Super Wicked Cyber Security

Today you will no doubt have read about the Apple Keychain and associated vulnerabilities, with roughly 88% of Apple and iOS applications vulnerable. No doubt Apple will soon release information and patches and otherwise address this issue, but the fact that Apple asked the academics to delay publication for 6 months, and has known about the issue since October 2014, should make everyone pause. If a firm like Apple, which hires the best and spends massive amounts on security design, has this issue, we must come back to a simple theme: Information Security is becoming nearly unmanageable at large Fortune 500 firms. If even Apple cannot ‘get it right’, if firms like JP Morgan or well-funded government agencies like OPM cannot ‘get it right’, what hope does an average firm have?

Corporate tactics are not changing; the last battles continue to be fought despite changing dynamics. You might be pressured to ‘buy Imperva’ for your Web Application Firewall instead of considering startup firms like Zenedge, or told to buy only from ‘approved vendor’ lists. Best practice frameworks dominate, and new variations are laughed away as ‘too risky’. Over time, security professionals essentially behave like lemmings: happy to copy ‘best practice’, happy to ‘not get fired for buying IBM’ as the old saying goes, and essentially following very similar models and approaches. How much easier can we make it for hackers when we all follow more or less the same approaches and simply parrot back what was picked up on a 5-day CISSP bootcamp course? Those courses are important, absolutely, but where is the ‘value add’ in our industry? Where is the creative or unique thinking?

Failing Cyber Security is essentially due to hubris: the idea that we can attack a growing Gordian Knot with old approaches and the ‘same old, same old’ instead of facing the fact that we are dealing with what is likely the most intractable problem of our time.

Governments and private industry are spending vast resources, yet are clearly losing. So, what to do? Embrace the complexity. Acknowledge it. What we are trying to defend as CISOs does not need to be a static problem, nor a changing problem we have no influence over; it can be simplified, as I wrote about in my previous publication ‘Gordian Knots’.

Yet even if we embrace simplification to address this complexity (turn off systems, segment, stop BYOD, run IE only in a VM, all of which I have previously written about), even that is not enough. The final step is accepting that Cyber Security is really a ‘super wicked problem’. Super wicked problems, as described in 2007 and 2012 papers by Kelly Levin and others, have four features in addition to massive complexity bordering on chaos (with my own comments in brackets):

  1. Time is running out. (Breaches are weekly now.)
  2. No central authority. (Governments all have different views on approaches, different data protection laws, and different views even on ‘best practice’.)
  3. Those seeking to solve the problem are also causing it. (Security teams and other stakeholders often fix one issue only to cause another, or deploy a ‘standard’ vendor only to find out 6 months later that it has a vulnerability; most firms are then exposed, since they are all using the same approach in the name of ‘best practice’.)
  4. Policies discount the future irrationally. (So much of Cyber Security is based on solid policies, but policies are not always followed, and a good policy now could be terrible next week, such as ‘use Apple Keychain’ or a password vault.)

Once you accept that these principles also apply to Cyber Defense, once you embrace the challenge and the near chaos of defending a large multinational firm, you can reinforce simplification efforts and at the same time change your approach to solving the Cyber Security problem by redefining the actors working to address it (security as a whole). You can do this by approaching cyber security via the standard ‘wicked problem’ approaches:

Authoritative Cyber Defense Strategies

Put the solution design in the hands of only a few people, perhaps an IT Steering Committee with experts ready to implement its tactics. This ensures a unified strategic approach (no BYOD, for example, because the key stakeholders do NOT want the added complexity in your firm), with the disadvantage that others in the organization are not part of the solution.

Competitive Cyber Defense Strategies

Put points of view against each other, requiring the parties that hold those views to come up with their preferred solutions. Let the Security team design secure coding standards, but also let the development team feel free to add to them, innovate, or change a design that can never be totally secure. The disadvantage is that this adversarial approach creates friction.

Collaborative Cyber Defense Strategies (Best, but time-consuming)

Engage all stakeholders in order to find the best possible solution for everyone, so that essentially the entire firm, including the ‘ethics and values of your firm’, becomes security focused. Awareness training is a good start here, as is enablement of the business: ensuring they understand that additional features or ‘nice to have’ options may actually have massive security impacts, not just in cost but in uncertainty. If, for instance, your firm needs to ‘go production’ with a security flaw that carries a 1 in 1,000 chance of a serious breach, or 1 in 10,000, or 1 in 1,000,000, or to remove the feature completely (100% security then), this needs to be a board-level decision.

Does this mean any of the above will conclusively work? No. Does it mean the approach is better than current approaches? Maybe. Super wicked problems require you to face the fact that you are dealing with intractable issues that are not solved exclusively by best practice, Gartner Magic Quadrant vendors, or security control and policy standards. Are all of those important? Of course. Can we do more by changing our strategies and moving from ‘Risk based’ security to Risk based approaches to wicked problems, allowing for creative solutions (on TOP of best practice) to defend firms? Absolutely.

This is weird that I can't reply to your reply Robert, so I'll reply above! The threat exchanges that the US government has set up are equal to that of the Dutch. Some non-identifying information that sits in a database somewhere and allows freeware (like ModSecure) and others to benefit from what competent products actually find is one first step, but going further to where ISPs are given a fingerprint of an actual device to block from ever entering the internet or a network is something very different. Virus and spam companies have had similar exchanges for over 2 decades and I still get offers of $30 Million dollars from Nigerian princes and just this week received 10 malware-attached emails through my retail store's email system. My point is, even with all of this exchange of data, no one is really leveraging it to a consistent level to eliminate bad actors. Recently, one of my provider's clients' sites was attacked and it went down because it wasn't on a protected service. After the attack they were given a demand: 500 Bitcoins or we do it again. 1 year of service being $60,000, they paid the ransom and by their estimation saved $45,000. But here is the problem: 1. After you have been attacked successfully once you are 80% more likely to be attacked again; after all, success is what this game is about. 2. Haven't we seen this movie before? There is always a back-up and the blackmail will always continue. 3. By paying off your attacker, you actually make other targets less secure because it's impossible to effectively build a security matrix and threat database if the attacks never come. 4. Sooner or later you will become the target of what we call "advanced persistent threat," which means you will be constantly under attack or threat of an attack, necessitating you building a 24/7 staff and spending MILLIONS to defend your right to operate on the internet unmolested. And in the end, did you save $45,000 or did you commit to spending millions later on?

Completely agree, and being on the security sales side I can say that many clients evaluate the cost of a breach with the cost of security and a lot of times there is a distinctive mismatch. Many times I have had the bad fortune of pitching $1 Million in security to a company that faces only a fraction of that in repercussions from an attack or data breach. After the cost hurdle is jumped I usually find that most companies do not understand the perspective of "defense in depth" and say crazy things like "I don't need a WAF, I have a PIX firewall..." or "We have IPS on our router... we don't need WAF... Besides, our load balancer protects us from DDoS..." In every case I find that the main operating mindset is that one item should somehow protect the dozens or hundreds or thousands of targets in your infrastructure from a virtually limitless target surface. I work with a lot of cloud and CDN vendors building security infrastructures and in every case they talk about competing with premise equipment, and I caution against this practice and instead encourage cooperation. Why not send messages from Kona or ZENEDGE or Incapsula to other devices in the network? Why can't security become an open framework where systems create a messaging network so you can actually correlate and target bad versus good connections? Why should all vendors share fingerprints of known bad actors? After all, if we all work together we can build a non-adversarial completely secure environment; we have the tools, we just need the desire.

Paul L.

Head Of Information Security at Quantexa

9 years

I agree 100%, great article. The value add proves commitment and shows a level of understanding which is always a good starting point in my book. The main issue as I see it is that some individuals lack common sense when it comes to designing solutions, and also the hands-off clients who leave it 100% to the consultancies to do.

Hani B.

Cybersecurity Advisor/Coach

9 years

Great article! The author definitely is a well-informed and insightful practitioner. We need more of that type of security thinker, not the rule-book gatekeepers.

Ivan Salmons

Retired Enterprise Security Consultant

9 years

Great article Robert. I'm really looking forward to joining your team.


More articles by Robert Duncan