'Assume the Humans are Human and Bad Things Will Happen'
There is a fascination in the security industry with the threats and actors that reside at the top of the pyramid, the apex predators who employ the most sophisticated tools and tactics and have the budgets and patience to penetrate the hardest of targets. The fancier the bear, the more attention it attracts. But, for most organizations, the threats they face on a daily basis are far more mundane, if no less difficult to address.
Those threats come in the form of everyday issues such as someone typing a password into the wrong website, clicking on a link in a phishing email, or inadvertently sharing a sensitive document with the wrong person. They may not be as interesting as an APT team spending months to develop and execute a software supply chain attack, but the consequences can be just as dire. And for most security teams, defending against those unsexy threats is the core of their mission and occupies the bulk of their time.
But despite decades of work on defending against everyday threats, many modern networks still are not built to be resilient against them and one mistake or minor intrusion can have devastating, cascading effects. The time to address that issue was 20 years ago, but the next best time is now.
“I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen,” Rob Joyce, the director of cybersecurity at the NSA, said during a discussion at the Center for Strategic and International Studies on Tuesday.
Though there is no small amount of cognitive dissonance involved in hearing the director of cybersecurity at the nation’s premier signals intelligence agency make that kind of statement, it’s a mantra that many in the security community have adopted and have been repeating in one form or another for many years. Worrying about what Russian or Chinese or North Korean or Iranian APT groups are plotting will mainly serve to prematurely age the security team members and likely do little to actually secure the organization's network. It’s the small, boring, practical measures, implemented day by day and practiced year after year that often make the difference in making a network resilient and resistant to attacks.
But another challenge lies in wait there: money.
“The infosec team in most organizations is lucky if it gets six percent of the IT budget, and probably 25 percent of that will go to antivirus and firewall licenses. It doesn’t leave a lot of money for other things. The money dries up fast. Do they want to do the right thing? Hell yes. But it’s about meeting what the risks are for the organizations,” said Dave Lewis, advisory CISO at Cisco.
“The low-hanging fruit is what they should be picking off, but many people tend to focus on the high end threats.”
"You’ve got to design your architecture to assume the humans are humans and bad things will happen."
The challenge in building networks and security processes that are resilient by design is both a human one and a technological one. Technology often changes and advances more quickly than humans do, and adapting to those changes can be difficult. The shift to the cloud in the last decade has transformed many organizations’ IT strategies and presented new challenges for security teams who now find much of their data’s security in the hands of Amazon or Google or Microsoft.
“The current push for secure by design is something we’ve got to apply to the cloud and it starts with secure by default. Cloud deployments are often optimized for ease of use rather than security. Those companies are getting better about the default being secure, but we’re not all the way there,” Joyce said.
The same obviously applies to the on-premises portions of corporate networks, and finding ways to make life easier and more secure for users starts with figuring out what assets the organization actually owns and where they are. That’s no small task for many organizations, especially those with distributed operations and years or decades of accumulated stuff.
“We talk about building resilient networks, but how do you secure anything if you don’t know what you have?” Lewis said. “Many people don’t know these basics because we suck at capturing lessons learned and passing them on. A lot of security practices are tactical and not strategic and there’s no strategic vision behind them.”
In a plot twist few would have seen coming a few years ago, NSA is actively involved in trying to help enterprises make this shift, defend themselves more efficiently, and be more pragmatic about their security practices. The agency is sharing more of its security knowledge publicly than it ever has before and Joyce said there is more to come.
“We work hard at getting those secrets sanitized so they can get actioned. We don’t just throw it over the fence. We’ve learned that lesson. What we know is not nearly as secret as how we know it and we never unbundled that in the past,” Joyce said.
“The most useful thing is context. If we can point to something and explain in a classified exchange why something is important, then all of us can work in an unclassified environment to stop it. We have to continue getting faster at taking things that are sensitive and getting them into the operational space. That’s really where we’ve got to be.”