“The definition of insanity is doing the same thing over and over and expecting different results.” – Albert Einstein
Is it possible that there are companies that deserve to experience a security incident?
Some may call this unproductive thinking, but it seems that some businesses are exposing themselves to repeat attacks due to how incidents are being handled. Here are some examples of recent and common behaviors that are putting businesses at undue risk:
- Victims of cybercrime are not reporting their incidents. This lack of reporting may on the surface appear to protect the victimized organization, but that notion is short-sighted. By keeping the details of the attack and attackers private, we cannot learn from the event. This lack of detailed information about events makes it much harder to prevent, detect and correct them when they occur again. Our inability or unwillingness to share information becomes a critical weakness when fighting cybercrime – this is especially common among small businesses. Knowledge is power.
- Victims of cybercrime are settling out of court. Believing that they’re saving their reputations and wallets, victimized organizations avoid prosecution of attackers or malicious employees. Without prosecution, bad people never become criminals, and they simply move on to their next victim. Background checks against bad people are useless unless they have a criminal record, and criminal records don’t exist without prosecution. The same bad employee could end up working for the victimized company again and again if they were determined and understood how easy identity theft was.
- Victims of cybercrime aren’t collecting or using event evidence to strengthen their security programs. Actionable intelligence is the equivalent of sights on a handgun; without these your chances of hitting your target become much, much lower. Security devices – firewalls, intrusion prevention, monitoring, anti-malware – record mountains of activity data during a security incident. Leveraging this information can help ensure that you’re less vulnerable to the same attack again.
As human beings we are programmed for self-preservation, these reflexes have helped us survive for millennia. However, it is these same survival reflexes that cause us to trade long-term pain for short-term gain. It takes considerably more thought and patience to factor the complex network of cause and effect relationships into our security decisions, but the juice can be worth the squeeze.
And as a bonus, Einstein wouldn’t have you committed.
Early Christians were an organized bunch.
While other religions were floundering in banal castings of “good” and “evil”, Catholics were taking things to a whole ‘nother level. Although they didn’t become popular until the early 14th century, the 7 Deadly Sins proved to be a useful tool for theologians of the time. With such a variety of vices from which to choose, clergymen could condemn miscreants for anything from excesses to laziness. Who would have guessed that these same labels would have information security applications thousands of years later?
Now, I feel that I should clarify one point. While I did go to Sunday School as a child, I am not a religious individual. In fact, the last time I stepped foot into a church I was there to admire the architecture. My next visit should be along the lines of a bake sale.
All that being said, I too tend to be an organized person and categorizing things helps reduce the chatter in my mind. I also find that the 7 Deadly Sins have a rightful place in information security, as we find so regularly that businesses, practitioners and risk owners commit these “things that His soul detesteth”.
Without further ado:
- Lust – It continues to be proven time and time again that technology does not solve security challenges, yet there are individuals who find that shiny new piece of technology irresistible. It is the people and processes around your hardware and software that will determine how effective they are, regardless of what miracles they claim. It was not the sandals that allowed Jesus to walk on water.
- Gluttony – Some security practitioners and business owners do get it. In fact they get too much of it, and their employees pay the price. Your security controls should match your risks. And although we appreciate the intent of these enthusiastic individuals, please stop. You’re giving us a bad name. Security can be inconvenient for employees even when it’s done well; when it’s overdone it can be downright painful.
- Greed – Businesses will often claim that they can’t afford to spend money on security services. To this I reference the countless statistics demonstrating breached businesses that were unable to recover. The losses caused by cybercrime are increasing at a staggering rate. If you’ve got confirmation from a reliable source that it’s going to rain for forty days and nights, don’t build your Ark out of straw.
- Sloth – Inaction on the surface of a business may in reality be a symptom of other things, including lack of resources, lack of direction or lack of motivation. A healthy dose of awareness and education is typically needed at these organizations, followed closely by good leadership. Executives should be setting the security “tone at the top”, and an effective Risk Management process should be defining security priorities. Information security is like religion: it’s a journey, not a destination.
- Wrath – To be honest, I couldn’t come up with a good analogy for this one, but I can get a little feisty when Dunkin’ Donuts is out of hot chocolate. I confess.
- Envy – Information security is no place for blind faith. The business across the street may look like yours, but that doesn’t mean you have the same risks. And it doesn’t mean you should be implementing the same security controls. Understanding your own risks is the only proven method for protecting your business. Amen.
- Pride – “We’re well along with our security program, gentlemen.” “We’re audited all the time and we’re compliant.” “We’ve got that security thing under control.” The words of false prophets, these can be the most devious of all. Not only do these individuals deprive their people and organizations of objective assessment, advice and relief, their messages convey a false sense of security. These are the proverbial wolves in sheep’s clothing.
I was baptised at a relatively early age. Rocking a bowl cut and leisure suit, I even made Communion. And then through a little bit of hard work I learned that some assets are sensitive and need special security controls. It didn’t take an act of God.
If you are a business owner, a CFO or a security practitioner, or just know one of these individuals, I encourage you to re-read this list of mortal sins. If necessary, etch them into a stone tablet and carry them to the top of the nearest mountain.
It may just help you avoid the Apocalypse.
It doesn’t take a security genius to figure out that the theory of preventing security incidents – from malware infestations and child porn cases, to bank fraud and data breaches – is a failed concept.
For years we have ignored, overlooked or rationalized the dramatic increases in both security spending and losses from cybercrime. Despite a 40 percent annual increase in information security budgets, the total of losses and costs from security incidents has increased 400 percent. This can only mean the following:
- We are spending our security dollars on the wrong things. If your company spends more on security hardware and software than it does on security policies, processes, measurement and analysis, it may be time to review your priorities. Security peace of mind comes from knowing exactly where your weaknesses are and the knowledge that you’ve effectively strengthened them. Ask your security hardware vendor to guarantee their product’s effectiveness – they’ll respond only with a smile. You may also be interested to know that the US Military spends more on analysts and communications than it does on guns and artillery.
- We are implementing the wrong things incorrectly. Whether it’s the use of default passwords on firewalls or misapplied IDS and SIEM rules, commonplace security hardware and software is falling down on the job. But it’s not doing it alone. Just like guns don’t kill people, firewalls don’t ALLOW ALL. Without a thorough, consistent Certification and Accreditation process, companies will continue to put hardware and software on the wire that does little to protect them, all while introducing new vulnerabilities.
- The wrong things, once implemented incorrectly, are not being assessed or measured for incorrectness. It is a well-known statistic that a significant majority of security breaches are made possible by the lack of effective patching of systems and applications, where patches have been available for six or more months. While poor configurations are released into the wild, effective assessments can reduce those risks. How well is your security infrastructure protecting your business? If you can’t answer this question quantitatively, it’s time to implement a system of regular assessment and measurement.
One of the most profound findings from 2011’s Verizon Business Data Breach Investigations Report (see image) was that 86 percent of data breaches were discovered not by the afflicted parties, but rather by the afflicted party’s customers, partners or business associates. This staggering number demonstrates that despite all security efforts, companies are doing an inadequate job of prevention (and detection, in this case).
The time has come to shift our efforts to detection and correction, or at least institute a better balance across these domains. Consider your bank, and what they consider their most valuable security controls. Rarely do you find armed guards at banks today, and most of them prefer glass doors. Inside, however, you’ll find cameras, panic buttons and dye canisters at every teller station. You can’t stop bank robbers, but you can stop bank robberies.
With all of the press around security incidents these days, blogs like this feel like beating a dead horse. Unfortunately, if this preaching weren’t falling on deaf ears the statistics would be headed in the other direction. So grab your conscience, some duct tape and a bottle of water, there’s work to do.
And grab a shovel, we need help digging this grave.
Like most people, I remember September 11, 2001 like it was yesterday.
It was a bright and beautiful afternoon as we drove North along the 3 headed back to Zürich, following a 10-day visit to Innsbruck, Venice, Milan and a number of other quaint countryside villages. I was visiting a good friend who had recently moved to Switzerland, and we were taking some time to enjoy Europe’s best sights. The Alps are breathtaking, no matter what time of year it is.
As we entered the city center and got closer to Andre’s apartment, we could feel the end of our trip growing closer. I was scheduled to fly out the following morning and Andre was headed back to work. As we mentally switched gears, we also switched radio stations, changing from the throbbing dance music that kept us hammering on the Autobahns to a local news broadcast. It was in German, so I only caught every fifth word.
I will never forget the look on Andre’s face.
“An airplane crashed into the World Trade Center”, he said in his thick Dutch accent.
Simultaneously piecing together in my mind what I just heard and sorting through the possibilities of mis-translation, I immediately began rationalizing what might have happened. Once I gathered my thoughts I explained to Andre that this had happened before, and that the buildings are so big that a small Cessna wouldn’t cause much damage.
For a while I lived in New York City just three blocks South of the World Trade Center. I lived in a large apartment on the 26th floor with a balcony that overlooked the towers. I walked through World Trade South nearly every day. My apartment didn’t need paintings or artwork, I had the New York City skyline.
“It wasn’t a Cessna, it was a jumbo jet.”
For Americans, everything changed on 9/11. The inconceivable events that transpired on that day shifted everything we knew in a different direction. Finances, politics, healthcare, education, relationships – everything we knew suddenly took on a different perspective. A different priority. But none of these things changed more than our position on security.
The 9/11 Commission spent nearly three years collecting, analyzing and documenting the 585 pages of data resulting from that day and the years leading up to those horrific events. In the end, the Commission determined that there was a single condition that made the events of that day possible.
We didn’t think it could happen to us.
As simple and sad as that seems, there’s another chapter to this story. We face a much greater threat today, and we find ourselves repeating history. The infrastructure that our very existence depends on is in jeopardy, and we have put our heads in the proverbial “9/11 sand”. An exploitation or compromise of our power, water or financial networks could result in a complete collapse of society and death tolls that bin Laden himself could not imagine.
This is not science fiction. Thanks to Hurricane Irene, we have seen very recently what power and water loss of only a few days can do to a community. Now imagine this on a global scale.
By the year 2020, there will be 50 billion devices connected to the Internet. There will be tens if not hundreds of thousands of hackers and organized cybercriminals. If it took the United States ten years to track down one man moving from cave to cave, how long will it take us to dismantle an organized network of 100,000 computer hackers?
On this, the ten-year anniversary of the worst security incident in United States history, I urge you to ask yourself the following question:
What are we doing to avoid Cyber 9/11?
Cybersecurity insurance continues to be an increasingly popular investment for businesses of all types and sizes. Seen as a catch-all for the unpredictable, unreasonable or undesirable, cybersecurity insurance has become an attractive option for businesses who don’t have or don’t take the time to understand their alternatives.
But cybersecurity insurance policies, like other insurance vehicles, can be tricky and expensive. They’re not a cloak of invincibility. Heck, they’re not even a security blanket. Here are just a few of the issues.
- First, cybersecurity insurance is a moving target and you may find yourself underinsured or not insured at all. The less you understand about security, your assets and your risks, the less you will understand your insurance policy. One of the most painful lessons of Hurricane Irene was in the area of insurance. We heard countless stories of homeowners who thought that their expensive flood insurance policy would cover their losses, only to find out that they weren’t covered due to some esoteric loophole. Little did these policyholders know that there are many types of flood insurance, each covering a specific condition. The same is true of cybersecurity insurance.
- Insurance can be more expensive than prevention. Insurance premiums for flood, fire and other policies are based on endless mountains of actuarial data that have been analyzed, sliced and diced such that the carrier knows exactly how much to charge for coverage. This premium ensures that the carrier will continue to make money even when its policyholders have claims. These calculations are based on statistical certainties. Because cybercrime is both immature and ever-changing, these piles of actuarial data do not exist, causing carriers to conservatively over-charge. The money you’re spending on insurance could have been better spent on avoiding the problem in the first place.
- Insurance won’t replace all assets. If insurance is your primary security mechanism for assets that are irreplaceable, you’re putting yourself and your business in jeopardy. Things like backups, historical data, documents and other sensitive or confidential assets cannot be recovered by insurance. There’s a reason that 25% of businesses that are victimized by cybercrime never recover.
- Insurance won’t protect your reputation. When your business experiences a data breach, a malware outbreak or other security incident that results in a public relations issue, no amount of insurance coverage is going to repair the damage. Understanding your risks will help you avoid an incident; paying for insurance that doesn’t help only adds salt to the wound.
Cybersecurity insurance can be a valuable defensive mechanism for businesses when applied properly. When properly understood and selected, it can address areas of risk that are difficult to manage with other controls. When misunderstood, it can compound a security incident with confusion, frustration and expenses.
If you’re considering cybersecurity insurance, give the policy a close read. If you already have a policy, give it a closer read. The last thing you want to hear from your insurance carrier after a security incident is, “sorry Charlie”.