Authored by: Chris, Geek at Attivo Networks – Earlier this week, Tony and I got the opportunity to hang out on a webinar discussing the state of Information Security, from a hacker’s perspective, and numerous influencing aspects around it. Here are some of the thoughts and takeaways, AND if you have time, here’s the link to the on-line version (yea, sorry, it’s a link, click it OR Google the show from BrightTALK’s site if you don’t trust me!)
Check out the recording here.
A little background to get you thinking:
- There are somewhere between four and five billion people plugged into the internet right now, and the rest of the world is influenced by it in some way, whether they know it or not. We (the geeks) hold the keys to the kingdom, and we’re NOT really up to the task.
- There are millions of applications and billions of data points to consider when planning the future. The attack surface available to threat actors keeps evolving faster than the security industry can react. It’s time for the industry to get its head out of the sand, collaborate with ALL those around us, and take action.
Assume You Have Already Been Breached
What we’ve been doing has failed! Totally, utterly, and with no exceptions. Apologies for the bluntness and drama, but it has. When you compare what we spend with what we keep losing, we should be thoroughly ashamed of our track record. We need to accept the fact that it’s impossible to stop every adversary from getting into a network; it just isn’t going to happen. Once you’ve accepted that, you have to decide what to do about it. Look at it this way: a home alarm won’t stop a burglar from breaking into your house, but if it goes off and scares them away before they can take anything valuable, it has done its job.
Prevention vs. Remediation
Thousands of years ago, we built walls around cities, countries, and fortifications. Why did we stop? Because they just aren’t that effective in the long term. We’ve had over 4000 years to learn that lesson, but unfortunately an awful lot of corporations still place misplaced trust in the modern digital “walls” and the security stacks they have built around them. We don’t need more firewalls. Arguably, what you already have would work IF it were integrated correctly into a well-managed stack AND someone paid attention to the output, was able to continually manage the situation, and so on. Remember the Maginot Line? That’s basically what we’re dealing with here. Looked pretty, but kinda useless.
So, stop looking only at the reactive side of the world. The technologies we’ve been focused on have not done well by us these last 20-30 years, so why do we expect that to change? Start to focus more effort on the proactive, predictive, detection and deception side of the world.
Consumer Education is Key
Too many breaches and too many attack vectors are human-based. What have we forgotten to do? Yep, train the human, with something other than a “once a year to keep the auditors happy” mentality. When was the last time we took time to FOCUS on the humans that work with or for us? When did we help them keep their friends, families, kids, and parents safe online? When was the last time we HELPED them understand why their email is used against them, or sent the monthly reminders that help them spot scams throughout the year? Too many organizations don’t do a good enough job of helping their employees learn in an effective manner (punitive NOT being the right answer). Simply getting people to ask “one more question” before they act would cut down on fraud considerably. The rallying cry from our industry of “Don’t Click Shit” needs to be followed with HOW users can tell the difference between good and bad.
People Learn from Experience
As humans, we learn through experience. As kids, we were taught that the stove is hot and the kettle will burn, but many of us HAD to experience it to understand it. Unfortunately, this is also the way that many organizations approach security: they’ll listen, nod their heads and go about their normal business UNTIL something happens. Then, and only then, they’ll come back and learn (and blame us for not telling them!). How DO we change this human behavior and stop it bleeding into the world of business? Passwords are a great example: how many people use the same password for a whole bunch of different websites? People have been taught it’s not safe, that once one site leaks it the attackers will try YOUR password on 100-200 other sites to gain additional access, but people do it anyway because it’s easy. Chances are, folks won’t stop unless (or until) all their information is compromised. Finding a way to change these very human habits and attitudes is key.
Industry Cooperation and Collaboration Matters
The future is a shared responsibility among all of us in the industry. We need to band together with a diverse set of opinions and perspectives and work with our peers both within and outside of our own verticals in order to drive the security industry forward and learn from each other. Only when the finger-pointing stops and cooperation begins can we move toward a safer, more secure world. Consider this a rallying cry for initiatives such as DevSecOps, tinkerer groups, BSides conferences and other efforts that aim to bring more than just security folks together. My challenge to you is this: the next time you go to a conference, BRING someone from outside our industry with you.
That’s all for now.