This Cybersecurity Medicine Might Be Tough To Swallow

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://techcrunch.com/2014/12/31/this-cybersecurity-medicine-might-be-tough-to-swallow/

Imagine you’re the CEO of a thriving company and you’ve been horrified by
the news of the Sony hack, the Target breach and the litany of security
issues that have plagued big companies in recent years. You swear you’re
going to do whatever’s necessary to make sure it won’t happen to your
company. But do you realize what that really means?

At a holiday party, a guy starts chatting you up while you’re working on
your fourth martini. And he speaks directly to your fears. He knows someone
who could help you out with your security problems — make it so that you
would never suffer the fate of those poor suckers at those other companies.
You have to admit, you’re intrigued because you never want to be in the
position of explaining to your board of directors why you were the latest
victim.

You get the name and run a background check and find out she’s good. Very
good. Her experience includes stints with military intelligence, the NSA
and a number of successful security startups. You’re ready to write the
check just to hear her pearls of wisdom.

The day finally arrives and your assistant shows the consultant into your
office where she quickly takes a seat, takes a speck of dust off her pants
and looks you in the eye.

“You’re really willing to do whatever I say?” she asks.

You tell her that if she has a plan, you’ll follow it. You wait anxiously
to hear what she’s going to say.

The first thing you need to do, she tells you, is disconnect from the
Internet. Before you can object, she holds up a hand and asks that you let
her finish. You start to sweat, and she keeps going.

You’ll need to take away all of the laptops. There will be no smartphones
or tablets allowed in the building. You’ll use desktop computers without
USB ports or DVD drives. There should be no way that you can save to an
external device. Everything will be connected on a highly secure,
completely private internal network accessible with two-factor
authentication.

You won’t use any cloud services and there will be absolutely no mobile
apps. If you run a website, you will keep it simple and with very little
information. Contact information will be through a form and you won’t have
an address for the company beyond a post office box.

You will hire highly skilled security personnel. Everyone will leave their
phones at the door on the way into the building — including you. Everyone
will be searched entering and leaving the building — including you. No
exceptions. You will put cameras everywhere and you will have your security
staff monitor them in a control room to make sure nobody is doing anything
suspicious.

Anyone caught with a prohibited device will be fired immediately.

You will keep partnerships to a minimum, and all guests, including
customers, will be subjected to the same strict security regimen, and no
one will be allowed to carry any devices of any kind inside.

“I couldn’t possibly do that,” you say to her wide-eyed. “I would be
sacrificing my entire business, handicapping and harassing my employees and
my customers, all in the name of protecting my company.”

“So it seems you wouldn’t do whatever it takes, would you?”

—

Playing Security Chess

So if you can’t lock down your company, what can you do?

You have to give up the notion of complete security and place your bets on
things you can control because there is an organized effort to attack your
networks. And depending on your type of business, the more determined these
parties might be.

Yet it seems that the further we advance technologically, the less secure
we become. David Cowan a partner with venture capital firm Bessemer
Ventures says one of the reasons for that is because technology has become
so intertwined in our lives.

“Broadly speaking we are adopting technology that’s becoming more and more
pervasive in our lives and jobs. The opportunities for cybercrime, mischief
and [mayhem] has grown over the years and there is more motivation to do
so,” he told me.

As Cowan explained, back in the 90s, hacking was about ego, but over time
it has evolved to include fraud, identity theft and other criminal activity
— and more recently nation-states partaking in surveillance and organized
cyber-mayhem.

But as one security startup CEO told me recently, we are doing better than
we think. You may find that hard to believe if you’re a CEO trying
desperately to avoid being tomorrow’s headline. But he described a giant
chess match between the people trying to get into our computer systems and
those trying to keep them out.

As bad as it seems today, this security executive says if it weren’t for
the checks and balances that security companies have put in place, it would
be far worse and we couldn’t be using the internet to conduct business the
way we do.

Walking the Security Tightrope

So we are left with a balancing act: We can’t be stupid, but neither can we
sacrifice the business in the name of protecting it. As Cowan explains,
security isn’t your highest priority as an organization. Being a good
company is your first priority, and security should be part of that.

“Job one should be providing functionality your users need to get jobs done
and have good experience. For most of the interesting applications in the
world, trust is an integral part of good user experience,” he said. And if
you want to be trusted, security needs to be at least an important
component.

> From a broader perspective, you cannot have a completely secure company
that has been stripped of internal freedom, precisely for the same reason
you cannot have a democratic society that is safe from any attack and
maintain anything approaching privacy. If you decide, as our example above
highlights, that you will do anything to be secure, you end up with a
company so locked down that it will not be able to maintain a staff, let
alone a staff that you would want to work with.

Surely there is always a tradeoff between security and privacy, and
everyone has their own tolerance level regarding which side of this they
should fall on. In the end, you have to ask yourself how much you squeeze
the individual factor out of the equation. Can you honestly turn your
workers into drones incapable of malicious activity, let alone honest
mistakes?

When it comes down to it, you would no doubt agree with the CEO in our
example that you cannot prioritize security over the company itself. No CEO
would. You just have to be able to reconcile the fact that you could
experience a breach — and that’s the tricky part.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!