A few weeks ago, I received a meeting request on behalf of one of our customers directly from an auditor. I know that there are people who dread meeting with auditors, but I actually enjoy these conversations because I get a chance to describe, in detail, the features within our software that enable the protection of data in all states – at rest, in transit and in use. More importantly, I get the opportunity to talk about security best practices and how to easily adopt a defense-in-depth security posture.
If one layer of an environment is compromised, there are several other layers that an attacker would have to painstakingly get through in order to reach an asset inside a file server or database. Additionally, I discuss how to configure security environments according to the principle of least privilege, where each user has only as much authority as is strictly necessary for their role. Can you tell I enjoy these talks?
This particular interaction, however, somewhat discouraged me. While the auditor had asked some great questions indicating that he, and the organization he represents, cared a great deal about information security, I discovered towards the end of the conversation that he was using outdated software. If there is one takeaway from the major security breaches of 2017, it is that keeping your hardware and software up to date is immensely important. Although the auditor was able to check many of the boxes on his compliance document, a number of features remained that could benefit the security posture of his organization – if only their software were up to date. Was he compliant? Sure. Was the organization at risk? Yes. The best analogy for this would be riding a motorcycle wearing nothing but a helmet. In the event of an accident, he won’t receive a ticket for not wearing a helmet … but he’s going to be dealing with really gnarly road rash.
Gaining security insights from martial arts
Many moons ago, I worked my way up to the rank of blue belt as a martial artist in the Kajukenpo style. I read books, poems and quotes by the legendary martial artist and actor, Bruce Lee. It is surprising how many parallels there are between the battle against your sparring opponent in the dojo and the battle against cybercriminals in the workplace. I’d like to examine some of Bruce Lee’s most famous quotes and discuss how they could be interpreted in regard to information security.
“There is no such thing as maturity. There is instead an ever-evolving process of maturing. Because when there is a maturity, there is a conclusion and a cessation. That’s the end. That’s when the coffin is closed. You might be deteriorating physically in the long process of aging, but your personal process of daily discovery is ongoing. You continue to learn more and more about yourself every day.”
— From The Warrior Within: The Philosophies of Bruce Lee (1996), p. 131
Too often, compliance with national or industry standards is seen as an end goal, when it should instead be viewed as the foundation. We can use the recent Equifax breach as an example of this. Imagine that you are a compliance analyst or auditor and need to verify that an organization is doing security reviews. You would include the question, “Do you perform security reviews?” in a security and compliance questionnaire. The two organizations that you are interviewing both respond with “Yes,” which would seem to mean they are at a lower risk of breach. However, that does not necessarily follow. In the investigation of the recent Equifax breach, it was determined that Equifax was doing security reviews, but only once per quarter. As Lily Hay Newman of wired.com put it, “Four meetings a year to defend hundreds of millions of people’s crucial personal information gets you exactly the type of security posture Equifax had.” Equifax may have been marked compliant with the requirement to hold security reviews, but in this instance it was not planning to scale those reviews or planning appropriately for the future. It should have followed Bruce Lee’s advice and continued to look for more opportunities to mature, including holding security reviews more often.
“You have to keep your reflexes so that when you want it — it’s there. When you want to move — you are moving. And when you move, you are determined to move! Not accepting even one inch less than 100 percent of your honest feelings. Not anything less than that. So that is the type of thing you have to train yourself into. To become one with your feelings so that, when you think — it is.”
— From The Warrior Within: The Philosophies of Bruce Lee (1996), p. 126
A strong, forward-thinking security stance requires strategic action plans. What will you do if and when a security vulnerability is found internally? Who will fix it? How will you ensure that it is fixed in a timely manner? How and when will you inform customers affected by the vulnerability? How will you train your organization so that similar vulnerabilities are not introduced in the future? How will you ensure that future vulnerabilities are found quickly?
These are all valid questions organizations should pose when putting together security plans, so that if any vulnerabilities are found or a breach happens, you are prepared and know the best approach to resolve the situation. Bruce Lee teaches us to act quickly when the opportunity is present. Don’t wish for security to happen, make security happen.
“Running water never grows stale. So you just have to ‘keep on flowing.’”
— From The Warrior Within: The Philosophies of Bruce Lee (1996), p. 48
Information security is a cat-and-mouse game. As soon as one vulnerability is patched, cybercriminals begin looking for another one to exploit. The bad guys often outnumber you, and they are constantly evolving their methods. There are thousands of potential attackers, and they only need to succeed once. An organization’s security team is smaller, and it must succeed every time in order to withstand a cyberattack. A recent Ponemon Institute study found that the average cyberattack persists for 90 hours before the attackers give up in search of a softer target. Security officers at organizations need to determine whether they are able to hold off an attack for 90 hours. It is important to follow Bruce Lee’s advice: be like running water and keep on flowing. Do not settle or become stagnant. Instead, continue to adapt and evolve in order to decrease the risk of becoming a cyberattack victim.
“You must have complete determination. The worst opponent you can come across is one whose aim has become an obsession. For instance, if a man has decided that he is going to bite off your nose no matter what happens to him in the process, the chances are he will succeed in doing it. He may be severely beaten up, too, but that will not stop him from carrying out his objective. That is the real fighter.”
— From The Warrior Within: The Philosophies of Bruce Lee (1996), p. 161
Know your opponent. Whom are you fighting? The auditors or the hackers? If you are seeking to satisfy the requirements of an audit, you will have the opportunity to meet, talk shop and, in a worst-case scenario, incur fines. You will receive no such pleasantries in the battle against cybercrime. If your layers of defense are breached, you can be sure that cybercriminals will steal everything that they can until they are detected. It is common for an attacker to steal a database and sell valuable data like credit card numbers and Social Security numbers on the dark web. The costs of a breach – investigation, remediation, loss of reputation, lawsuits, etc. – are massive. Organizations, some valued in the hundreds of millions, have ceased to exist after a severe breach.
Achieving compliance is a great baseline, but it is only the first step in building a security foundation. The real opponents, focused on biting your nose off, are the cybercriminals. Your goal should be to thwart them at all costs. To do that, you must properly layer your defenses.
This article originally appeared in the November 2017 issue of Workflow.