Chapter 1 of my Data-Driven Computer Defense book
[To be clear, this is pure selling tactic for my Data-Driven Defense book (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847/), but it does share the main points that anyone can take away to improve their computer defenses even without reading the book. And I have written about the main content here on LinkedIn and with free whitepapers as well. This just explains the basic ideas included in all of them. Email me at [email protected] to get my free whitepaper.]
1 Introduction
“I'm often in trouble for speaking too clearly.”—Unknown
A Data-Driven Computer Defense is a common sense set of strategies to more efficiently put the right defenses in the right places in the right amounts against the right threats.
Computer War
Imagine two armies, one good, one bad, locked in a multi-decade war. The bad army is constantly winning battles on the left flank and has done so for years. In real-world battles, the good army, after noticing a weakness on the left flank, would amass more troops and resources on the left flank to counteract the enemy’s continued success. In fact, in a real war, the good army would continue to amass additional resources on the left flank until it became impenetrable, or they would ultimately lose the war.
But in the virtual war that is being conducted against today’s corporate computers, upon learning that the left flank is constantly being defeated, defenders inexplicably amass defending troops nearly everywhere else. They put more troops and resources on the right flank and the center. They sometimes even stack troops up vertically because they have heard of some theoretical attack from the air that they might one day have to defend against. Everyone involved can see that they are losing because of the battle occurring on the left flank, they complain about it, and then they respond by doing everything else but addressing the attacks on the left flank threat.
In a real war, if you couldn’t get the generals to fight on the left flank, you would replace those generals. Unfortunately, in the computer world, those replacement generals are just as likely to concentrate on anything but the left flank, just as their predecessors did. If you think this sounds like a terrible way to conduct a war, you are right.
If you don’t like the war allegory, imagine a homeowner who lives in a house that intruders constantly break into by using a window beside the door. In response, the homeowner buys more locks for his door because he’s heard that most home burglaries happen because doors don’t have enough locks. Or he’s heard that traditional locks aren’t smart enough and don’t have enough technology in them. So, despite the best direct evidence that the window is the problem, the homeowner upgrades the wrong defense. Home burglars and hackers alike appreciate such a lack of appropriate focus.
Most readers will recognize parts of their companies in these allegories.
Introduction
My name is Roger A. Grimes. I’ve been a computer security consultant since 1987. I have dozens of computer certifications, including some of the most sought-after computer security certifications in the industry. I have been an instructor for many of them. For over 20 years, I’ve been a professional penetration tester, and I’ve broken into every company I’ve been hired to break into in less than three hours except for one, and that only took five hours. I’ve taught thousands of students around the world how to hack into computer systems and how to best defend them. I’ve worked for some of the world’s biggest computer security companies, including Foundstone, McAfee, and Microsoft.
I’ve written or co-written ten books, including this one, and over 1,000 magazine articles on computer security. I have been a security columnist for InfoWorld or CSO magazine since August 2005. I am a frequently invited guest speaker at industry computer security conferences and regularly interviewed on national media shows for my sometimes contrarian and provocative views.
I’ve worked with hundreds of companies, large and small, and after over thirty years of experience I came to the sad conclusion that very few of them ever really did the right things at the right time with their computer security defense, even when the evidence of what they needed to do was overwhelming. In any other field, their response and approach would border on legal neglect. But this neglect wasn’t on purpose and their approach doesn’t need to stay this way.
This book is dedicated to explaining why most companies are inefficient defenders and how to fix the problems so that they can end up with a more efficient computer security defense that significantly lowers risk.
It is written in a friendly, first-person approach, sharing examples of hard-won past experiences. A book on general computer security defense can easily be written in a staid tone. I intentionally chose a lighter, more conversational approach to give everyone a better chance of not getting bored.
Notes to Readers
There are four things to note about the writing in this book before we begin. First, I frequently use the terms threat, risk, and exploit interchangeably throughout the book, without overly focusing on their specific meaning. The context will indicate the meaning. Second, I often use the terms corporate, company, or organization as a stand-in for any entity that practices computer security, including a corporation, small business, organization, government agency, or military unit. Third, I often use the term hacker to mean malicious hacker, even though I understand that most hackers are good people who never do anything illegal or unethical. Fourth, I often use the term computer to mean any computer, system, or device capable of computing and being hacked, be it a computer, cell phone, laptop, Wi-Fi router, network device, etc. I use all four writing shortcuts because most readers understand what I’m trying to convey, and it just makes a book like this easier to write.
The Definition of Insanity
For the last 20 years, I’ve worked full-time reviewing companies’ current security practices. I made assessments about what each was doing right and wrong, including what was badly broken. My lengthy reports have detailed the good, the bad, and the ugly. Most of the time, 80% of what the organizations were doing wrong (e.g. unpatched software, poor anti–social-engineering training, too many users in highly privileged groups, etc.) was common to almost all companies. In every case, the majority of the report came from a long boilerplate document template, with the remaining 20% being customized for each entity’s peculiarities.
My reports focused on the worst negative findings and prioritized what the company could do to significantly improve their security as quickly as possible. Most of the time what I recommended as the highest criticality was low-cost and fairly easy to implement, simply an improvement or renewed focus on an already existing process. And almost every company, when I revisited later, hadn’t accomplished a single critical recommendation, much less accomplished all of them.
This was true even if they had been thoroughly, publicly hacked, had lost over $100 million in damages, faced ongoing lawsuits, had CEOs and CSOs fired, and faced millions more in fines if they didn’t correct the situation. Regardless of the company or direness of the situation, when I came back later, nothing that would significantly decrease their security risk had been accomplished.
It wasn’t that they didn’t do anything. All these companies spent a lot of money (often in the many millions of dollars) and obtained new resources (often hiring dozens of new experienced computer security employees and buying tons of new computer security services, software, and hardware), but they didn’t fix the most important problems they had, even though I had spelled them out in extra-large, red, bold fonts in my reports. During report delivery, I would spend my time talking to everyone in the room and get absolute consensus on what the biggest problems were and how to fix them. Everyone would nod their heads and agree on the best solutions. And yet a year later, their biggest risks were still their biggest risks.
For example, maybe they were broken into by hackers because of unpatched Oracle Java, and I had identified it as their biggest problem. A year later their biggest problem was still unpatched Java. They would acknowledge it, tell me all the reasons why they could not fix it, and then spend the rest of the time complaining in disbelief about why they were still being hacked so much. I would tell them it was because they didn’t fix their biggest problem. They would agree. And a year would go by and still, again, nothing would be fixed. Maybe one or two companies out of hundreds over decades actually fixed their biggest problems first.
The situation I’m describing isn’t unique. The problem isn’t me, my findings, my reports, or my style. It happens to every computer security consultant or employee. Most long-time computer security consultants and employees go through a predictable series of shared, distinct, emotional phases in their career. They start out wanting to change the world and stop malicious hacking. They are euphoric, eager, and ready to put in the long hours that it takes to make the world a better place. I liken their optimistic attitudes to new teachers or nurses.
Unfortunately, they end up being disappointed by the realization that the hackers will very likely always win. They are quickly frustrated by being forced to work on projects that will not do much to significantly reduce hacking trouble. They might even know what they need to do to really significantly reduce risk, but they aren’t allowed to do it. They are responsible for everything and given none of the authority to fix it. It’s torturous. It depresses them and breaks down their enthusiasm.
After a few years, nearly every computer security employee ends up feeling that they can’t really stop attackers and the best they can do is to keep their head down and focus on doing what they are told to do, even if what they are doing won’t really help that much.
I have counseled dozens of computer security professionals who are frustrated with their careers. Some accept their occupation for what it is. Others simply give up and switch careers into something else entirely because they cannot live with how soul-crushing and unfulfilling it can be.
The front-line computer security defenders blame management for not listening to them, and senior management keeps wondering why their millions of dollars are not making their entities more resistant to attack. Senior management is often resigned to feeling like they are trying to survive until the likely day when hackers penetrate their defenses and even higher senior management asks them to fall on their own sword. Everyone on the team is demoralized to a certain extent.
The end result of most corporate computer defense strategies is that hackers can easily penetrate enterprise defenses at will, negating all those millions of spent dollars and “brilliant” strategies. Most of today’s defenses work so poorly that the entire industry of corporate defenders is being told that the only way to even minimize the problem (“because you can’t stop it!”) is to adopt an “Assume Breach” style of defense.
Assume Breach believes the hacker is already inside your porous defenses or easily could be. This isn’t hyperbole. It’s the reality for most organizations. And so, you need to beef up early detection alerts and implement defenses to isolate and slow down hackers and malware once they are on the inside.
The sad reality is that most of these organizations aren’t doing the simple, usually less expensive, things that would make their environments significantly more secure and more difficult to successfully attack.
An outside observer watching this misaligned chaos might mistakenly conclude that all these complaining, attacked companies aren’t doing anything to defend themselves from the initial attacks. They might even come to believe that these companies must want to be successfully attacked. Such an observer could be forgiven for coming to such conclusions because that’s what it looks like when you see how most companies are not correctly responding to their biggest threats.
With a different approach that clearly defines the biggest threats and focuses on the right things, the companies would be better secured and IT security employees would be happier. This book is about finding that better place.
The Problem and the Solution
Many companies do not appropriately align computer security defenses with the threats that pose the greatest risk (i.e. damage) to their environment. After I recognized the central problem, I spent nearly a decade trying to figure out why this was true. After all, no one wants to waste time and money on strategies that are doomed to fail. No one wants to resign their career to the fact that they will never win or be successful. No one wants to make poor choices. But nearly everyone is doing so. How did things get this way?
After reevaluating hundreds of security reviews that I had performed over decades and speaking with over a hundred CSOs and hundreds of front-line computer security employees, I was able to recognize common patterns and problems. I address them in Chapter 3, “Broken Defenses”. They all share one outcome—they lead corporations to focus on the wrong things.
The best computer security consultants recognize that there is a world-sized gap between the myriad of critical threats you are told to fear and the biggest successful threats you ACTUALLY currently have and will most likely need to deal with in the near future. If you truly understand that distinction and all of its ramifications, you can probably skip a third of this book, even though I think you’ll enjoy reading more of the context. Either way, I’ll revisit this concept in a variety of ways throughout this book.
The growing number of ever-evolving threats has made it more difficult for organizations to identify and appropriately rank the risk of their most critical threats, especially against each other. This leads to an inefficient and often ineffective application of security controls—at least in the right places in the right amounts.
The implementation weaknesses described in this book are common to most organizations and point to limitations in traditional modeling of computer security threats. Most of the inefficiency occurs due to inaccurate risk ranking and poor communications and leads to uncoordinated, slow, ineffectual responses.
Chapter 4, “Fixing Broken Defenses”, proposes a solution framework that can help organizations more efficiently allocate defensive resources against the most likely threats in the right places in the right amounts to better reduce risk. As discussed in Chapter 10, “Selling DDD”, this new data-driven approach to a computer security defense plan results in many benefits, including:
· Increased focus on the right things
· Improved data collection and analysis
· More efficient, lower cost, computer security defense
· Better threat intelligence
· Improved threat detection
· Quicker responses to growing threats
· Reduced damage
· More accountability
· Measurably lower computer security risk
· Increased trust in computer security defenses
· Improved morale for all stakeholders
The key goal of an implemented Data-Driven Computer Defense is to more accurately align and funnel mitigations against the root causes of the most successful, damaging threats. The outcome is a more efficient appropriation of defensive resources with measurably lower risk. The measure of success of a data- and relevancy-driven computer defense is fewer high-risk compromises and faster responses to successful exploits.
If such a defense is implemented correctly, defenders will focus on the most critical initial-compromise exploits that are most likely to harm their organization. It will efficiently reduce risk more quickly than other defense strategies and appropriately align resources. And when the next new threat vector lifecycle begins, the organization can recognize it earlier and respond and reduce damage more quickly.
Reprogramming Your Brain and Culture
Following a Data-Driven Computer Defense involves impacting every part of the organization, not just the computer security or IT departments. That alone is difficult enough, but it becomes even more so because many of the things I’m going to tell you to do will seem like the antithesis of what you’ve been taught your entire professional life. You, your co-workers, and your bosses will likely be skeptical at first. That is normal and to be expected until you and they see the results.
Whenever you have a huge, long-term structural problem that isn’t being solved by traditional means, it requires a paradigm shift in thinking, often across an entire industry or the larger culture. It wouldn’t be a big, long-standing, problem in the first place if it didn’t require a big shift that can sometimes feel wrong at first. What years later is eventually recognized as common sense can initially feel counterintuitive.
For example, in the nutrition industry, it’s taken decades of empirical studies to demonstrate that sugar and carbs may be causing more problems than fat and that eating whole eggs doesn’t cause cholesterol problems. Yet, most of the diet advice still is based on the notion that eating fat makes you fat and eating eggs gives you cholesterol, even though nearly every study coming out today does not show that to be true.
The New Password Paradigm
Many paradigm shifts are occurring in the computer security industry right now. For example, we all know that one of the best things you can do for a good computer security defense is to enforce that all users use strong passwords. Strong passwords must be long (at least 12 characters), be complex (incorporating multiple types of character sets: uppercase, lowercase, numbers, and symbols), and be frequently changed with a maximum life of 90 days. That is a well-known fact supported by every computer security leader. There isn’t a computer security regulation or best practice that doesn’t say this. A strong password policy is often required by regulatory law (e.g. PCI-DSS, SOX, HIPAA, NERC, etc.).
However, decades of experience and data show this approach is wrong and likely contributes to an increase in successful malicious attacks. Yep. Everything you’ve ever heard about password policy in the past is wrong. Today’s most knowledgeable password experts now recommend non-complex passwords that rarely change. Anything else probably increases your risk. Frustratingly, it will probably take another half decade or longer for the existing computer security guidelines and laws to be updated to reflect the better methods. So, you’ll probably be forced to implement the old requirements for many years to come even though it actually increases your security risk.
A former co-worker of mine at Microsoft Corporation, Dr. Cormac Herley, is on the forefront of the new recommended password policies. When he and others looked at the data, they found out that the data on password hacks did not support the old best practice recommendations. Updated research and a renewed look at the data turned the computer security world upside down regarding password policy.
It’s not as if the new password policies are a secret. They can be found in the world’s most trustworthy sites for computer security policy, including https://pages.nist.gov/800-63-3/sp800-63b.html and https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf. When these policies came out, their contrarian ideas made headlines for weeks around the world. It was the opposite of being a secret. Still, most people, including most of the readers of this book, haven’t heard of them. Ideas that run contrary to long-held beliefs take a long time to become generally accepted, even if the data is better and many people broadcast it to the world.
As Cormac said in my book, Hacking the Hacker (https://www.amazon.com/Hacking-Hacker-Learn-Experts-Hackers/dp/1119396212/), “I didn’t come into the computer security world to intentionally and deliberately antagonize anyone. But because I’ve only recently come into the security world, I didn’t have the long-standing culture biases that many others get. I had a different background, driven by data and the need to see supporting data. When I didn’t see good data, it allowed me to ask fundamental questions, which the culture had already long accepted. I wanted to get the data, test, and do the empirical analysis—do things with math. It’s not only a desirable way of doing things, but necessary. You might have a model of how you think 2 billion users will behave but 2 billion users will respond the way they are going to respond regardless of your model. You can hope that it happens, but you have to measure what happens to see if there is any resemblance to what happened [to compare] to your model. And if your model is wrong, change it.”
Security by Obscurity Is Good
Here’s another example: Most computer security practitioners are taught early on that “security by obscurity is no security.” The idea is that attackers might be able to discover any fact surrounding your system, so assume they have all the necessary facts and design your security system to be secure even if they have perfect knowledge of it (for everything but the ultimate authentication secrets). The “security by obscurity is no security” dogma is believed and repeated so much that it borders on religion. However, it isn’t any truer than the old password policy beliefs.
The truth is that obscurity is a great defense and often one of the best ways to get the biggest bang for your security dollar. It just shouldn’t be the only or primary way your system is secured. You should still design a system as if the axiom is true. It can only help you. But there is a fundamental difference between not relying solely on security by obscurity and refusing to benefit from it at all.
If you look at the data, you should absolutely include some obscurity as part of your overall security defense. Any variable that a hacker has to guess or look for slows them down and makes their job harder. If obscurity is no security, then why don’t the world’s armies tell each other where their nuclear subs are traveling and where all the nuclear missile silos are located? I can tell you why. Obscurity has good security value.
Throughout this book I’m going to ask you to question some of your existing beliefs. I’m going to offer you new ways to look at things that have always been right before your very eyes. But instead of just asking you to blindly accept what I say or even giving you someone else’s data, I’m going to ask you to use your own data and experiences. In fact, this whole book is about gathering your own data to build your best possible computer security defense. No one else’s data means as much as the data from your own, localized experience. When you get through with this book, you should always be skeptical of other people’s data, especially the further it gets away from your own organization’s current experiences.
Some of this book will seem overly defensive at times, especially when discussing how to “sell” these ideas to others in Chapter 10, “Selling DDD”. That’s because I know what a “hard sell” it can be to others who are not ready to accept the basic facts. It is my greatest hope that one day everything said in this book is accepted as common sense, because it is common sense. But in the end, the only proof that matters is your organization experiencing less damage from current and future attacks. Everything else is opinion.
“If I were to try to read, much less answer, all the attacks made on me, this shop might as well be closed for any other business. I do the very best I know how—the very best I can; and I mean to keep doing so until the end. If the end brings me out all right, what is said against me won't amount to anything. If the end brings me out wrong, ten thousand angels swearing I was right would make no difference.”—Abraham Lincoln
This Book’s Chapters
This book is broken down into ten chapters that are spread across three main parts.
Part I, “Bad Defenses”
This part of the book talks about Data-Driven Computer Defense, the methods hackers use to compromise systems, and how most of today’s corporations are doing computer security defense wrong and why.
Chapter 1, “Introduction”
This chapter introduces the data-driven computer defense concept and why it is needed.
Chapter 2, “How and Why Hackers Hack”
Most hackers follow a general series of common, sequential steps to compromise a system, even if they don’t always use all of the steps or use them in the same order. Understanding how hackers and their malware break into systems is essential to stopping them.
Chapter 3, “Broken Defenses”
Companies don’t want to defend poorly, so why do they do so? This chapter explains what they are doing wrong and how security got to be this way. The first step in fixing a problem is admitting you have a problem.
Part II, “A Better Data-Driven Defense”
This part of the book explains the theory behind a data-driven defense and gives all the details for why it is the right way for any organization to improve their computer defense efficiency.
Chapter 4, “Fixing Broken Defenses”
This chapter discusses the key elements for creating a better defense that more efficiently aligns mitigations against the right threats.
Chapter 5, “A DDD Example”
This chapter uses data-driven computer defense strategies to reinvent and improve a very common computer defense, patch management, as an example to help you to start thinking in a data-driven way.
Chapter 6, “Asking the Right Questions”
This chapter discusses how defenders need to ask better questions to get to the crux of their computer security problems.
Chapter 7, “Getting Better Data”
This chapter tells you how to obtain better data to more accurately drive your new computer security defense.
Part III, “Implementing a Data-Driven Defense”
In most cases, changing to a Data-Driven Computer Defense means impacting the whole corporate culture, changing focus, and affecting every part of the organization. It’s not easy. This part of the book tells you how to do it, especially because every organization is unique and requires a custom solution.
Chapter 8, “The Data-Driven Computer Defense Lifecycle”
This chapter helps you drive all the new lifecycle components of a data-driven defense within your own corporate culture.
Chapter 9, “More Implementation Examples”
This chapter gives example after example of the ways different companies implemented a better data-driven defense. Most of the examples cited here can be implemented within your own organization.
Chapter 10, “Selling DDD”
This chapter tells how to get your company to accept a data-driven computer defense across the entire organization. It summarizes the benefits and arguments any DDD proponent can use to sell this new data-driven methodology and provides step-by-step recommendations any company can use to implement a DDD mindset and plan across their entire organization.
The theories and approaches described in this book have now been put into practice across dozens of companies with great success. Since version 1.0 of this book was released, it has sold more than 30,000 copies, and dozens of companies have thanked me for the positive impact on their organization’s computer defense plans. They are all proof-positive examples of the practical risk reduction strategies shared in this book.
The best part of this success is that these new corporate cultures now think of data-driven defense as common sense. It is a part of their ethos. The old way seems non-sensical. It just took some data, a few examples, and a little prodding to see what was working and why in order to get to the new understanding.
This Book Is a Red Pill
In the popular 1999 movie, The Matrix, the protagonist, Neo, is shown the terrible reality that exists under the false surface that he perceives. At a pivotal point in the movie, he is offered a red pill and a blue pill. The red pill will keep him forever awakened to reality, no matter how painful and challenging that new reality will be. But he can instead choose to take the blue pill, which will render him back into his original, more tranquil ignorance. Neo takes the red pill and reclaims his world from its robot overlords.
This book is your red pill. If I’m successful, from this moment forward you will forever think differently about computer security. You will see most computer defenses for what they are: inefficient, incorrectly ranked, and wastes of money and resources. You will no longer accept unranked items of things to do. Instead of blindly accepting dogma, you will require data to back it up. You will only value other people’s data after you measure and weigh it against your own data and experiences. Gut feelings are great. Data-driven defenses are divine. Have no doubt about it: My goal is to change the way you see and think about computer security for the rest of your life.
If you have any questions or comments, please don’t hesitate to email me at [email protected]. Keep up the good fight!