In the wake of the massive attack on the systems and information at Sony last year, many smart senior executives, C-suite occupants, and Boards of Directors are asking what THEY should do in the coming years as a result of the attacks.
The lessons learned run the gamut from “I told you so” to “there but for the grace of G-d go I.” But, as JFK once said, we should not act in fear, but neither should we fear to act.
With the beginning of a new year, these executives (and not just the security professionals) need to address certain issues highlighted by the Sony and other high-profile hacks. Here are just a few.
1. You are a target.
Most companies believe that they are not likely to be a target of hackers. I don’t care whether it’s a law firm, a mom and pop store, or a Silicon Valley startup; they just don’t think that anyone would go after them. I mean, why would they?
They are nice, decent people making a valuable product or providing a valuable service. Hardly controversial. They don’t have anything anyone would want. The hackers are interested in banking information or sensitive personal data. We don’t have that, so we are not a target.
Wrong.
Hackers are both tactical and strategic. Some of them go after any target that they can get into – sometimes simply because they can, sometimes as a launching point for other targets. Actions over which you may have little control may suddenly make you or your product controversial and a target to someone.
Or, the hackers want to exploit your technology. Or a disgruntled employee wants revenge. Or some nation-state decides that it’s in its strategic interest to go after your bubble gum manufacturing process (a bubble gum gap!). Risks come in all sizes and shapes.
Suffice it to say, you should assume that you are a target, and that you are a target of highly sophisticated nation-state actors (including those within the United States).
This means your emails, your data, your connections, your partners, your telecommunications, your social networking, your websites, your sales, your personal data, financial records – everything.
This doesn’t mean you have to secure everything against agents of S.H.I.E.L.D., just know that it’s all at risk. And then make intelligent choices about what to protect and how.
Did I mention that you are a target?
What Sony learned is that it had been a target of attack in multiple ways by multiple agents for many years. Hacker groups, organized crime, and nation-states had attacked a motion picture, gaming and electronics company. If you exist, you are a target. Plain and simple. Head out of sand.
2. It’s not the computer
It’s NOT computer security. Never has been. It’s easy to make a computer secure. All you need is an industrial shredder. A hand grenade might do in a pinch. I
nformation security is about protecting the Confidentiality, Integrity, and Availability of information – data, facts, records, documents, forms, and processes.
The RISK comes primarily from the fact that all of this stuff is moving around on computers, mobile devices, networks and hubs that are, frankly not very secure. So it’s not the industry that you are in that is the risk. It’s the fact that you are doing whatever business you are in is mostly online. If you are a corner bookstore with any kind of web presence (and even if you don’t have one), you have risk.
What Sony learned is that the hacks were targeting information, which was sensitive and located in many places.
So, forget securing computers (kind of). Secure the data. Oh, and the computers. But mostly the data. But that is hard to do, since the data must be mobile and distributed to be useful. It’s not about a new gadget, device, or service. It’s about a comprehensive and layered approach to data protection.
All the time. Everywhere.
3. Sensitive data is everywhere
All too often we attempt to secure THINGS. Let’s secure our e-mail. Oh, and let’s secure our smartphones. Oh, and let’s have a plan to secure iPads. And POS terminals. And routers. All good ideas. But they miss the point.
If you were to ask most IT Security staff, “show me where on your network are your trade secrets” they would (appropriately) give you a blank stare. “Which e-mails contain attorney-client privileged records” might lead you to lock down the General Counsel’s office, but what about everyone who communicates with the GC (or outside counsel) or acts at their directions?
The HR department might be on a separate secured network segment, but their data will flow in and out of other network segments.
Air gaps aren’t really gaps anymore.
We tend to protect computers. Sony’s CEO’s computer. Most companies have no clue what data is important until it is lost. Most companies couldn’t identify its trade secrets until they are stolen. If you were to ask a departing executive to describe the trade secrets on his or her own computer or mobile device, they might be able to do so generically, but couldn’t specify the individual documents.
Sony’s legal threat to publishers not to reprint their trade secrets is illustrative. Which of the Sony CEO’s emails are “trade secrets?” The ones calling out Angelina Jolie’s talent and the quality of Adam Sandler’s movies? Is it really a trade secret that the movie Jack and Jill suuuucked?
We classify data by the means of distributing it and its location. That’s dumb. In the absence of good data classification schemes (and they are really really hard to implement) we rely on Data Loss Prevention solutions to ID sensitive data on the way out, or we try to protect everything. It doesn’t work. We need to do better.
Here’s a place where I don’t really have a solution, but hey – that’s what vendors are for, right?
4. Forget about regulations
Most data security strategy plans begin with trying to classify data based upon regulatory requirements. “Do we have any HIPAA data?” “Do we have any PCI-DSS Data?” “Are we covered by GLBA?” “Where is our PII located?” “Do we have contracts that require certain data to be protected?”
This results in a patchwork of data classifications and security requirements. We protect GLBA data one-way, HIPAA data another. We aim toward “compliance” — a mythical goal that can never be achieved, and even if it is achieved, means absolutely nothing. The hackers assume you are “compliant.”
Regulatory compliance is useful for a CISO to “sell” security to the Board of Directors. “We have to do this because [insert regulation] requires it…” You get buy-in from the General Counsel (we face fines and regulatory action if we don’t do x and such…”
If there were no regulation prohibiting you from putting your primary manufacturing plant on an active volcano, would you do it? I mean, if the rent was cheap?
Do the right thing to protect the data, reduce the risk, and achieve business objectives. THEN worry about the regulations. And buy insurance. Good insurance. Enough insurance. And the right kind of insurance.
Also, don’t forget about data going out of the system. There’s an apocryphal story about an employee of a Russian factory who left the factory every day with wheelbarrow full of worthless sawdust.
The security guard was absolutely certain that the worker was trying to smuggle something out in the sawdust, so he stopped the worker and carefully inspected the sawdust and finds nothing. This goes on every day for years. One day the security guard stops the worker and tells him that he was about to be transferred to a post many miles away.
He put his arm around the worker and asked in a plaintive voice, “Comrade, I know that you have been stealing from this factory, but I have never been able to discover what you are stealing. I will be leaving tonight and promise to tell no one about your remarkable secret. Please, comrade, tell me what you are stealing.”
The worker looked around and whispered in the security guard’s ear: “wheelbarrows!” We often spend so much time and effort keeping the hackers out, we forget about what is leaving through the back door – or even the front door.
The Sony hack, like the NSA “hack” involved terabytes of data being exfiltrated. So did the Target hack, the Home Depot hack, and most HIPAA attacks of massive databases of PII.
Don’t aggregate what doesn’t need to be aggregated, don’t make mobile what doesn’t need to be mobile, don’t keep in plain text that which doesn’t need to be in plain text, and check those wheelbarrows.
5. Out with the Old
One of the biggest barriers to innovation and security is sunk costs. It’s the Las Vegas gambling issue – continuing to lose because you have a lot committed to your current infrastructure.
Sunk costs or false commitment permeate human behavior. You stick with a terrible barber because it’s what you have always done. You don’t throw away an antiquated email system because of how much you spent on it just 2 years ago. You buy a system that is “expandable” into things you neither need nor want.
Humans are illogical. And groups of humans more so.
Take a fresh look at your IT Security needs and strategies. Take a fresh look at the technologies you are employing to achieve your objectives. Look at costs overall, not just cost of acquisition. If you want, get an INDEPENDENT and knowledgeable consultant to take the heat for you.
JFK also said, there has to be a better reason for doing things one way than the fact that they have always been done that way. Have that slogan tattooed on your forehead. Or better yet, have it tattooed on someone else’s forehead.
6. Make Vendors Duke it Out
If you’re a CISO, your life is divided into two parts. First is a never-ending series of impossible demands from your “clients” – business components, executives, etc., to deliver things that cannot be delivered, in impossible timeframes, with inadequate resources.
That’s the FUN part of the job. The second part is a never-ending stream of calls, emails and requests from product vendors, marketers, consultants and others promoting their “magic bullet” to solve problem number one.
They are lying.
Not that they are bad people, mind you. OK, some of them are. But you don’t need the best antivirus solution. You need the one that is best FOR YOU. And you have neither the time, nor the energy, the resources or the desire to write up a series of requirements and performance specifications for each separate product or service and to meaningfully compare their vaporware.
Make them do it for you.
And then share your lessons learned (what works and what doesn’t) with other CISO’s. And solicit their opinions too. It isn’t their first rodeo either.
7. Have a Plan
An information security plan is a strategic document. A living document. A document that should not be in a binder and put on a shelf. This is different from a policy. It says, “We are at point A” “We want want to get to point B” This is how we plan to get there.
A plan also includes plans for multiple contingencies. This includes Disaster Recovery and Business Continuation planning. Contingency planning. Incident response planning.
And about incident response planning – do it. In a future article, I will address both how do to good Incident Response planning, testing, education, training and mock scenarios, why Sony failed, and why you will as well.
But don’t worry about that. Failing is part of learning. In fact, EVERYONE fails to some degree. In incident response, your job is not to do the right thing. It’s mostly to do the least wrong thing.
Your plan should also include vendors, suppliers, regulators, insurers, and other stakeholders.
And the Board of Directors. As Mel Brooks emphatically stated in Blazing Saddles, “We have to protect our phony baloney jobs here, gentlemen! We must do something about this immediately! Immediately! Immediately! Harrumph! Harrumph! Harrumph!” (The harrumphs are important!)
8. Ditch the Plan
In Robert Burns’ 1786 poem To a Mouse, the author apologizes to a mouse for ploughing up the mouse’s nest explaining, “But, Mousie, thou art no thy lane; In proving foresight may be vain: The best laid schemes o’ mice an’ men; Gang aft a-gley; An’ lea’e us nought but grief an’ pain, For promised joy.”
Yeah, my middle English/Gaelic is a bit rusty too, but suffice it to say that in a combat situation, the first thing you do is ditch the plans.
This is really a restatement of the point above about sunk costs. Don’t stick to a plan when the plan no longer makes sense. Readdress your needs continually. Every situation is different. If you need to depart from the script, do so. And keep the Board of Directors advised. The four worst words in the English language are “oh, by the way…”
A five year plan is likely obsolete by month five. Maybe by hour five. It’s a superstructure of goals and objectives. But what is essential for the CISO – like the CEO and the Board – is to be fully integrated into all of the business units so that information security can serve the business needs of the company – not the other way around.
For that to happen, the CISO has to know what the business needs of the company are today, and what they will be next week, next month and next year. Sounds like fun, no?
9. It Will Happen to You
Yup. Did I mention you are a target? And you WILL NOT BE ABLE TO STOP A DETERMINED HACKER. Not if you are SONY. Not if you are JPMorgan Chase. Not if you are the NSA.
So part of your objective is to limit the damage, protect key assets, and be able to respond and recover. And work together with others. Because it will happen to you.
10. Perception is Reality
So much of information security and response is about how you are perceived. Most companies protect their reputations more by not disclosing attacks than be preventing or responding to them.
It’s a strategy that might work in the short run. Hell, it might work in the long-term. But you will be attacked. And you need to be able to manage the perception – both within the company and to shareholders that you failed to adequately prepare for and respond to the attacks.
Every company has a Vice President in charge of going to jail. Or something like that. You don’t want to be that person.
A woman had just been hired as the new CISO of a large high tech corporation. The CISO who was stepping down met with her privately and presented her with three numbered envelopes.
“Open these if you run up against a problem you don’t think you can solve,” he said. Well, things went along pretty smoothly, but six months later, there were problems implementing new security protocols that were over budget and past deadline, and she was really catching a lot of heat. About at her wit’s end, she remembered the envelopes.
She went to her drawer and took out the first envelope. The message read, “Blame your predecessor.” The new CISO met with the Board of Directors, explained that everything was the fault of the previous CISO’s plans that she inherited, and the Board nodded their heads in agreement. Problem solved.
About a year later, the InfoSec problems not yet addressed, a minor incident exposed the company’s vulnerabilities. Having learned from her previous experience, the CISO quickly opened the second envelope.
The message read, “Reorganize.” This she did, changing reporting structures and operations, and the problem dissipated.
Finally, there was a major attack on the company. The Internet was aglow with reports of the attack. The CISO retreated to her office and opened the third envelope for sage advice. The message said, “Prepare three envelopes.”