An Excerpt from UNSECURITY

Fight Fear and Breach Fatigue
Fear comes from a perceived danger or threat. Fear is exacerbated by ignorance, or the inability to put the perceived threat into its proper context. Fear is an intense emotion, and it gets tiring quickly. Maybe this is why we’ve grown weary of breaches. We’ve got breach fatigue, and some of us have just accepted fate; whatever that may be. We’re defeated, or at least we have a defeated attitude.

We can win this game though! Before we go too far, we need to take stock of where we’re at now. We don’t know the exact score, but we do have some indicators of what the score might be:

It’s hard to make a case that the information security industry isn’t broken. We used to be shocked by these headlines, but those days are gone. In a few cases, the shock has turned to anger, but where do we vent our anger? Maybe we give the mob someone’s head. We can force a few retirements and launch a few lawsuits. After the anger (or memory) subsides, we just start over again. Memories fade, but nothing fundamentally changes. The cycle plays over and over.

It’s Up to Us to Fix Our Problems
The primary audience for this book are my peers, the other eight hundred thousand-ish people in the United States who have carved out careers as information security professionals, and hundreds of thousands more across the globe. Why us? Because we are the ones who understand the game we play better than anyone else. We are the professionals, we are the experts, we are the team captains.

There’s a difference between information security professionals and the rest of the world. We don’t represent the norm. We think we do, but we don’t. According to CyberSeek (http://cyberseek.org/heatmap.html), we are part of a cybersecurity workforce, an elite group cybersecurity engineers, cybersecurity analysts, cybersecurity managers, chief information security officers, researchers, and penetration testers. We hold cool certifications like the Offensive Security Certified Professional (OSCP), Certified Information Privacy Professional (CIPP), Global Information Assurance Certification (GIAC), and Certified Information Systems Security Professional (CISSP).

We really are an elite force of awesome people with all sorts of different backgrounds, but one thing binds us together: we are all on the good team. We are all in this together, and it is time to pick ourselves up, look in the mirror, and get honest with ourselves. Together, we must sort through the problems facing our team. Each chapter in this book focuses on different challenges we must address, and offers ideas for solutions:

  • Chapter 1: We’re Not Speaking the Same Language—The information security industry is broken because we don’t speak the same language.
  • Chapter 2: Bad Foundations—The information security industry is broken because we build on bad foundations, or worse, without a foundation at all.
  • Chapter 3: Lipstick on a Pig—The information security industry is broken because we don’t get real with ourselves.
  • Chapter 4: Pipe Dreams—The information security industry is broken because reality is a hard pill to swallow.
  • Chapter 5: The Blame Game—The information security industry is broken because people don’t want to own it.
  • Chapter 6: The Herd Mentality—The information security industry is broken because people focus on others instead of themselves.
  • Chapter 7: Because I Said So—The information security industry is broken because people don’t want to do the right thing.
  • Chapter 8: Empty Promises—The information security industry is broken because we don’t commit and keep our word.
  • Chapter 9: The Money Grab—The information security industry is broken because money is more important than your security.
  • Chapter 10: Too Many Few Experts—The information security industry is broken because we have too many “experts” but not enough experts.

My Motivators
I care for people and hate cheating. I love winning and hate losing.

People are woven into fabric of everything we do. This may sound corny, but it’s the truth. If you love people, it makes you a better information security professional. We don’t protect data just for the sake of data. Behind every health record there’s a patient. Behind every social security number there’s a grandparent, parent, son, or daughter.

Deep down, I hate seeing people taken advantage of and I hate cheating. In our industry, there’s plenty of both.

Throughout this book I will refer to the information security industry as “our” industry. My foundational belief is that we’re all in this together. We must get started now, because we can’t afford to wait any longer.

Why We Must Fix the System
I don’t have a majestic Braveheart speech to rally the troops, but I do have several stories that illustrate why I care.

Mom-and-Pop Printing Company (M&P)
This story shows that when a large company flexes its security muscles without thinking it through, it can hurt good people.

M&P was a small, family-owned printing company in Phoenix with about sixty employees. It printed all sorts of materials for large companies,
and one extra big company—we’ll call it EBC—accounted for about 60 percent of M&P’s business.

One of the struggles facing this small company was that each of the large companies it served had its own specific information security requirements. You see, ever since the big Target breach of 2013—which accessed the retailer via its HVAC vendor—companies have made more of a point to do vendor risk assessments.

Some of M&P’s clients wanted an SOC 2 report, some companies developed their own assessments or questionnaires, and at least one large company wanted ISO 27001 certification. These requirements were an increasing burden for M&P, which was already struggling with being profitable due to razor-thin margins. The printer had to comply or risk losing business.

Everything came to a head when EBC changed the way it handled information security for its vendors. This company decided that instead of assessing risk, it would simply require all its vendors to install the same security controls that EBC used. Now, EBC had a multimillion-dollar budget for information security, and the number of its security staff alone exceeded the number of employees at M&P.

This put M&P in an impossible position, and the results were catastrophic. Because this small company could not afford to secure information the same way that the large company did—regardless of risk—the small company lost the business. The last I heard, M&P was forced to lay off more than half of its workforce.

M&P didn’t pose a greater risk to EBC; you could even argue that it posed a lesser risk. The small company simply couldn’t comply with the unreasonable requirements of the large company. I can only imagine the heartbreak felt by the owners of M&P when they were forced to hand out the layoff and termination notices.

Don’t be fooled into thinking that this sad story is an isolated incident. This type of thing happens more often than we’d admit.

Long-Term Care Organization (LTC)
The information isn’t yours, but it is.

LTC was a fast-growth company with a real track record of success as defined by market share and revenue. Management had a “growth at all costs” mentality, and information security was but an afterthought, or simply a box that needed to be checked. LTC had grown primarily through innovation and acquisitions.

Occasionally, a business partner or board member would inquire about information security. After all, LTC held millions of sensitive health records belonging to various downstream customers. To satisfy the occasional requests, LTC decided to do periodic Information security assessments. To the outsider, LTC appeared to run a tight ship.

Things were not as they appeared, however. Information security was treated as an IT issue, not a business issue. When LTC’s information security personnel reported that the company’s risk assessment was ranked “very poor”—450 on a scale of 300 to 850—the executives failed to take it seriously. The attitude among executive management was that the information security team was composed of paranoid people who continually said no. They were the “no” people and didn’t understand how LTC’s business operated. You’d think that a “very poor” risk assessment would be enough to motivate executive management to put better practices in place. You’d be wrong.

The motivation of LTC was never to be more secure. Its motivation was to do the least amount of work and spend the least amount of money possible to appease anyone who asked about its security. The common question was “Do you do periodic information security assessments?” The answer was “Yes.” Nobody asked if the company improved security as a result of any assessment. Did they do an information security risk assessment? Yep. Done.

The company handled millions of sensitive health records for people living in long-term care facilities. If the company suffered a breach, who suffered? The information belonged to the people living in LTC’s facilities, yet they had no say in how their information was protected.

This is BS.

Large Distribution Company (LDC)
Ignorance is no excuse, and it’s not defensible.

LDC never gave a second thought to information security beyond a firewall and some passwords. The only reason passwords were a thing is because the computers came with them. LDC never thought it’d be a victim of an attack. Its logic was that it had nothing that an attacker would want, so why bother? It didn’t have any credit card data. It didn’t have any health data. Security wasn’t a concern whatsoever.

Information security wasn’t an afterthought for LDC; information security wasn’t a thought at all.

One day, weird things started to happen. Whatever. Then a few weirder things happened. Whatever. For the next month, weird things continued to happen—things like unexplained network and server performance fluctuations, missing files, new user directories, and user accounts that nobody recognized or claimed to have created. No matter. Whatever.

One Saturday, the CIO got a text from the company’s president. Saturday? That was odd. The text said, “Just got a call from the president of Big Customer. They’re claiming that we’re sending them phishing emails. Do you know anything about this?”

Big Customer (BC) was LDC’s largest customer. BC decided to block all emails from LDC because of the high volume of phishing attempts.

This time LDC decided to act, because it had no real choice in the matter. LDC called an information security consultant to investigate. Within fifteen minutes the consultant found a remote access Trojan (RAT) on a domain controller. A closer look revealed an active reverse shell to a source in the Czech Republic. Ugh!

Then the consultant found six additional RATs, other malware installed in countless places, compromised user accounts, and unexplained files everywhere. I guess that explained the weirdness. Oh, and it looked like the bad team made off with nearly a million dollars stolen through a series of unauthorized ACH transfers. ACH is short for automated clearing house, an electronic funds-transfer system run by the National Automated Clearing
House Association (NACHA).

We shake our heads. Stories like this one tick us off. Some jerk took off with almost a million dollars that could have been spent to grow the business, pay employee bonuses, or whatever. Instead, the money is gone, and the bad team can reinvest a portion of it to enable better future attacks on others.

Could LDC have made this any easier?

This was a case where nobody was responsible for information security. Would you believe after this breach that executive management and ownership still debated the value of information security? They did, and it’s sad.

The Prognosis
Depending upon how deep we want to go, we can find millions of flaws in our industry. We should not get bogged down in the minutiae, though. One of the telltale signs of an experienced information security analyst is the inability to put things into perspective.

We also need to keep our pride in check, look at ourselves honestly, and fight our bias. Introspection sets good security people apart from great security people. Great security people are introspective geniuses. They look for solutions to their problems within themselves first, before they point fingers at others.

Some truth and encouragement before we move on: Not all is doom and gloom. There are many good things about our industry. Unfortunately, due to the nature of our work, it’s easier to find the broken things because they stick out. But we have thousands of smart, dedicated, and talented people working in our field. We spend millions of tireless, thankless, and selfless hours protecting people we will  never meet. Some of us are innovative, selfless, and passionate. This core of strength and integrity gives us the courage to address our problems and to improve our industry for the sake of everyone.