but only some covered adware. Most caused stability and performance impacts that weren’t acceptable. Some were good at being current, others were really bad. The best were overpriced for the risk, and a number of free ones had things that made me wonder about privacy. There were a couple I didn’t even look at, let alone install (not listed above), as they are nearly malicious in their own right and require nuking the machine from orbit to remove.

In the end, I picked an updated version of my old standby – and the one I used to remove the adware: Malwarebytes. They’ve recently added real-time protection/prevention capabilities, which is a big boost. On the Mac, I think it’s moderately overpriced versus the risk and functionality, but not grossly so. A privacy-friendly URL filter remains a wish-list item. For the threat that I see, which is primarily adware, it’s the best overall solution for personal or small business use.

Filed Under: Security Tagged With: antimalware, apple, mac, malwarebytes, security, viruses
