I keep asking myself, why do we still see sensational data breaches almost every week? Are attackers really that much smarter than the good guys?
The short answer is, no, they’re not.
Attackers win because the good guys do a lousy job of defense. The good guys are so bad because nobody presents cyber-security to busy decision makers in a manner they can digest. Clueless, our leaders throw it over the wall back to the IT staff, but with minimal support, because we haven’t convinced them that IT should be an asset, not an expense. So, everyone makes the same mistakes, over and over and over again, and that’s why our private information is up for sale on underground websites.
If we want to beat cyber-attackers, we have to break this cycle. We need to lead our leaders.
Start by presenting security in a manner busy decision makers can use. I distilled it down to a six-word rhyme everyone should take to heart. I don’t know how to make it any simpler.
Care and share to be prepared.
In part one, I made the case why everyone should care enough about cyber-security to take action. Here, I’ll make the case for sharing. Warning: It’s radical. Here it is. Organizations should make all their security practices public. Publish it. Present it at conferences. Subject it all to peer review and scrutiny. Stand up in front of audiences and defend it. Answer questions. Listen to public criticism. Make changes. Rinse and repeat. If an attacker steals personal information about millions of people from your organization, fess up, share what went wrong, in detail, and the plan to get better. Operate in the open.
Am I nuts? I can hear the objections already. How in the real world does it make sense to share security tactics? Shouldn’t that stuff be among the most closely guarded secrets of any organization? Doesn’t sharing it give proprietary knowledge away to attackers?
Here is another short answer. No. Opening up about how we do security doesn’t give away anything. Attackers already know this stuff. Attackers spend all day probing and all night comparing notes to improve their probes for the next day. Bad guys collaborate. Good guys don’t. Is it any wonder industry and government are such easy targets?
Don’t believe me? Forget high-tech for a minute. Take a look at a tidbit of history.
Alfred Charles Hobbs was a famous locksmith in the mid 1800s. In 1851, he embarrassed British lock makers by picking their best locks during London’s Great Exhibition, forcing manufacturers to design better locks.
Hobbs’ work led to a book, “Rudimentary Treatise on the Construction of Locks,” edited by Charles Tomlinson and published in 1853. Take a look at what Hobbs had to say, before most of our great-great-grandparents were born, starting near the bottom of page 2:
A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by shewing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and they know already much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock—let it have been made in whatever country, or by whatever maker—is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to be the first to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.
Sound familiar? In today’s world, Hobbs would be an Internet security researcher.
Still not convinced? I’m publishing this on Saturday morning, Dec. 16, 2017. Here are a few articles about data breaches or their consequences over the past week. Not the past year. Or the past month. The past week. Plus one more from eight days ago about a company that should have known better.
- Dec. 15, 2017: Millions of California voter records exposed in unprotected MongoDB
- Dec. 14, 2017: Cryptocurrency Infrastructure Flaws Pose Bitcoin Risks
- Dec. 11, 2017: Data breach exposes PII of 700 Texas school children
- Dec. 11, 2017: Report: Russian Hackers Target Banks in US, Britain, Russia
- Dec. 8, 2017: Henry Ford Health System data breach compromised data of nearly 20,000 patients
- Dec. 8, 2017: Stanford University school’s chief digital officer leaves role after data breach
- Dec. 7, 2017: Uber paid Florida hacker responsible for breach $100K through bug bounty program
How’s the way we’re doing things today working out? What was the definition of insanity again? Maybe I’m not so nuts after all.