Breaches Gonna Happen

Two simple tests tell me whether someone does or doesn’t get infosec.

The First Test: Do you think your systems will ever suffer a breach?

If you say yes, if you assume there’ll be a breach, sooner or later, because nobody is invincible, then in my book, you get infosec.

If you say no, because you think nobody could get past your infosec solutions, you don’t get it. You’re adding to the risk if you think you’re invincible.

The best infosec people assume a breach will occur. Certainly, they strive to prevent a breach, and to detect and contain a breach rapidly if one occurs, and to recover rapidly and thoroughly, but they never assume they’re invincible.

The people who worry me most about infosec are the ones who think that any breach means someone needs to be fired or something needs to be replaced. These are the people who play the blame game: if something goes wrong, there must be someone or something you can blame (other than yourself, of course).

Take, for example, the flap over Symantec anti-virus and the New York Times breach. The New York Times got hacked, and Symantec’s anti-virus tools didn’t stop it. One of the sure signs that someone doesn’t get infosec is that they think an anti-virus tool should make them invincible. I’ve never heard an anti-virus provider make that claim. If the Times thought an anti-virus tool should be 100% successful against 100% of attempts, shame on them for dangerously naive security planning. It’s like thinking that a lock on your front door should prevent all crime against you.

As reported so far, Symantec tools captured only one of the 45 pieces of malware that had invaded the Times – but was that because the malware was delivered where anti-virus tools weren’t deployed or involved? Were the anti-virus tools misconfigured or out of date? Was the malware customized not to match known virus signatures? Were there ways for the Times staff to bypass virus checking? Was it the only tool in the toolbox? Back to the door lock analogy: if there’s a crime in my house, I wouldn’t blame the front door lock until I determined that’s where the criminal got in, and that the lock had been properly locked. Even then, if the criminal got in through a locked front door, I wouldn’t declare it’s time to stop using door locks.

If it turns out that the anti-virus tools at the Times were thoroughly deployed and properly configured, and the attacks got through only because they didn’t match known anti-virus signatures, that confirms what people who get infosec understand very well – that anti-virus tools alone aren’t enough. If the anti-virus tools are indeed catching lots of other malware, they’re still serving a purpose, but failure to stop this breach doesn’t mean it’s time to throw out the anti-virus tools.

The Second Test: Do you think infosec decisions are business decisions or technology decisions?

My second test is as important as the first: Is infosec a business decision or a technology decision?

If you think it’s a business decision, you get infosec. If you think it’s a technology decision, you don’t. No tool is universally the right answer; business matters drive the selection and usage of tools.

The “IT knows best” crowd – or, one might say, the “shut up, it’s good for you” crowd – thinks technologists should decide which solutions to enact and how to configure them. Sometimes, IT people are the ones with this attitude, but sometimes it’s management: the managers who dismiss infosec discussions as icky techie stuff, so they wash their hands of it and leave it to the technologists to magically render the organization invincible.

Is this what happened at the New York Times? Did management fail to view infosec from a business perspective, and then they were astonished when the security tools in place didn’t match up with business needs? The fact that the Times is looking for someone or something to blame suggests to me that management at the Times doesn’t get infosec.

Infosec decisions are business decisions, based on impact and likelihood. The potential breaches that have the greatest impact – from the organization’s perspective – and the greatest likelihood, need the most thorough protections. The potential breaches that have the least impact and the least likelihood don’t need the most thorough or costliest solutions, and in fact you’re wasting your resources if you overdo the security in those areas.

You can pass the tests with or without an infosec or IT background

You can pass both of my tests whether or not you have an IT background, and whether or not you have an infosec background. You don’t need to be an expert to understand that breaches are always possible, or that infosec decisions should be driven by the organization’s needs and not just by technical matters.

What really led to the breach at the New York Times? The reports so far don’t say, but there are multiple possibilities:

Management gets infosec, infosec staff gets infosec: The infosec environment was good, but management and staff both understood that no solution would be 100% effective every time. They’ve got work to do to recover and adapt, but they understood a breach was always a possibility. They’re not blaming a tool failure until they find out that’s really the culprit.

Management doesn’t get infosec, infosec staff gets infosec: The staff did the best they could without much help from management, and they knew a breach was entirely possible, but now management is fishing for something or someone to blame.

Management gets infosec, infosec staff doesn’t get infosec: The staff did a poor job of delivering an infosec environment that matches business needs. This breach might have been preventable, if they had delivered a better environment. Management would get after the staff for poor execution, and wouldn’t single out one tool as the cause.

Management doesn’t get infosec, infosec staff doesn’t get infosec: It’s no wonder this breach occurred. Management and staff together thought that as long as they deployed some anti-virus tools, this kind of thing couldn’t happen. Of course they’d try to blame the anti-virus tool for their problems.

We may find out more later on, but for now, trying to blame the anti-virus tool at the New York Times suggests that somebody there doesn’t get infosec.
