Security Industry Failing to Establish Trust

During the Virus Bulletin closing keynote, Brian Honan urged the security industry to share more, victim-shame less and work harder to establish trust.

MADRID—In other industries, failure is embraced as a learning opportunity. In security, not so much.

Instead, it’s too often an opportunity to victim-shame: a chance to mock a corporate giant such as Equifax, which recently lost 145 million customer records and whose CISO (albeit one with a lengthy IT career) had a music degree, much to the glee of the Twitter echo chamber.

In his closing keynote at Virus Bulletin 2017 on Friday, independent consultant Brian Honan said security is failing as an industry to establish trust.

“As an industry, we’re very bad at learning new stuff—and we mock victims,” said Honan, founder of IRISSCERT, Ireland’s first CERT, and an Infosecurity Europe Hall of Fame inductee. “Deloitte is a victim. Equifax is a victim. Yahoo is a victim. Every customer who trusted those companies with data is a victim. Yet as an industry, we laugh and we mock, and our reaction is not to learn or share, but to keep things quiet.”

Instead, he made an impassioned plea to learn from other industries, such as aviation, that plan for failure, expect things to fail and react accordingly. The result, as he showed on Friday, is a remarkable turnaround in the airline industry’s safety record since the mid-1980s.

“We need to share our dirty laundry, and stop creating an atmosphere of fear and mocking,” Honan said. “Our first reaction needs to be to help and not mock. If we don’t do that as an industry, the government is going to do it for us.”

The cascading failures of 2017, replete with mega breaches and global ransomware outbreaks, are symptomatic of issues that have lingered for close to two decades. As Honan points out, we still haven’t figured out passwords, we still open untrustworthy attachments, we still stink at patching, and malware still finds its way onto computers.

“In 2017, why are we still relying on people to pick ‘password1’ to protect them from criminals?” Honan asked incredulously.

Poor passwords, missing patches, out-of-date software, out-of-date antivirus, a lack of continuous monitoring and an endless string of vulnerabilities are burying security pros in a sea of distrust.

“These are not super cyber ninjas in North Korea [who are hacking us],” Honan said. “We repeat the same mistakes over and over and we’re not getting different results.”

As 2017 has so far demonstrated, major attacks now carry more real-world, bottom-line consequences than ever before. WannaCry forced hospitals across the U.K. to re-route patients. NotPetya put global shipping line Maersk out of commission for some time, as it did pharmaceutical giant Merck. Maersk alone reported $300 million in losses from the June wiper attack.

And the solution enterprises and midmarket companies are offered is an endless parade of appliances and products sold on the basis of fear, uncertainty and doubt, without ever addressing the underlying problem.

“We need to change what we are doing. We need to change our approach based on FUD,” Honan said. “The key thing in our industry is to scare the crap out of someone and then come in with a shiny box and say ‘Here you go, this will save you.’ And when that doesn’t work, what do you do? You scare them again, and another shiny box comes in.”

Most firms aren’t in the crosshairs of advanced attackers, and most companies don’t necessarily need to concern themselves with zero days, Honan said.

“We need to stop relying on the APTs and zero days as a sales piece. What we’re trying to do is build trust,” he said. “We need to share information and lessons learned, and not be worried about doing it in an open way that may not bring value. If we don’t, I fear we may have a bleak future ahead of us where we won’t trust anything anymore. We won’t trust our elections, our transport, anything.”

Discussion

  • Jason

    Equifax, D&T, and Yahoo are not victims. They are as culpable for their breaches as the criminals who compromised their systems. Those who trusted those organizations or whose data was entrusted to them are the victims. There is no sales pitch in requiring organizations to follow time tested standard practices. Use good authentication, patch your systems, and watch your systems. These companies chose not to, and they should be ashamed.
    • Will

      I disagree. If a gunman were to shoot up Yahoo! offices, would we blame them for having too lax security when it was revealed the gunman entered the building by running a Jeep through a wall? Would we all shake our heads and say on Twitter that they deserved it because they didn't have enough guards armed with high-caliber rifles? Or that they should have had thicker walls? Or that the office employees should have been wearing bulletproof vests, because similar incidents had happened at other office buildings in the past? No, we wouldn't, and if we did, *we* would be mocked as being unreasonable. The truth of the matter is that information systems grow organically and to some degree unexpectedly/unpredictably over time. Sure, we need better ways to manage security problems; that is not in doubt. But no company, no person, no government agency has proven itself to be bulletproof. If you worked at one of these breached entities, you would certainly have a different attitude. You would try to defend yourself from those who say it was your fault for getting hacked, and you would try to explain the operational realities of why these vulnerabilities were there for the picking, that each administrator was responsible for managing over 1000 hosts, and the public would only see it as excuses. We all use the same technologies. We all have common vulnerabilities and weaknesses. We are all in the same sinking ship. We all have undeniable interdependencies on the same core infrastructures. Either we figure this out as a community, or we all eventually go down with the ship. Get over it -- we can't put the exposed data from these breaches back in the bottle, so let's figure out how to make the data less valuable for attackers who succeed in breaching these organizations.
    • Matt

      Absolutely correct! Thank you, Jason! There is quite simply no excuse for the level of negligence and incompetence we have seen from some of these organizations.
    • Ashley Bye

      I've recently completed an MSc in Information Security, and this was the topic of my dissertation. In particular, it focused on developing a model for an engaged information security culture based on the aviation model for learning from mistakes. I agree with Brian's comments that developing similar practices within the information security community could be very beneficial in helping to reduce incidents, especially those with a recurring theme. The model has several subcultures, including a learning culture and a just culture. The former promotes learning from one's own and others' security incidents, and also from actions that, if left unchecked, could result in an incident. The latter sets the foundations for this by encouraging people to report and speak about incidents without fear of retribution or name-and-blame. That is not to say that punishment is always unwarranted, but it focuses on accountability (and I'd argue that resignation is not a means of accountability). I find it sad, therefore, that we continue to criticise organisations when they are subject to data breaches, and comments such as those made by Jason help fuel companies' secrecy and limit information sharing.
  • Lance

    I absolutely agree with Jason. As a Senior Security Engineer, I advise on these things a lot, and I get more companies saying NO because of the costs or whatever excuse they can come up with. They always want a "temporary" workaround, which ends up being the "permanent" fix.
  • Jeronimo

    It is incomprehensible that companies entrusted to safeguard our data failed to follow proper, standard, well-established security practices. Victims, they are not. Irresponsible, negligent, and just plain stupid. In the case of Equifax, they had a very important job to do, and given the sensitive nature of the information they were supposed to be protecting, it was clear what level of due diligence was required. I agree with information sharing in certain situations. But for stupidity, there is no such remedy.