Cyber Security Quotes: “Life is NOT like a box of chocolates”
Finding good cyber security quotes is much harder than finding good movie quotes. The classic film quote “Life is like a box of chocolates” in Forrest Gump became an instantly recognisable line and scene; the naïve and uncomplicated Forrest Gump – runner, shrimp fisherman, husband and father – having met presidents and fought in wars – sits simply on a bench and observes, to those who sit next to him, that his mother said “Life is like a box of chocolates, you never know what you’re gonna get”. Cyber security quotes, like movie quotes, can be equally as enlightening.
In the period post-Christmas, when boxes of chocolates are (in the Huntsman Security office at least) a close memory, it occurred to me that in cyber security life is seldom like a box of chocolates. It might work as a movie quote – but it doesn’t really fit the narrative as a cyber security quote.
In fact there is a dreary predictability to the results of organisations’ cyber security efforts that paints a far less glossy picture than Hollywood could ever make into a feel good movie… if cyber security were like a box of chocolates it would be full of Turkish delights, chewy toffee nougat surprises and coffee flavour Revels.
Cyber security quotes: “In security you know exactly what you are going to get”
The reality is that for some time in cyber security there has been an acknowledgement that all organisations will at some point be hacked, lose data or suffer some form of breach or denial-of-service attack. No one is immune, even the most security critical (NSA) the most sensitive (OPM), the most privacy and breach aware (Equifax) or the most high profile (Trump).
So you ARE going to get a chocolate with a nutty, chewy, hard centre that everyone has been trying to avoid and then have to deal with the cyber security equivalent of trying to get the bits of nut and toffee out of your teeth. See http://www.huntsmansecurity.com/data-breach-notifications-numbers-hard-facts/
If you have vulnerabilities they will be exploited
There is a constant battle to keep systems up to date – not just the operating systems, but applications as well; not just workstations but servers and operational systems; all vendors; data centres and remote locations; connected and unconnected.
For many security teams this challenge alone – either the doing of it or the checking/auditing of it – is a massive overhead. Of course the one system that is missed, the one patch that isn’t applied or the one un-patchable system that has to be left exposed will be the one that leads to a breach as it is found and compromised.
As the furore around Spectre and Meltdown circulate, barely has the last of the Christmas chocolates been eaten (even the Bounties) and the IT industry is having to deal with a patching problem that is as broad and deep as an ocean of shrimp and as painful to fix as running across the United States to the ocean and back again.
Users will NOT choose good passwords (ever)
…and if they do, they will choose one and repeat it everywhere, or write it down, or append a sequence number when they change it – or share it with colleagues.
Passwords are not a great solution. IT people know it, security teams know it, users know it and helpdesks that have to reset passwords and unlock accounts certainly know it.
Security issues associated with the use of passwords are starting to become less problematic – as things like biometrics have found their way onto mobile phones, password managers become more widespread and two-factor systems are catching on to improve the strength of authentication.
However, we have not seen the last password database being dumped on the Internet, nor will password choice improve significantly as people have to remember more and more or change them less frequently. Passwords really are the Turkish delight of the cyber security chocolate box – unpalatable to just about everyone.
In some cases, especially where no one likes coconut, the number of passwords to remember can feel like the time when there are so many left over Bounty Celebrations and blue Quality Street that you know exactly what you are going to get, and it is going to be horrible.
We are, as a cyber security industry and as users, still a bit too reliant on passwords to be able to resolve the fundamental challenge of validating a user and allowing them access or not based on “something they know”. See our post on multi-factor authentication.
Application developers and designers are not security people
If you receive, buy, download or commission a software application, system design or architecture then it is highly likely to be attackable in some way.
Part of the reason for this is that software (and you can include systems, and devices) is often designed and created by people who are highly skilled at software design or development but who aren’t security people that are expert in defending systems or even in attacking them (or seeing how they might fail).
We can see this in the recent Intel chip issue mentioned above – the hardware/chip designer created an approach that optimised performance and gained speed, but opened a weakness that was compounded by insecure controls within the design/implementation itself.
This is a big deal because it affects so many devices, systems, operating systems and users. However it would be the last design or implementation flaw that makes its way from the drawing board or development studio into production.
You will, if you are using software of any sort, get shot in the buttocks (metaphorically speaking) at some point and have to answer questions about it (hopefully not from the President on national TV as Forrest did).
Awareness and education only go so far in securing behaviour
“Stupid is as stupid does” seems a little harsh to describe user behaviour in cyber security terms (it might be a great movie quote, but it is a little bit unfriendly as a cyber security quote). The reality is that while we have invested (and must continue investing) in staff training, awareness and education around cyber security and compliance there is a limit to what can be achieved.
Many good things have come out of the efforts in this space; the understanding of psychology, ways to encourage conformance rather than enforce compliance, making security “socially acceptable” when choosing passwords, securing laptops or looking after data on mobile devices.
There is still work to do of course – the number of passwords that are written down or laptops that are left unattended or unlocked is still too high. People still click on things they shouldn’t without checking and there is almost always sensitive data on home PCs and cloud storage systems that organisations are rightly nervous about.
However the challenge with many of the more critical issues, like drive-by downloads, clicking on emails, links or opening attachments is that the attackers are clever and able to create phishing, spear fishing or other malicious delivery channels that look credible or real to the user and hence subvert standard staff awareness training advice. In short, attacks are being designed to circumvent the suspicions of an educated user by not being suspicious.
This doesn’t mean users are stupid (whatever the help desk might assert) just that the attacker can be clever enough to fool some of the people some of the time – and if they just need to fool one person once to gain a foothold for an attack then that might be enough.
Is cyber security like “like a box of chocolates” as in the quote?
The reality, as we’ve outlined, is that far from being full of surprises there is a looming inevitability around the nature, prevalence, frequency and likelihood of cyber attacks – both unsuccessful and successful.
We can liken the asymmetry between attackers and defenders as an attacker having to only find one nice chocolate with a delicious centre (perhaps a vulnerability they can exploit or a user they can dupe) whereas the defender has to get through the whole box without ending up with even a single macadamia nougat surprise (they have to be able to defend all systems, close all vulnerabilities and spot all attacks all of the time).
This rather negative view can be offset by the fact that there are now many solutions to every aspect of the cyber security problem space – solutions that detect and/or prevent attacks or exploits of various types in network traffic, on platforms or on the endpoint systems that users access; monitoring solutions that gather log, activity or network data and analyse for both known and unknown attacks; workflow, automation and orchestration solutions that can support overworked security operations teams to investigate and respond to alerts and threats.
So the other way of looking at “cyber security being like a box of chocolates” is that there is a wide choice of solutions on the menu card that address a variety of issues and tastes, both technical, process oriented and in the way people design, build or interact with systems and data.
The trick is making sure you are on the front foot – and able to undertake the operational and project elements of cyber security in such a way that you are able to demonstrate intelligence, effectiveness and efficiency in the way threats are detected, verified and countered and in harmony with the wider business goals and objectives.
You don’t need to eat ALL the cyber security chocolates (even if you want all the chocolates); but on the other hand nobody wants to be left with 4 Bounties that they don’t like. See http://metro.co.uk/2016/12/25/celebrations-chocolates-ranked-from-worst-to-best-6343823/
So if you want the security control equivalent of the orange crème and vanilla truffle (i.e. the good ones) then 2018 is a year where the latest round of cyber security attacks, the recent breaches, the upcoming compliance drivers and the growing level of technology sophistication mean that getting stuck in is going to be important.
Bounty – No one likes you!