Security Myopia and Brushes with C-Level Insanity
Over the past few years, I've read many articles bemoaning huge losses due to corporate security incidents. I would often ask myself, "How could this have happened?"
After recently attending a security conference, I believe I've found the answer.
I sat in a room full of members of the C-suite. For those not up on current jargon, these C-Level folks are our CISOs, CIOs, SOs and so on. As we went around the room and heard from each member, I was nearly sickened by what I heard.
When asked about the architectural approach to creating a secure environment, they were clearly five years behind the curve. Proof of that came from one CISO that convinced himself that MySpace didn't lose a cent when user provisioning failed. He was steadfast in his belief that losses associated with provisioning were much higher for his brick and mortar organization than for Web 2.0 platforms.
One individual stands out in my mind, though. With pride, he stood up and described how his organization just deployed this great appliance that would alert him when it saw a "bad packet". He went on to say that it had 3,200 signatures for known "bad packets" which was better than the others he tested with detection for roughly 800 "bad packets".
The poor guy was still hooked on blacklist technologies. At that moment, it dawned on me that the C-suite was dangerously unaware of the threat landscape. Moreover, it was blind to what is waiting for them just around the bend.
When it was my turn, I stood up and said that I was going to throw out antivirus, stop patch management, throw my IDS equipment into the nearest river and I was no longer going to deploy or manage endpoints. After all, why should I when everyone on Earth has a device capable of reaching the net?
Gasps erupted around me. Some even became visibly angry, and when they boiled over, they called me insane and accused me of "thinking too far into the future."
But was I really? Am I insane?
Traditional Tech Struggles with Today's Threats
Let's take one example. It's no secret that signature-based antivirus has been ineffectual for at least two years. Right now detection rates sit around 30 percent of known malware. But let's come clean about the dirty little secret that most people don't know.
There is no official measurement for Trojans in the antivirus industry, so we know that things are much worse than the 30 percent reported. In addition, most, if not all of the malware I've analyzed over the past year has had undetected Trojan capabilities.
But to be fair, you can't entirely blame the C-suite for its ignorance. Legislators and vendors share in it equally.
You have legislators with good intentions in mind when they pass things like HIPAA (we can discuss PCI another day). The toxic side effect is that it requires organizations to deploy marginal technologies. Vendors, who are going to capitalize on this, are going to continue to generate revenue from regulations that address the symptoms instead of the root cause.
So at the end of the day, decision makers end up doing all the wrong things for all the right reasons. Legally, they have to comply with regulations in order to pass the checkbox audit.
What I do blame the C-suite for is their severe lack of vision.
These executives, by definition, are supposed to be able to spot future trends and guide the organization in the right direction today so that it is equipped to deal with the new threat landscape of tomorrow. Based on what I saw, the outlook for many organizations is grim especially when criminals already understand the power of software as a service (SaaS).
Never Underestimate the Power of Denial
It's no secret that an organization can't turn on a dime. I think of organizations in the same sense as the Titanic. It's an ungainly, oversized boat with an undersized rudder. If you don't start to steer long in advance, there is no way to avoid the iceberg. The longer these folks deny that huge changes are just around the corner, the greater the chance that their organizations will clip an iceberg.
So, what tipped me off that it's time to rethink everything we do as security professionals?
Not long ago, I handed over a set of iPhones to my teenage girls. Soon after, I noticed that they no longer used the expensive laptops they forced me to purchase for them. Going further, I noticed that even cornerstone applications like Microsoft Office were no longer useful to them. I knew right then that computing, networks and endpoints as we know them are going to change radically and soon.
Over the past few months, I saw that the majority of their data was no longer stored locally either. It was parked on sites such as Google and Photobucket where their friends could collaborate. The applications they used most were not developed by Microsoft, rather, by users who had access to Google's APIs. Since they are using devices that do not support antivirus on the endpoint, Google has added it on the server side, for a whopping price of 25 cents a month.
This proved to me that users today are not limited in their view of what a network looks like or what a software developer is. Mind you, these are the same users that are soon to enter the workforce, if they haven't already done so.
Most of us old school security pros have a hard time letting go of our conservative ways and traditional beliefs. I too am guilty of this illness but witnessing this has put me on the road to recovery.
Article courtesy of Datamation