The recent Ashley Madison hack isn’t the only high-profile one to make headlines this summer. The personal and private information of more than 21.5 million current and former federal employees and over a million unique fingerprint scans were leaked in an attack on the Office of Personnel Management (OPM) that is believed to be the work of the Chinese. Government officials said longtime security lapses left the OPM vulnerable to hackers. As a result of the OPM hack, Director Katherine Archuleta has been forced to resign.
Why do we keep reading about a litany of breaches? Don’t cyber pros understand they are looking after our most sensitive personal data? Yes they do, but to understand their actions demands a more detailed examination of the psychology of security from the perspective of the security professional.
Archuleta is guilty of following protocol — doing what everyone before her did and not waking up to the reality of the threat. Her inability to deal with a complex cyber landscape is mirrored elsewhere in the government, which is stricken with the “double whammy” of low budgets and the difficulty of retaining highly skilled security professionals.
Oddly, Archuleta maintained to the end that OPM was better off because of her leadership, but it was shockingly clear that this organization was absolutely outclassed by its attackers.
Sure, OPM had bought all the “standard stuff.” They have a fancy proxy, a whizzy “next gen” firewall, and even the latest in intrusion detection systems. They cripple their end-user devices with traditional AV and a glut of other detection capabilities. But the bad guy got in. Why?
There has been a sea change in the attack landscape over the last year. Seventy to 90 percent of malware used to target an organization is unique to that organization, and today’s defenses have no hope of detecting it. But still we spend.
When I met with the CISO of NATO he told me his organization’s response to this reality: “We have to have two of everything from different vendors.” I asked if he could quantify how much more secure his organization is, given that it has doubled its cost. His answer was the same as Katherine Archuleta’s when asked how the attackers compromised OPM: “I don’t know.”
Never trust a PC or mobile device. BYOD is a disaster waiting to happen.
Remember the old saying in corporate America: “No one ever got fired for buying IBM”? IBM was trusted as the de facto standard in the enterprise. If it seems to be working, why change? The problem here is that cyber-security appears to be “working” until, horrifically, it isn’t, and we read about yet another woeful breach of critically important information.
It is crucial to realize that the products that claim to protect today’s IT infrastructure don’t work as promised. Probably the only reason that your organization has not been in the headlines is that you’re a bit luckier than OPM. Or perhaps you haven’t noticed yet that your infrastructure has been infiltrated.
The security industry will sell more than $60 billion of products this year that have no possibility of ever living up to the bombastic claims of the vendors. But still we buy them. Fear, herd mentality, best practice? Doing what’s needed to remain compliant and keep our jobs? Isn’t the security of our employees, customers and citizens worth more?
It’s time to break the cycle and fundamentally fix our leaky infrastructure, and every CIO and CISO has a responsibility to deliver security — more security than PCI requires. Because having passed a PCI audit didn’t help Target much.
It is time to recognize the psychology of our insecurity. We need a stronger mandate than regulation and the occasional public shaming of a clueless leader of an organization chartered with guarding vital information. We need infrastructure that is secure by design. There is no army of “cyber experts” big enough to pick through the haystack of alerts, trying to find the attack that actually penetrated the enterprise.
A horrifying 80 percent of security spend in the coming year will be on traditional perimeter security products (products that are only effective on one-third of the threats, at best). We are under targeted attack and are rolling out pop guns in our defense.
Your organization does not have to fall prey to the fatalism of the “you’ve already been breached but don’t know it yet” set.
Often I learn that CIOs and CISOs know that the technology they use to try to secure the enterprise is not up to the job. They just don’t know what to do instead. The answer is actually amazingly simple —“move forward.” Adopt cloud infrastructure for your back-end servers as quickly as you can. It is much more secure than anything you could operate.
Adopt micro-segmentation for your networks. Adopt the latest endpoint OS (specifically, get ready for Windows 10). Crucially — never trust an endpoint. All PCs should live on a separate network, outside the enterprise, with no direct access to the core network. Never trust a PC or mobile device. BYOD is a disaster waiting to happen.
At the highest level, understand that the best solution requires a mix of technology and human creativity. Coming from this place of truth will minimize your exposure through creating a security culture and approach that’s not in search of a silver bullet. Think like a hacker. If you can’t afford to hire a team of hackers to break and test your systems for vulnerabilities, look at outsourced bug bounty platforms like HackerOne and Bugcrowd.
Your organization does not have to fall prey to the fatalism of the “you’ve already been breached but don’t know it yet” set. Those are the narratives of executives who know they are failing and seek solace in collective failure. Securing your infrastructure is within reach, but the irony is that it doesn’t need more money. What it does need is more creative thinking.