Tuesday, September 12, 2017

Preventive Security - Alive or Dead


There are some new buzzwords in the cyber security industry today. Terms such as “data-driven security” and “security analytics” are at the forefront and are what all of the “cool” kids are talking about, while the “old-timers” dig in and continue to believe that all security problems can be solved with customary prevention and detection methods. So who’s right? The answer, at least to me, is that they both are. Both schools of thought are correct because implementing a data-driven defense strategy does not replace your existing preventive strategy. A data-driven cyber security framework only enhances and amplifies an organization’s existing cyber security strategy.
The 2016 Verizon Data Breach Investigations Report (VDBIR), which should be mandatory reading for all security professionals, uses a finalized data set made up of 64,199 (adjusted from over 100,000) security incidents, of which approximately 2600 (adjusted from 3,100) were confirmed data breaches. These numbers may seem staggering at first, and one could hardly blame anyone for concluding that preventive security measures are failing us, but as we dive further into the VDBIR and other industry reports the real picture becomes clear. It is not that preventive measures are failing organizations. The problem is usually that organizations, for whatever reason (budget, skill-set shortfall, etc.), are the ones dropping the ball when it comes to implementing preventive safeguards.
Active Data Breach Landscape
Let’s take a look at the data breach landscape over the last couple of years. Reporting from 2014-2015 shows that organizations were often extremely negligent when it came to implementing even the simplest of mandatory security prevention techniques. Take the US Office of Personnel Management (OPM) data breach, for example. This breach resulted in the loss of over 21 million records containing individuals’ Personally Identifiable Information (PII). The report filed by the Office of the Inspector General concluded that “OPM did not maintain a comprehensive inventory of servers, databases and network devices”. In reality, the auditors were unable to tell whether OPM even had a simple vulnerability scanning program in place. So, as we see with OPM, it is not that preventive security measures failed us. It was the improper (or, in OPM’s case, absent) implementation of preventive security measures that failed us, which unfortunately seems to be the “norm” rather than the exception these days.
With the assistance of data analytics we can clearly see that cybersecurity prevention is certainly not dead. What the data is telling us, though, is that across the industry we need to be more competent and proficient in implementing both our preventive and our detective security solutions and defenses. Only after this is accomplished will organizations be poised to overlay a data-driven cybersecurity framework and reap the rewards of becoming laser-focused on the most critical threats that may harm them.

Sunday, September 3, 2017

The Security Compliance Zombie


I recently had the opportunity to view a webinar where the topic was how to stop what was referred to as “compliance zombies”. We have all seen zombie movies. Zombies are unintelligent beings that march straight ahead, with no thought whatsoever as to what they are doing, to achieve a single objective. No thought. No deviation. Even if they are putting themselves at great risk.

Security compliance zombies do the exact same thing. They press forward with a set of vague guidelines just for the sake of being “compliant”, without really understanding what exactly they are doing and often, without intending to, putting their organization at risk. When it comes to security and compliance I believe a lot of us out there can relate to this type of zombie phenomenon, and I am speaking from experience.

Several years ago, when it came to securing the environment I was responsible for, I found myself behaving the exact same way. Being the lone security engineer responsible for ensuring that several small networks were both secure and “compliant” with applicable industry security standards, I found myself just pushing forward aimlessly, mandating controls and secure configuration guides without REALLY thinking about what it was that I was doing, and implementing what I believed the controls were stating because, hey, I was the security guy. I am supposed to know it all, right?

I wish I could say that I realized right away just how wrong that mindset was. But if I did I would be lying. It took longer than I care to admit. But I am happy to say that it all changed for me one day when I was challenged by one of the system engineers on a specific control that I said had to be implemented. The particular control addressed object reuse, and it stated:

“…the constant reallocation of objects is a security risk because residual data may remain when the object is reassigned to a new process after a previous process is finished with it. Clearing residual data from an object before reuse assures that system resources, in particular storage media, are allocated and reassigned…”.

And do you know what that system engineer had the gall to ask me? He asked me, “What does that mean and how do I apply it?” I will never forget that moment because I did not have a definitive answer for him. And to me, that was not acceptable. That’s the moment I realized I was acting like a zombie and things had to change.

It took some time, but I went back to my desk and traced that control, Object Reuse, all the way back to the NSA’s Rainbow Books. Then I sat down with that system engineer and provided him with a thorough explanation of not only the meaning of the control but its complete history, purpose, and applicability.
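The object reuse control quoted above, in code, as an added example that is not from the post or from any standard it cites: a small hypothetical C object pool in which releasing a slot either leaves the previous holder’s data behind (the missing control) or scrubs the slot through a volatile write before the next holder receives it. The pool, slot sizes and the secret string are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size object pool, constructed for this example. */
#define OBJ_SIZE 32
#define POOL_OBJS 4

static unsigned char pool[POOL_OBJS][OBJ_SIZE];
static int in_use[POOL_OBJS];

/* Clear through a volatile pointer so the compiler cannot drop the writes
 * as dead stores (the usual way a memset-before-release silently vanishes). */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Hand out the first free slot; NULL when the pool is exhausted. */
static unsigned char *pool_get(void) {
    for (int i = 0; i < POOL_OBJS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Release a slot. clear_on_release == 0 models the absent control: the slot
 * is marked free but its contents are left in place for the next holder. */
static void pool_put(unsigned char *obj, int clear_on_release) {
    int i = (int)((obj - &pool[0][0]) / OBJ_SIZE);
    if (clear_on_release) scrub(obj, OBJ_SIZE);
    in_use[i] = 0;
}

/* Two "processes" share the pool: the first stores a secret and releases its
 * object, the second is handed the same slot. Returns 1 if the second holder
 * can still read the first holder's secret, 0 if it was cleared. */
int residual_secret_visible(int clear_on_release) {
    static const char secret[] = "constructed-secret-42";
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);

    unsigned char *first = pool_get();
    memcpy(first, secret, sizeof secret);
    pool_put(first, clear_on_release);

    unsigned char *second = pool_get();        /* same slot is reused */
    return memcmp(second, secret, sizeof secret) == 0;
}

int main(void) {
    printf("without clearing: secret visible = %d\n", residual_secret_visible(0));
    printf("with clearing:    secret visible = %d\n", residual_secret_visible(1));
    return 0;
}
```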

So, you may be wondering, what is the cure for the security zombie? First, one needs to come to grips with the following statement: compliance does not equal security. I know it may come as a shock to some, but compliance is merely a snapshot of how your security program meets a set of general security requirements at a given moment in time. It does not mean your systems or data are by any means secure. Next, get ready to put in some serious work, because it’s time to gain a thorough understanding of the data, systems, and technologies you are tasked to protect. It’s time to start reading documents like secure configuration guides (e.g. STIGs and ICS Benchmarks) and RFC documents, all while you start to learn and understand things about your environment such as who has access and where the weak points of the systems are.

Does this all sound familiar? Are you a security zombie? If so, it’s time to cure yourself and your career of that dreaded disease. It’s time to begin to understand what threats and vulnerabilities are and which ones are applicable to your environment. It is finally time to put in the time and the effort to understand how the threats pertinent to your environment operate, so that you can finally start to design and build the proper defensive solutions.
