
Side Glance: Security

The law is not thrust upon man; it rests deep within him, to waken when the call comes.

Martin Buber, Israel and the World

Do not weep. Do not wax indignant. Understand.

Baruch Spinoza

I was once accidentally given some classified information in my government job. I had been at a breakfast meeting where one of the attendees had passed around copies of a presentation that inadvertently included something that was classified. Since most of us at the meeting didn’t have a need to know that information, and since in any case it wasn’t appropriately marked as classified, this was considered a spill and had to be cleaned up immediately.

An hour or so later, two men showed up at my office in dark suits and carrying briefcases. They asked me to hand over the slide deck, asked a few questions about whether anyone else might have seen it, carefully slid the material into a briefcase, and left without—I noticed—smiling or making any jokes. This incident fit my stereotype of what information security would be like. It was the only incident in my career that did.

Yes, information security is a major risk today. But it’s important to go beyond the hype and the disaster stories. These can easily activate an availability bias—that is, a bias that the examples that come quickest to mind are more representative than they actually are. The newspaper articles and some email news blasts you read might give you the wrong impression of how big the risks are or what exactly is at risk. To Spinoza’s advice at the beginning of this chapter, I would add: do not panic.

As for how big the risks really are—well, actually they are very big. Your technologists probably don’t tell you every time a hacker tries to break into your systems, because it’s probably happening dozens of times a day.* Fortunately, most of their attempts don’t succeed.

But I can’t emphasize this enough—you’re under constant attack, whether you’re a charity, a scholar of Napoleonic military campaigns, a bank, or the Department of Homeland Security. This means that you must constantly be taking steps to stay secure. Security is not something you can add whenever threats arise. Every bit of digital technology you deploy must be built to be secure, and every business process must be examined carefully with an eye toward its security.

Now for the good news. Most successful break-ins are not sophisticated. The security vulnerabilities they exploit come from stupid stuff. Many can be solved through what amounts to basic hygiene or simple automated controls. While the digital age exposes you to more threats, it also provides tools for dealing with them. The difficulty comes when you try to address new threats with old tools or when you consider security to be the job of a few supergeeks in IT, an issue no one else needs to worry about.

Since bad actors generally attack us over the internet, traditional security models have often focused on the point at which the enterprise’s network is connected—thinking of it as a door that must be locked tight and monitored at all times. Or, in the militaristic lingo that’s used, the place where you conduct your “perimeter defense”—often by building a demilitarized zone between your network and the internet.

One challenge of perimeter defense is that it’s hard to tell the difference between malicious traffic coming from the internet and the valid traffic that constitutes your business. Another is that such a defense doesn’t provide adequate protection against malicious insiders—employees or contractors, for example—who legitimately have internal network access. Ultimately you want to always be prepared to deal with any dangerous case—if somehow a bad actor does sneak through your DMZ and into your network, what then? Are you helpless?

I’m going to propose a simple program for becoming secure in the digital age.

  1. Create a culture where security is considered important.
  2. Stop doing things that make it easy for bad guys to attack you.
  3. Rely heavily on automation, because people make mistakes.
  4. Be prepared to respond quickly to new threats and bad activities.
  5. Then have the security geeks take care of the complicated stuff.

That’s all, but please make no mistake about it: security is your job and everyone else’s, not just something the IT department deals with.

Let’s start with some basic concepts. Generally, we think in terms of three goals for information security, easily remembered by the acronym CIA: confidentiality, integrity, and availability.

Confidentiality—The information in your systems should only be available to those you want it to be available to. Bad guys want to steal your confidential information—your customers’ credit card numbers, your secret product designs and business strategies, and details of your IT infrastructure that they can use to cause additional mischief.

Integrity—The information in your databases should remain accurate and your systems should continue to do what they were meant to do. The bad actors would like to make your IT systems do bad things or change your data, have money sent to their bank accounts, allow terrorists to get green cards, remove evidence of their criminal convictions, deface your website.

Availability—Your systems should function and be available for legitimate users to use. Hackers want to interfere with your systems, delete your data unless you pay them a ransom, bombard your servers with traffic so they’re too busy to do legitimate work, block you from communicating with partners and customers.

Your goal is to secure confidentiality, integrity, and availability. As a side note, it’s not only the actions of external attackers that can keep you from this goal. Someone in your organization might accidentally email confidential information to people who shouldn’t have it. Bugs in your code can send money to someone who doesn’t deserve it. A flood might wipe out your datacenter. Or a system might crash when you have no backups and thereby keep you from doing business. You should consider all of these events—anything that can affect CIA—as security threats.

It’s useful to divide the bad guys into two main groups: the so-called script kiddies and the professionals. Or, more accurately, the hackers who look for easy victims, and those who are absolutely determined to do whatever it takes to hack into your company. The latter category is often referred to as advanced persistent threats (APTs).

By far the majority of hackers are in the first category, and their job is pretty easy. There are so many internet-connected networks that they can just use easily available automated scripts to search for the companies that have made things easy for them by exposing vulnerabilities.

Hackers of this sort are constantly scanning the gates of your network looking for a way in. They might, for example, be checking to see if you’re running an old version of a software product known to have vulnerabilities. Defending against them is a matter of hygiene—that is, adopting good practices that are widely known.

But the APTs are a different breed. They’re brilliant problem solvers, sometimes state-sponsored, and the problem they are trying to solve is how to break through your security controls. They’re willing to put considerable effort into it. They might, for example, research your company’s executives—perhaps even spy on them. Then they might use the information they gather to craft very legitimate-looking spear-phishing emails that seem to come from a friend or spouse and relate to a topic relevant to the recipient. That email might have a link that appears plausible but, when clicked, installs malware onto the computer that, in turn, throws open the door to your network. You get the idea.

The APT is in it for the long haul, willing to do research, stealthily and slowly exploiting opportunities, and leveraging any foothold it gets on your network until it becomes a large-scale breach. And they are adept at covering their tracks as they do this.

You want to completely stop the wannabe hackers, make things really difficult for the APTs, then make a business decision about how much more expense and effort to put into guarding yourself against the most dedicated and smart hackers, and in which areas.

Security is part of the service that you deliver to your customers and a responsibility you have to shareholders. It’s a requirement of doing business. It’s the job of marketing and sales, who are making an implicit promise to customers that they (you) will safeguard their personal data while providing a service that continues to function. It’s the job of the CFO, who is managing risk for the company. It’s the job of operations, for the company must be able to continue to do business. And, of course, it’s the job of the CIO and CISO.

It’s tempting to think of security as something that is outsourced to the IT department, but in fact everyone must participate and be willing to devote effort. Investments in security are not investments to meet “IT’s needs”—they’re to meet your business’s needs, with IT acting as a steward. Employees understandably squirm at constraints on their freedom, with their natural inclination being to resist any security rules. But in the digital world, security absolutely must be part of doing business, implicitly written into every employee’s job description. Everyone in the enterprise should collaborate in building a culture of security.

Enterprises are remarkably good at doing things that hackers can exploit. At USCIS, we had our auditors call employees, pretending to be from the IT helpdesk and asking for their passwords. Many obliged. The auditors wandered around our office in the evening, finding sticky notes with employee passwords and documents with personal information on their desks. Think about this: hackers can easily find exploitable information by “dumpster diving” through your company’s trash or by reading your employees’ Facebook posts.

Dumb mistakes are common within IT as well. There is a well-known, top-ten software vulnerabilities list, yet developers continue to include these types of defects in their code. They also often don’t patch old versions of open-source software with vulnerabilities (see Figure 7: Vulnerable Downloads Per Month). And it’s easy for an IT employee making manual changes to “fat finger” a mistake that creates a vulnerability. Worse, IT organizational silos have led even developers and operators to think of security as a job only for the security specialists.

We must reduce the number of these mistakes by creating a culture of security across the entire enterprise.

The good news is that a lot of what makes for good security is free, or nearly so. It just requires intent. It also helps to think of security as an aspect of quality, a security vulnerability being just like any other defect that needs to be fixed. Instead of reactively dealing with security threats as they arise, the enterprise should be building its systems and conducting its operations with security built in, just as it strives to build in quality.

The Rugged Software movement promotes such an approach for software development. In its manifesto (of course it has a manifesto!), the rugged way of thinking is defined this way:

“Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software. Rugged organizations use competition, cooperation, and experimentation to learn and improve rather than making the same mistakes over and over. Rugged organizations also actively seek out threats and create defenses before they are a problem.2

The Rugged movement proposes that organizations change their way of thinking about security. Instead of reacting when threats and vulnerabilities are discovered, a rugged organization makes its systems defensible against any kind of threats that might emerge in the future.

While this might sound impossible, Rugged points out that it’s largely a matter of commitment. Much of security is simply about developing good habits, like washing your hands. It might seem inconvenient at first, but it quickly becomes ordinary hygiene and, when it does, it can be virtually costless.

In the spirit of erasing boundaries between IT and the rest of the enterprise, I suggest that we extend the idea of rugged software to everything your enterprise does. Security should be built into business processes as well as IT systems. It should be a way of doing business, not a set of defenses that are added.

Automation helps solve many security issues. Code can be tested automatically for security flaws. Open-source products with known vulnerabilities can be identified by automated scans. Automated controls can be placed in cloud environments to enforce security policies and check for common vulnerabilities. Automating certain business processes can also improve security: for example, when an employee leaves a company, all of their IT accounts should automatically and immediately be deactivated.

When a security incident does happen, your organization must be able to detect and respond to it quickly. In the traditional approach, security experts sat in front of screens with dashboards and monitoring information, looking for evidence of break-ins. Increasingly, this kind of monitoring and detection is automated, as is the response to detected incidents.

Information security is indeed a complex area, and you need the help of the supergeeks to master it. But all of their efforts are in vain if the rest of the organization isn’t committed to customer security and doesn’t take basic steps to preserve it. The company must also be willing to invest in security—not because IT asks for it, but because it is essential.

The goal of the organization isn’t just to enforce security and compliance, but to remain fast and nimble while doing so. With automated controls in place, employees can work quickly, secure in the knowledge that controls are keeping the enterprise safe and compliant. Once again, speed and agility are the important risk mitigators. But let’s not allow that arm’s-length relationship between IT and the rest of the business to fool us into thinking that security is something only IT worries about, because that opens a huge gap through which the bad guys can slip.

* According to an IBM study, forty-six times per day.1

A fourth is sometimes added—nonrepudiation. This means that if someone “signs” a transaction they can’t later deny that they did so.

You are. See Figure 7: Vulnerable Downloads per Month.