Hello World, of Sorts
After years of being a vocal critic of the deficient cybersecurity within the physical security industry (some would say curmudgeon), 2018 marks the end of an era. In the sea of topics, ranging from banana cables to communication protocols to IP Camera bandwidth, the industry has now embraced that cybersecurity should be part of “the” discussion. No doubt that is a positive step that many are celebrating, but there’s definitely a hangover phase most aren’t yet seeing.
In speaking with many people in the industry, ranging from end users to vendors and integrators alike, there’s a mix of confidence and confusion. On one side, some are under the impression that air-gapping their network and locking down ports is an adequate prescription. On the other side, some want a summarized “top 3” to execute. Side note: the items just mentioned usually make the “top 3”. Yep, only three (more on that in an upcoming post on misconceptions).
This industry loves to oversimplify.
Really? Are we really going to tackle cybersecurity and combat hackers with 3 bullets? It’s misleading and going to get a lot of organizations and careers in trouble. If you’ve ever sat through one of my presentations, my “about me” slide almost always has the tagline “Optics are easy, but good security is hard.” Translation: Doing cyber things and saying that you’re secure is easy, but real cybersecurity and the work involved are actually quite complex and challenging. This is why there are teams of 1,000 InfoSec professionals in a Fortune 500 company and they still get hacked.
Not long ago, I was interviewed by a physical security magazine. The reporter interviewed several people, and one of the questions was: “What are the top misconceptions about cybersecurity in the industry?” In a subsequent conversation (after they had spoken to a variety of people), the editor revealed that one of the answers was “that cybersecurity is too complex (so why bother doing it)?” The assertion was that it’s a misconception to believe that cybersecurity is overly complex and therefore a futile effort. I countered that it wasn’t a misconception: the sense that cybersecurity is complex is fairly accurate; what’s inaccurate is the assumption that the right response is to take no action. My suggestion was to change it to “since cybersecurity is complex, many think they can’t tackle it.”
I recall another instance where I had provided graphics to a magazine (at their request) illustrating the attack surface (the scope of what can be attacked, mapped by example to cursory methods). I considered it extremely basic, if not deficient for any other purpose. Their reaction was that it was overly complex because it contained a couple of words that they knew their readership wasn’t familiar with. Nothing outlandish, just things like SQL injection or XSS, perhaps the most common attack methods, and how they relate to what can be attacked. So, they wanted me to pare it down to only what their audience already knew, which I did (it took a couple of revisions to reach something they found acceptable).
The Acceptance Hangover
I get what’s going on here, and their intentions are good. In both instances, they disclosed that they don’t want to seem overly complex and turn their readers off. So, I asked, “how do we bring an industry forward if we obscure basic concepts from view?” We don’t need to bury readers in detail, but a couple of nuggets here and there that require a Google search shouldn’t be where the line is drawn between educating and holding things back.
I explained that when I started out in ethical hacking, I’d go to DEFCON, BSides, etc. and understand only about 5% of what people were talking about. I was scrambling to understand this word, that concept, or that method; I was pretty lost. But I can’t imagine a better experience, because it was 95% upside in new information. Little by little, I could synthesize bigger pieces of those conversations. Talk to any hacker and they’ll tell you they’re still chasing down nuggets, and that it seemingly never stops, because cybersecurity threats, methods, and priorities are always under the influence of a variety of headwinds at any given time (vulnerabilities, defects, discoveries, creativity, etc.). Not being the smartest person in the room has more benefits than hanging out in a room where you feel smart, if you embrace it.
The Hangover Tonic
The industry desperately needs to realize, quickly, that cybersecurity is quite a bit like heart surgery: success depends on knowing the ugly truth and adopting practices that are fairly procedural. For anyone serious about good security, we don’t solve any issues by dressing up the reality. For those who don’t really have goals of high security, well, that’s a different story, but seldom will you find anyone who says, “My goals are low security.” So…
I also find it interesting that people in the industry feel this is some new daunting journey. The reality is IT already went down this path. The industry will predictably mimic the same ups and downs, but ironically could elect to have an easier time of it by looking at the lessons that were learned. While that part of it is fairly academic, culture is a much more challenging aspect. We’ll continue to see people trying to manage perception, either with good intent or trying to capitalize on it.
The Dreaded Hype Cycle Is Coming
The bottom line here is that just like any 12-step program, the first step is to stop the denial process by recognizing that you have a problem. The second step must start with honesty, not just to others but to ourselves. It’s called getting real – and we’re not there quite yet.
One of the inevitable phases that I dread is the “cyber expert vacuum effect”. It predictably comes right after Step 1 but before Step 2, and it’s already started. Now that vendors know they have to talk about “cyber”, they’ve anointed people with new titles that have “cyber” in them and updated claims asserting that systems are “cyber secured”. All of a sudden, as if by magic, on time frames that I know aren’t possible.
Products don’t become secure overnight, nor are people transformed into experts as quickly. The most honest statement that I can think of is one told to me years ago by someone I respect very much. He has spent years in the trenches and is extremely talented; if anyone could claim to be an expert, he could… but he won’t. He told me, “the more I see and know about security, the more I realize how much I don’t know. This stuff is really complex and anyone telling you they have it nailed to where it’s simple isn’t doing it right.”
So, the point is, even he never feels like an expert and hates to be represented as one, because he knows that saying “I don’t know” is never more than a moment away. My point is: THAT’S OK! What’s not ok is mischaracterizing the situation or misrepresenting our ability to deal with it.
The advice that I give to clients looking to embrace cybersecurity in the physical realm and take an honest approach focused on results is – don’t depend on vendors to get you “there.” You can’t buy your way to good security, and while vendor products are an important piece, they shouldn’t define or govern the state of your security. Otherwise, how do you know if they’re doing a good job?
Rather, it comes down to instituting fundamentals into a focused program. Start by defining what good security means to you – be specific. Then develop some metrics to measure your current state against where you need to be. Make sure to take inventory of assets, threats, controls, processes, and then prioritize technology and people. This remediates the most common failures that I see across even my largest clients.
Sure, we all have specific vulnerabilities that need to be tackled immediately. And who has the time to go through a significant planning and study phase to address items screaming “hack me”? I’m not advising you to look the other way while building a master plan. If they’re obvious (or become obvious, which many in this industry are if you look closely enough), then address them straight away. Just realize that the program will mandate revisiting those items to ensure that they fit within your defined program and operations.
So, don’t get too entrenched or committed to a platform while playing whack-a-mole. If you start with the fundamentals, you’ll have a much more accurate picture that defines the complexity, upgrades, and projected outcomes, and, perhaps most importantly, lets you qualify the people advising you and the advice they give.
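As an added worked example (not the author’s tooling, and not something the post itself provides), here is the program loop from the “fundamentals” paragraph reduced to code: a weighted list of required controls stands in for “what good security means,” a constructed inventory of physical-security devices is measured against it, and remediation is ranked by missing controls scaled by exposure. The control names, weights, exposure scale, and every device in the inventory are assumptions chosen for illustration, not real systems. One deliberate choice worth noting: a control whose status was never recorded counts as missing, because “we never checked” is not the same as “in place.”

```python
"""Gap assessment for a physical-security device fleet.

Added example, not from the original post.  Control names, weights, the
exposure scale and the inventory are all assumed for illustration.
"""
from dataclasses import dataclass

# Step 1: define "good security" for this program as required controls with
# weights.  Weights are assumed values expressing how much each control matters.
REQUIRED_CONTROLS = {
    "default_credentials_changed": 5,
    "network_segmented": 4,
    "firmware_current": 3,
    "unused_services_disabled": 2,
    "logging_forwarded": 2,
}
TOTAL_WEIGHT = sum(REQUIRED_CONTROLS.values())

# Assumed exposure scale: how reachable the asset is to an attacker.
EXPOSURE_MULTIPLIER = {"internet": 3, "corporate": 2, "isolated": 1}


@dataclass
class Asset:
    name: str
    kind: str
    exposure: str
    controls: dict  # control name -> True if verified in place; absent = unknown

    def __post_init__(self):
        # Fail loudly on inventory mistakes rather than silently scoring them.
        if self.exposure not in EXPOSURE_MULTIPLIER:
            raise ValueError(f"{self.name}: unknown exposure {self.exposure!r}")
        unknown = set(self.controls) - set(REQUIRED_CONTROLS)
        if unknown:
            raise ValueError(f"{self.name}: unrecognised controls {sorted(unknown)}")


def gaps(asset):
    """Required controls not verified on the asset, heaviest first.
    A control with no recorded status counts as missing: unknown is not secure."""
    missing = [c for c in REQUIRED_CONTROLS if not asset.controls.get(c, False)]
    return sorted(missing, key=lambda c: -REQUIRED_CONTROLS[c])


def coverage(asset):
    """Step 2 metric: fraction of control weight verified in place (0.0 to 1.0)."""
    missing_weight = sum(REQUIRED_CONTROLS[c] for c in gaps(asset))
    return (TOTAL_WEIGHT - missing_weight) / TOTAL_WEIGHT


def risk(asset):
    """Missing control weight scaled by exposure; drives remediation order."""
    missing_weight = sum(REQUIRED_CONTROLS[c] for c in gaps(asset))
    return missing_weight * EXPOSURE_MULTIPLIER[asset.exposure]


def prioritize(assets):
    """Step 3: remediation order, highest risk first, as (name, risk, gaps)."""
    ranked = sorted(assets, key=lambda a: (-risk(a), a.name))
    return [(a.name, risk(a), gaps(a)) for a in ranked]


def control_coverage(assets):
    """Fleet-wide view: fraction of assets on which each control is verified.
    The lowest entries are program-level failures, not one device's problem."""
    n = len(assets)
    return {
        c: sum(1 for a in assets if a.controls.get(c, False)) / n
        for c in REQUIRED_CONTROLS
    }


# Constructed inventory for illustration; these are not real devices.
INVENTORY = [
    Asset("cam-lobby-01", "ip_camera", "internet",
          {"default_credentials_changed": False, "firmware_current": False,
           "network_segmented": False, "unused_services_disabled": True,
           "logging_forwarded": False}),
    Asset("cam-dock-07", "ip_camera", "corporate",
          {"default_credentials_changed": True, "network_segmented": True,
           "unused_services_disabled": True}),  # firmware/logging never checked
    Asset("nvr-main", "nvr", "corporate",
          {"default_credentials_changed": True, "firmware_current": True,
           "network_segmented": True, "unused_services_disabled": True,
           "logging_forwarded": False}),
    Asset("acs-panel-02", "access_controller", "isolated",
          {"default_credentials_changed": False, "firmware_current": True,
           "network_segmented": True, "unused_services_disabled": False,
           "logging_forwarded": True}),
]

if __name__ == "__main__":
    for name, r, missing in prioritize(INVENTORY):
        print(f"{name:14} coverage-risk={r:3} missing={missing}")
    fleet = control_coverage(INVENTORY)
    for control, frac in sorted(fleet.items(), key=lambda kv: kv[1]):
        print(f"{control:28} verified on {frac:.0%} of assets")
```

Running it puts the internet-reachable camera with factory credentials at the top of the list, which matches the “address the obvious straight away” advice, while the fleet-wide table shows that log forwarding is the control most often absent, which is the kind of program-level gap that whack-a-mole on individual devices never surfaces.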