Opinion: People are the biggest problem in enterprise infosec. Make them your greatest asset.
The numbers are so bad because we get people wrong.
Here's a message you can take to the bank. If you're trying to secure a corporate network, you almost certainly can't. Once somebody is in, that network can be taken apart and emptied of everything valuable in a few hours.
We know this because we just know it, of course, but also because of a SANS Institute survey of 300 security professionals. Not the ones trying to fend off attackers, but the ones trying to break down the walls and get into your systems. Ethically approved penetration testers, naturally, but attackers nonetheless.
In a doomed attempt to cheer you up, the Institute points out how long each stage of a successful attack typically takes, so you can plan where to focus your detection resources. What it doesn't spell out is what's implicit in the structure of the survey itself: ethical attacks are a source of information like no other. If you had a white-hat team constantly on hand, probing every change you make, how much better would you sleep at night?
Hold that thought. The other thing the survey doesn't mention is why, after all the years and all the billions spent improving data security, it's worse than ever.
Unfortunately, the team you actually have on hand consists of the attacker's best friends. According to Verizon's 2022 Data Breach Investigations Report, over 80 percent of breaches involve the human element. There are many classes of error behind that headline, from email slip-ups to active fraud, but it boils down to the first rule of cybersecurity: people are the problem.
The response of many organizations, especially larger ones, is to impose strict infosec rules with harsh penalties for breaking them. Which is, of course, exactly how you end up with that 80 percent. Nobody dares admit to anything, least of all the things they do to get around the rules so they can do their jobs.
But you don't want a company of intimidated employees. What you want is a company of hackers.
That might sound suicidal to those who think hacking is an attack, but less so to those who think hacking is a mindset. Hollywood and the daily media are in the first camp: online attackers are amoral thrill-seekers at best, and more often than not quasi-criminals bent on mischief or actual crime. Register readers will be in the second camp, and rightly so.
Hacking as a way of thinking is characterized by curiosity, tenacity, imagination, and the joy of discovery and invention. It's not a skill set, although of course it develops one. It is playful pattern-matching and problem-solving. Teaching people to think like hackers is in many ways better than teaching them to fear the bogeyman.
Take phishing. The usual corporate approach to educating non-infosec staff about phishing is to explain the principles, show some examples, maybe run a few fake phishing campaigns to shame those who don't "get it", and move on. Another slice of that 80 percent is baked in.
Far better to teach people how to write phishing emails. Set out the principles of social engineering and reward the best efforts. It doesn't matter what technical skills or knowledge people have: at worst they learn as much as they would the traditional way, and some will start thinking creatively about security.
Most people only need basic awareness, and that's fine, but you can go as deep into the hacker mindset as you like. Looking at security in detail, as a set of components that need to be hardened, tested and maintained, is a whole lot of drudgery.
It's much more exciting to think about the kill chain, the path through a system that gets you to the prize. If you wanted to read the CEO's expense-claim history, how would you go about it? Say that isn't a lot more fun than asking how to protect the HR and finance systems; we dare you. It's an uncomfortable leap to offer bounties for holes found instead of written warnings, but where would you rather work?
Inculcating this mindset as widely as possible has consequences. You won't be able to fire people for poking around in your infrastructure, but you can if they find something and don't tell you. You need rules, much as you do for how external pentesters work: what to do when vulnerabilities are discovered, and how to behave responsibly with what you learn.
The biggest risk would seem to be success: a workforce full of hackers who have taught themselves far too much about your systems. This is best addressed by looking at the fraud triangle. Most people commit fraud when they have the motivation, the opportunity, and a rationalization for what they are doing.
Motivation doesn't change when a company adopts the hacker mindset. Opportunity certainly increases as skills are acquired, but rationalization gets harder. The company isn't stupid, or suspicious, or indifferent; it's inviting its people in, asking them to enjoy some serious problems, and to play by the rules.
On the upside, not only do you get far more security focus (your permanent testing team), you also get people with the hacker mindset of creative analysis and problem-solving. That rubs off on the job that actually gets printed on their business cards. And if you're at a company that would have a problem with this, we suggest you make fixing that problem your top priority.
Yes, your systems are vulnerable. Yes, attackers get through. Yes, people are the problem. They are also your greatest security asset. Just buy them some white hats. ®
Source: https://www.theregister.com/2022/10/10/opinion_infosec/ (How do you protect your systems? Cultivate an insider threat • The Register)