This blog entry saw a ton of views, so I thought it worth updating and republishing. We called this our Christmas Wish List, but very much falls more inline with our wish list for 2017. We hope you enjoy the read.
It’s that time of year again, when we place our faith and trust in imaginary entities who always deliver exactly what is needed, under impossible circumstances, just in the nick of time. Why should wishes and dreams be limited to children’s toys? Don’t cyber security nerds and digital janitors deserve a little holiday magic too? As I close my eyes and think about what could be, I wish…
*********************************************************
It’s that time of year again, when we place our faith and trust in imaginary entities who always deliver exactly what is needed, under impossible circumstances, just in the nick of time. Why should wishes and dreams be limited to children’s toys? Don’t cyber security nerds and digital janitors deserve a little holiday magic too? As I close my eyes and think about what could be, I wish…
…for more emphasis on blocking and tackling. Patch your systems in a timely manner. When reminded to upgrade a system, or update a software application, do it as soon as possible. Close unused ports. There are dozens of very unglamorous things you are not doing that would make getting pwned so much more difficult. I know people use the term “rock star” a lot in this field, but we’re all a lot more Howard than Mick.
…for greater accountability at all levels. Bosses: walk the walk. Don’t say computer security is important and then force IT to make special exceptions for you. Your people do what you do more than they do what you say. Employees: Just because it’s a “cyber” policy doesn’t mean it should not be taken seriously. “Cyber” doesn’t mean “not real.” If anything it means the repercussions for not complying are likely to be disproportionate to whatever the meat-space analog would be.
…for more sharing and collaboration. Join your industry ISAC. Join a private industry sharing initiative like Red Sky Alliance. Go to pertinent Meet-ups and connect (I didn’t say “network”) with people who can help you and who you can help. I don’t care how good you think you are, you’re not going to make it on your own.
…practitioners would remember that they work for businesses, not security businesses. Anything you propose that precludes people getting things done or impedes their ability to make money is a non-starter. Learn the business, then apply security principles to it. Cyber security is not the issue we think it is, and no amount of wishful thinking is going to change that.
…more people would do threat modeling. Don’t buy the hot thing because you saw it on an airport billboard. Don’t follow a given practice because you heard it stops the APTs. You and your business are a target, but for whom? What are their motivations? What are they capable of? You don’t bring a knife to a gun fight; you’re equally foolish if you buy a tank to fight a roach infestation.
…more people would understand what real intelligence is and use it. Intelligence is not a feed. It is not an aggregation of feeds. Intelligence is a product of human minds applying various methodologies to data in order to provide context and meaning in order to help you make sound decisions. You can’t understand the threat, what risks you face, or what technologies or strategies will help you if you’re not consuming intelligence.
…organizations would inject more realism and rigor in their security testing regimens. Once you know who or what you’re up against, test yourself against that same caliber of threat. Serious bad actors don’t look or sound anything like a pen test. If your adversaries are high-end, understand that they do their homework, they put in the time, and they understand ROI. If you’re not training to fight peer or superior adversaries, you’re setting yourself up for failure.
…organizations would implement more effective security training. You can’t hold people accountable for security violations if they don’t know what a violation is. What’s good security practice and what’s negligence or malfeasance? Good training in cyber security doesn’t have to be expensive or time-consuming or onerous. You wouldn’t take someone off the street, throw them into a machine shop, and expect them to have all their fingers at the end of the week, but you pay lip service to security training and wonder why people are constantly falling for phishing schemes and plugging in those USB sticks they find in the parking lot.
…for more open mindedness in our field. If you listen to most people in cyber security it’s obvious what the solution to problem X is: just do what they say. That would be great if the world revolved around one person and there weren’t a million different factors that impact the ability to implement said solution in a non-catastrophic way. We spend way too much time fighting each other, blowing things out of proportion, and making up controversies than we do addressing actual problems. There is plenty of blame to go around, but if you’re not giving an inch or walking a mile in someone else’s proverbial shoes, you’re probably not really doing everything you can to advance the cause.
Now if you’ll excuse me, I’ve got to go prepare for the shenanigans of Stekkjarstaur, Giljagaur and Bjugnakraekir.