The Best Computer Security Lesson I Ever Learned


There’s never a lack of things to worry about in the computer defense industry. Nope, things are coming at us like an avalanche of new problems. Last year, we had over 12,174 software and firmware vulnerabilities (https://www.cvedetails.com/browse-by-date.php) we are told we need to patch IMMEDIATELY. One-fourth to one-third of those are ranked with the highest criticality (https://www.cvedetails.com/cvss-score-distribution.php), meaning that if they are successfully exploited, the attacker can take full control over the device they are executed on, or perhaps the entire network, in short order. On top of that, most have “low complexity”, meaning they are fairly easy to execute (i.e., you don’t have to be a rocket scientist to do them). And that is on top of hundreds of millions of malware programs and all the hackers trying to break into your organization, including financial criminals, nation-states, and teenage hacker gangs. There is no lack of threats.

Our defenses are always porous. Each of us is protecting our imperfect environment hoping that a hacker or his/her malware creation doesn’t try door number three, where we know our defenses are lacking. I’ve never spoken to a computer defender who didn’t believe that their defense was essentially a house of cards waiting to collapse under the right hacker probe. We are given an impossible problem – defend everything – with finite resources and a severe lack of authority. We could protect everything fairly well if only they would let us, but we are often handcuffed in what we can do. Security can’t get in the way of business.

What most of us spend our careers doing is trying to decide on which threats we really need to focus on, and which aren’t as important. The single best computer security lesson I ever learned was from Bruce Schneier (https://www.schneier.com/). Bruce is one of the true industry luminaries and almost anything he says is gold. If you don’t regularly read his blog and you care about computer security, stop what you’re doing now and subscribe. There absolutely is no better person to learn from. I would not be half the computer security thinker I am today without his guidance. Bruce has written a ton of books and taught millions of people around the world. He’s been on government panels, on all the big news shows, and been the invited guest to so many blue blood universities that he probably can’t name them all. Needless to say, Bruce teaches a lot. He has the best ability to clarify what the root cause issue of something is and to cut away all the bull crap better than anyone I have ever seen. Bruce is clarity. What he says often takes a decade to become everyday wisdom.

But the single best thing he taught me was probably nearly two decades ago, when he responded to the latest found SSL vulnerability. At the time, the world thought SSL and HTTPS were the epitome of Internet security. We couldn’t even fathom today’s world, where over 90% of all malicious websites are protected by HTTPS. At the time, HTTPS (using SSL) was thought to be “just what the Internet needed” for “good security”. If you had SSL enabled, well, you were as safe as you could get.

Then one day, yet another SSL vulnerability was announced. I forget which one it was, but it created quite the stir not only in the computer world, but in the world at large. It was one of those hacks that ended up getting wide-ranging news coverage. The world’s computer security experts were busy giving interviews, each trying to outdo the other in describing how bad the problem was. It wasn’t just an SSL flaw, it wasn’t just a temporary Internet vulnerability which would be patched like all the others so life could go on. Nope, this was digital Armageddon and the whole Internet was irrevocably broken forevermore. There was a lot of hype and FUD going on.

And then I read Bruce’s quote. I’m sure I’m somewhat paraphrasing it here… I don’t remember the exact quote, but when asked about the SSL flaw, he said something similar to this: “If SSL is your biggest security problem, then you’re doing a lot better than most other computer security people.”

It was the first time I had heard someone take a “top, critical threat” and put it in its appropriate global context amongst all possible threats. Bruce was pointing out the obvious fact that almost no real attacks by real hackers exploited SSL. Back then, most of the successful threats were computer viruses, unpatched software, and social engineering. Yes, the SSL threat was concerning. The Internet was relying on SSL and its “lock icon” status in a browser to give everyone a sense of security, but it really wasn’t being exploited by bad guys all that much. Bruce was saying that if the SSL flaw was what you were concentrating on, to the exclusion of all your other outstanding threats that were truly more likely to be exploited, then you must already have all the other stuff that most of us are dealing with under control, and that would be a great thing.

Really, what Bruce was pointing out was that likely no one (or few of us) had all the other, more likely to be exploited, stuff handled 100% effectively, and that we should concentrate on those things first and best before getting all worked up about an SSL flaw unlikely to be exploited broadly.

It was the first time I had heard computer security risks measured against one another and assessed for how likely they were to actually be exploited, to help determine real risk and what to concentrate on first. It was an epiphany! I’ve since had other epiphanies from what Bruce has said or written, but this one sticks out in my mind as the one that has singularly impacted my computer security life the most. It has guided everything I’ve done ever since. It guides every decision I’ve made since. I ended up writing dozens of articles on it for InfoWorld and CSO magazines over the 15 years I was the weekly security columnist (https://www.infoworld.com/blog/security-adviser). I wrote a white paper for Microsoft on it (https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a) when I worked there, and eventually, I wrote what I consider my magnum opus book, A Data-Driven Computer Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847). The book contains a lot of other lessons and recommendations I’ve learned in my 33-year career, but the foundation is the relative risk of different threats.

In a nutshell, the first goal of any computer security professional in charge of a defense is to figure out which of the thousands of threats they need to concentrate on first and best. Don’t get caught up in all the doomsday hype that is trying to drive your behavior into buying a product or responding to the latest threat. Every time someone says you need to react to the latest threat, take a step back and ask yourself, “Do I really need to worry about this?” That’s what I do with every single newly announced threat. And I know it makes me a better computer security person and defender.

One of my favorite examples is RFID credit card crime. The world is telling everyone that we need to be worried about thieves with wireless RFID scanners that eavesdrop on our RFID-enabled credit cards, and now a billion-dollar industry has developed to protect our credit cards with RFID-blocking sleeves and material. Wallets, passport covers, purses, and even blue jeans now come with RFID-blocking material built in. But there has never been a single, real-world crime where an RFID-blocking shield would have prevented the crime. Not one. A billion-dollar industry selling unneeded products.

Or, more particular to computer security, how about Meltdown and Spectre (https://meltdownattack.com/)? Arguably the most serious computer vulnerabilities in over three decades. If you didn’t apply the patches, there was almost no way to stop them from being exploited. They impacted most CPUs and computers produced since the 1990s. Serious stuff. Every patch management report lists any devices missing the Meltdown and Spectre patches as “critical vulnerabilities”. You must patch them NOW!! Except for the fact that there hasn’t been a single real-world exploit of them.

If something hasn’t been exploited even once, is it really a high risk? I mean, there are a lot of things we need to be worried about. There are a lot of things that are routinely exploited on a daily basis across millions of victims. Yes, we need to be mindful of any POTENTIAL high risk, but if the likely occurrence of a particular threat is near zero or zero, it really isn’t a true high risk, even if your patch management or vulnerability scanning report says it is. There are an awful lot of houses from the 1960s with dusty, rundown nuclear fallout shelters.
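To make the argument concrete, here is an added example (not from the article or the book) that takes the findings a scanner ranks by CVSS alone and re-ranks them by an estimate of how likely each one is to actually be exploited against us, weighted by impact and exposure. The findings, weights and field names are all constructed for illustration; the side-channel and old-SSL entries mirror the article's characterization of those threats.

```python
"""Re-rank vulnerability scanner findings by real-world exploitation evidence.

Added example, not code from the article: the scanner orders findings by
CVSS severity; risk_rank() orders the same findings by likelihood of actual
exploitation x impact x exposure, which is the article's point.
All sample findings, scores and weights are constructed.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss: float              # scanner severity, 0-10 (constructed)
    exploited_in_wild: bool  # any confirmed real-world exploitation?
    low_complexity: bool     # advisory says "low complexity"
    assets_exposed: int      # how many of our devices carry it (constructed)


def scanner_rank(findings):
    """What the patch report does: highest CVSS first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def likelihood(f):
    """Crude estimate (constructed weights) of how likely exploitation is.
    A flaw nobody has ever exploited gets a near-zero likelihood no matter
    how severe it looks on paper; an exploited, easy one gets full weight."""
    if not f.exploited_in_wild:
        return 0.05
    return 1.0 if f.low_complexity else 0.5


def risk_score(f):
    # relative risk = likelihood of exploitation x impact x exposure
    return likelihood(f) * f.cvss * f.assets_exposed


def risk_rank(findings):
    """Highest relative risk first: what to fix first and best."""
    return sorted(findings, key=risk_score, reverse=True)


SAMPLE = [  # constructed findings modelled on the article's examples
    Finding("CPU side-channel (Meltdown/Spectre-style)", 9.8, False, False, 500),
    Finding("Unpatched browser plugin", 7.5, True, True, 300),
    Finding("Phishable single-factor logins", 6.0, True, True, 450),
    Finding("Old SSL protocol flaw", 5.3, False, True, 40),
]

if __name__ == "__main__":
    for title, ranked in (("Scanner order", scanner_rank(SAMPLE)),
                          ("Relative-risk order", risk_rank(SAMPLE))):
        print(title)
        for f in ranked:
            print(f"  {f.name:45} cvss={f.cvss:4} risk={risk_score(f):8.1f}")
```

Running it shows the side-channel finding at the top of the scanner list and third in the relative-risk list, behind the two threats that are actually being exploited every day.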

Make sure what you concentrate on in your computer security career is a real, likely risk. There are a lot of things to be worried about, so make sure you worry about the right things.

I’ll end with one of my favorite quotes: "If you protect your paperclips and diamonds with equal vigor, you'll soon have more paper clips and fewer diamonds." – Dean Rusk, U.S. Secretary of State, 1961-1969

Stephen P.

Cybersecurity Specialist | Surgical Technologist | Host of Cyber Health Podcast | Connect | Educate

4 years

Thank you for sharing Roger Grimes

Michael Nelson, MBA CISSP

Deputy CISO / Security Operations Manager @ City of Arlington | CISSP, MBA

4 years

Great information, thanks for sharing this insight!

Milton Calnek

Information Security Geek Interested in Cyber Risk Management

4 years

Definitely something to reflect on from time to time.
