[BreachExchange] How Football Can Help Explain Data Breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 27 19:15:50 EST 2017


http://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-football-can-help-explain-data-breaches.html

As a security professional, I regularly get asked questions that may seem
simplistic, but can be difficult to answer in a brief, kind, informative
way.

Questions like: Why are there so many big data breaches lately?

Or: How did the criminals steal our data at Equifax, or Yahoo, or OPM, or
Uber or (fill-in-the-blank)?

Sometimes the questions come with a cynical twist, like: With millions of
dollars in resources, why can’t companies or governments just stop those
hackers? What’s the “real” problem?

These cyberqueries can pop up anywhere, from panel sessions at conferences
to extended family gatherings during the holidays — and even at church
potluck events.

Usually, the part-question, part-comment, part editorial (outlining what
they’ve heard) is directed in such a way that the asker wants a quick
elevator-pitch kind of answer. (Note: Oftentimes, facial expressions
implore you not to offer long speeches on the complexities of Russian
foreign hackers nor personal appeals for them to buy identity theft
protection.)

Frequently, I use (American) football analogies to help explain what’s
happening in our cyberworld and encourage an engaging, two-way conversation
that’s not overly technical.

One reason to compare cybersecurity to football (college or NFL) is that
sometimes we are watching or talking about football when the question is
asked. Whether on Thanksgiving watching the Detroit Lions or on New Year’s
Day watching a college bowl game or during a Super Bowl Sunday party in
February, security and technology pros get these questions as part of the
normal small talk about work.

So what can be said? How would you answer? Here’s why I think football
analogies can help us understand cybersecurity.

What Can Football Teach Us about Cybersecurity, Data Breaches and Hacking?

At a basic level, the football-cybersecurity analogy is fairly
straightforward. There is an offense and a defense in football, and
cyberpros in companies and governments (usually) play defense to stop the
hackers who are on offense trying to access protected data. (Side note:
There are certainly people who encourage hacking back — where the "good
guys" go on the offensive, and you can read more about that legal trend
here.)

Just as offensive coaches in football scout the other team, watch film,
look for defensive weaknesses, diagram options, practice plays and more to
be successful and score touchdowns, so hackers gather data on companies and
governments, look for holes, and find weak links and vulnerabilities in the
people, processes and technologies deployed. If the defense takes away one
thing in football (like stacking the line against the run), the offense
will adjust and try something else (like passing).

In the same way, hackers constantly adjust their methods and techniques to
get around cyberdefenses. There are even attack/defend cybercompetitions
all over the country with young (and old) people learning different roles
in red teams and blue teams. The main point is that both hacking strategies
and online defenses are moving targets, not one-and-done challenges.

But this initial analysis is just the beginning of the similarities. Here
are some other helpful football analogies:

Just as coaches and teams prepare for upcoming games, chief information
security officers (CISOs) and other security leaders prepare for online
confrontations. — I like this quote from Kevin Davis in Nextgov: “Coach
Coughlin was a demanding coach, but he was also fair. What he asked from
each player was simple — that you worked hard to be as prepared as possible
and that you strived to continuously improve. Thinking about this now,
these are the same standards we should be applying to government when it
comes to cybersecurity.

In some ways, the “Monday morning quarterback” responses we often see in
football are similar to the reactions we see in the wake of security
breaches, with lots of questions surrounding what went wrong and how to
improve before the next game (i.e., next attack).

However, when it comes to cybersecurity preparation, there is one question
asked continually across government and the private sector — what is the
right “playbook” for cybersecurity?”

Recruiting football players is similar to acquiring (and keeping)
cybertalent on your team — from free agency in the NFL to college coaches
recruiting 3-, 4- and 5-star high school football players, the challenges
of attracting and retaining the best and brightest to your team are similar
between football and tech talent.

Equally intriguing in this analogy is the need to develop the players (or
staff) on your team. Some college football coaches, like Mark Dantonio of
Michigan State University, are known for “over-achieving” by taking 2-, 3-
and 4-star recruits and building teams that can beat teams that attract 4-
and 5-star recruits. Nevertheless, it is hard to maintain the needed level
of excellence if a program (or company or government) cannot compete with
the offers being made to others — especially in the NFL.

Huge upsets in football can be compared to major data breaches by
well-known companies such as Yahoo and Equifax. I am writing this blog
right after the Pitt Panthers just upset the No. 2 Miami Hurricanes. Other
major upsets this year include the Iowa Hawkeyes upsetting the Ohio State
Buckeyes.

The age-old adage, “pride comes before a fall,” applies to sports and
cybersecurity — as I explain in more detail in this blog on how
overconfidence can lead to data breaches.

Never-ending rivalries. When we think about hacking, it doesn’t take long
for nation-state hackers to be brought up, with Russia, China and even
North Korea entering into the conversation. This new “cyber cold war”
between adversaries that sit around the table at United Nations (UN)
meetings in New York while at the same time hacking each other behind the
scenes reminds me of the Ohio State versus Michigan, Alabama versus Auburn,
and USC versus UCLA football games that carry so much animosity.

Watch this video describing the feelings between Michigan State and
Michigan, which articulates the view that: “It’s not over; it will never be
over here. It’s just starting. ...”

Trick plays, unexpected twists, unexpected results for both hackers and
football teams. To pull upsets in football, the underdogs often try to be
unpredictable. Hackers also win by doing things in unconventional ways. The
best and worst hackers often surprise top companies and governments with
unexpected cyberattacks in unique ways. The global Internet is a great
leveling field which allows countries and groups from anywhere in the world
to attack in new ways that were impossible a few decades ago.

Perseverance and determination are needed to succeed for both cyberdefenders
and football teams. Anyone who plays or has played football for any length
of time knows that injuries and other setbacks can be disheartening. It
takes ongoing vigilance to be successful, and in cyberspace the online
attacks never stop. Even if you are successful for a long time, what worked
last year may not work this year. The strategic and tactical battle is
constantly evolving.

More Cybersecurity / Football Comparisons

There are many other articles and blogs on this cyber/football analogy
topic. Here are a few that I have written in the past, as well as the
thoughts from others:

Government Technology (GT) magazine - Blind Spots: How Cyberdefense Is Like
Stopping Tim Tebow

SecurityInfoWatch.com — How Football Helps Explain Infrastructure
Cybersecurity

GT magazine — Seven Career Lessons from Kirk Cousins

ThoughtCo.com — Five Life Lessons Learned from Football

GT magazine — Perspectives after the Nebraska Cybersecurity Conference

RSA Conference Website - What the Super Bowl Teaches About Cyber Security

What About Those Who Don’t Like Sports Analogies?

Some readers don’t like sports analogies at all — and don’t find them
helpful. Why? Because they don’t particularly like certain sports, or may
feel that these analogies are severely flawed.

For example, I have described the need to build “your own farm team” as in
baseball to develop cybertalent within your own organization. Some don’t
like the concept of levels of baseball referring to different cybertalents,
since everyone should be on the same team and work together. The sentiment
is that, “there are no minor leagues in cybersecurity.”

I realize that this choice of cyberanalogies can be both helpful as well as
lead to erroneous conclusions and strategies. For example, Americans may
have been playing baseball or softball while the Russians have been playing
Game of Thrones for generations. For those who don’t like sports analogies,
you can see some Game of Thrones cyber analogies here. I have also
discussed Star Wars analogies on cyber ethics, how the Mr. Robot TV show
can help understand hacktivism and other related cybertopics.

One reader told me that the entire concept of free agents and the top
cyberexperts moving around (as in sports) is horrible, and I should not
encourage such talk. “I want everyone to know that their role is important
and that we all need everyone to work together — not create tiers of pros
or privilege.”

To be transparent, I am just glad that readers are willing to send me
LinkedIn comments and emails to let me know their views at all. There is
certainly no doubt that football and other sports analogies can only be
taken so far.

Final Thoughts

So back to the beginning and why I still believe that football analogies
can help with explaining data breaches, cyberdefense and related hacker
topics.

Put simply: It usually works for me. I know and love football, and so do
many other people I talk with about security and technology. For better or
worse, more people understand football or other sports than understand the
intricacies of cybersecurity, data breaches or hacking. Football helps
explain cyberconcepts in easily understood, fun, informative ways — without
using political or religious connotations, which can sometimes lead to
other concerns.

On a personal level, football has taught me about leadership, discipline,
teamwork and the essential role of every player on the field. One weak
offensive lineman or an exceptional pass rusher on defense can radically
change the result of an entire game. The same is true for cybersecurity
teams and hackers.

The University of Pittsburgh Panthers Head Football Coach Pat Narduzzi
recently said, “We’re not just coaching football, we’re changing lives with
these young men.”

That same passion and sense of mission comes out in many security teams
with “white hat hackers” who defend systems, data, infrastructure,
companies and even nations from cyberattacks.

And perhaps that is the greatest similarity of all.