Top 3 reasons why fighting small battles is losing us the war

"Are you sure you are a security guy?" A friend and colleague working in anti-fraud asked me this a number of times on a recent project. The answer is no, I am not. Not your typical one anyway. I think sometimes I am more of a business guy trapped in the body of a work prevention officer. I care about viability, the bottom line and time to market. I spam people with the latest developments in the industry. I am also a tech geek trapped in the body of an InfoSec guy. I think WebSockets, NoSQL, Node.js and CoffeeScript are cool, and I do not immediately worry about the security hazards they bring. I believe most things that benefit the business can be done securely enough to mitigate the risks to a level the business would accept. For these reasons, I have become increasingly frustrated with the InfoSec industry and with security in large companies in general. If we stopped crying wolf at the small stuff, there is a better chance we could have some real influence on the big issues.

Large corporations today are not getting the benefits startups and consumers enjoy. The technology innovation and adoption cycle used to go government > corporations > consumer. That is now reversed. This is not entirely the fault of security and compliance groups, but some of it certainly is. Maybe not by directly saying NO, but by the perception that security, compliance or risk would never approve this. By making the review and assessment process so long and onerous, it is just easier not to do it.

I will provide three examples where fighting small battles is losing us the war:

1. Fear of the external and loss of control

See if you agree with the following statements in today's world:
  • Security of the internal network is a myth, e.g. RSA, Sony
  • Having a hard outer shell and soft center(s) is pointless
  • Firewalls are porous
  • Anti-virus is ineffective
  • You have to give someone access. Someone has to administer systems
  • Data loss and leakage is simple and occurs every day
  • Many services are outsourced: this includes the cleaners in your office and datacenter, repairmen, temps and contractors, all the way to HR, infrastructure, desktop and network management
  • Great volumes of data are already stored outside the corporation's network, often unencrypted, e.g. emails sent externally, backup tapes
  • Data sent externally, even where encrypted, will be decrypted and stored on external systems. It may not be disposed of securely
  • An organization's most valuable data is unstructured and stored in email and file shares (on servers, endpoints, mobile, backups)
  • Due to email, your most sensitive data already lives on and traverses the Internet daily
  • Most web applications still have the most basic cross site scripting and SQL injection vulnerabilities
  • Many systems are still vulnerable to default or simple passwords or are missing patches
  • Social engineering is still one of the most effective attack vectors. Coming through the front door is still good enough and easy enough
Still with me? At least for the 20% that matters? How about these:
  • Moving security controls as close to the sensitive data as possible makes sense
  • If the sensitive data is secured, then network controls, remote access and where the data physically resides matter a lot less
  • Five of the most effective security controls in most scenarios would be authentication, authorization, logging and monitoring, encryption and patching
Still with me? I would be surprised if many battle-hardened security professionals today disagreed with the general observations above. Still, having come all the way to the edge of the cliff, many will not take the leap to the logical conclusions.

Many startups today begin their life on the Internet. The required tools are simple, easy to access, easy to use and often free: collaboration, social networking, video conferencing, group messaging or social coding. Even the basics just work so much better than in large corporations. Email is fast and easily searchable; calendars and availability are shareable with anyone. Documents live in one place on the web, do not need to be emailed and can be worked on by anyone simultaneously. Endpoints and mobile can be whatever makes you most productive (e.g. Mac, Android, Ubuntu), and information and functions are easily accessible from anywhere in the world.

All of these services could be available to large corporations with reasonable security. The fear of putting data outside of the corporate internal network, the fear of staff you do not control, and the over-reliance on network controls and antivirus are major barriers. To even consider these business-enabling tools, security would need months of due diligence, weeks of evaluation, and the signing over of the vendor's first born in case something goes wrong. As InfoSec professionals we do not want to do the same boring, simple, cheap controls that make 80% of the difference. No, this is new and risky, so there must be a mountain of new controls, which we never had to deploy on internal networks because there was no business case. My favorite is when we pretend we are lawyers and are concerned about the liability and data jurisdiction restrictions. Why don't we assess the risk, put reasonable controls in place and let the business get on with it?

The thing we do not seem to realize is that for there to be any need for security there must be a business first. Many of the things that startups and consumers take for granted now are the small stuff. In the scheme of things, and if you subscribe to the above truisms, they are not the big risks to the business. By simply denying them or making it so hard for the business to do them, all we do is lose our seat at the table. They work around us or approach us too late to allow any influence. By working with the business on the small stuff that simply reduces the friction and allows them to compete in today's world, we have a far better chance at getting a seat at the table for the decisions that really matter.

2. Too much complexity

Most security professionals would subscribe to the view that increased complexity reduces security and increases the likelihood of vulnerabilities. Yet we seem unable to be comfortable with a Pareto level of security. An example: once we had a project to improve the supplier security schedules at a company. These are the legal clauses relating to security that go into contracts with suppliers. The organization recognized that they were a mess. There were too many different versions, they were inconsistently applied and had no relation to the risk posed by the supplier. There was a wise view that the internal policies and standards could not simply be applied to all suppliers in a legal contract, as they were not written for that purpose and any supplier that read them would not actually sign up to them.

Two security guys I respect a lot and I were tasked with coming up with a new security schedule to solve this problem. One of the guys in particular is quite brilliant; he recently told me "I have no idea what I would do if a company actually did the basics right. If they did passwords and patching, I would be lost. Everything else is just window dressing". I liked the cut of his jib. Therefore, we wrote a one-pager: just the absolute minimum security controls we could accept, with a simple, unambiguous four-step criterion for which controls would apply to which type of product / service.

Of course, being a large company, it then needed the dreaded review cycle. Every security, risk and compliance professional that reviewed it felt that their touch was needed; a critical security control that could not be lived without had to be added. Not surprisingly, at the end it was over 85 pages and completely unusable. The organization itself was nowhere close to compliant with it, and no way would any supplier sign it.

I think after giving so much ground and having security cut from initiatives, after having to battle to get funding for every security initiative, we now just shoot for the stars expecting to be beaten down. Being naturally risk averse and afraid of missing something, we ask for everything. The latest advanced persistent unicorns are defeating all our controls; we need new and advanced defenses. It does not matter if you are just doing point-to-point web services with mutual authentication. TLS is too old and not sexy. We need this cool message signing to defeat the evil Zeus and Stuxnet!

The role of security is not to get cool tools deployed. Most of the time the basics done well are enough, and applying the appropriate controls at the least cost and effort will get the business to engage more frequently and on issues that are more important.

3. Passing the buck

"I agree with some of what you wrote above, but at the end of the day I do not care. As long as the business accepts the risk, they can do what they want. I still get paid and do not need to stick my neck on the line."

This is just wrong.

Like a doctor or lawyer of old, be a trusted professional. A true expert. Think of a doctor faced with a complex and risky surgery or an experimental drug. You will not feel the consequences as the patient (the business) will, but like the doctor you are often the best positioned to make an expert recommendation. You will fail and make the wrong recommendation sometimes, but if you put yourself in the shoes of the business owner and use all your domain expertise and experience to make the best recommendation you can, would that not more often than not result in the best outcome for the organisation? Ultimately, it is still a business decision, like the patient's, and they may choose to ignore your recommendation. However, where we save our own arse and do not even make a recommendation, that is the biggest disservice.

We should be fighting for the big stuff and not sweating the small stuff. We should identify and focus on the big risks to the organisation and not get dragged down rabbit holes every time they occur. And they occur often. What could put the business out of business? There should only be a handful. What just helps the business get stuff done? These things are not without risk, but the risk can be managed with simple, cost-effective measures. This is not about passing the buck to the business but rather stepping up as domain experts and security professionals: accepting responsibility, sticking our necks on the line for the overall best outcome for the business.

Summary (TLDR;)
  • Apply modern attitudes to security. Internal is not safer than external these days. There is no reason that security should directly or indirectly prevent big companies from using services that consumers and startups use safely
  • Be pragmatic and reduce complexity. Resist the temptation to implement additional security controls just because it is a new service or a new control when the basics reduce the risk to an acceptable level
  • Use your expertise to make recommendations, not just get risk acceptances
PS: For anyone who subscribes to this blog, apologies for the lack of articles recently. I have been busy moving from London back to Melbourne and getting a new job. An article about what I have found effective in getting a security role will follow soon, and hopefully at least one a month after that.


Photo credit: ProtestPhotos1 on Flickr
