[BreachExchange] You’re too busy to get your security right

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 22 18:53:21 EDT 2018


https://www.csoonline.com/article/3264350/data-protection/you-re-too-busy-to-get-your-security-right.html

Every now and then the topic of being a security generalist comes up in a
conversation. Almost every organization has a person who deals with a wide
variety of security matters. Security isn’t just one thing, it’s a term
that describes a very large number of activities and spheres of knowledge.
I consider myself a security generalist to a degree, and I suspect many
people reading this are also one. Rather than being very good at one topic,
like cryptography for example, many of us have dealt with a large number of
topics over the years.

I do like being a generalist and all the freedom and challenges that come
with it, but the winds that drive the industry are starting to shift. The
idea of having a few people who can do a little bit of everything isn’t
really working for most organizations. We’re all too busy to be effective
much of the time.

Contrary to all the news we read, security is indeed starting to get better,
but not in the way many of us think or expect it to get better. There are
still a large number of network breaches and data theft, but it’s not all
that bad if you really look at what’s happening. The vast majority of
incidents you hear about are the result of overworked and underfunded
security teams at an organization. It’s always a complex system that wasn’t
properly architected. The places where security is getting better revolve
around the things that have been commoditized.

The current trend of commoditizing IT is leading the way to better
security. If you look at the ability to outsource something like
authentication, you now have authentication experts handling your
authentication security. Security might not be the driving force behind a
lot of this outsourcing, but security does get to hitch a ride. Your
overworked security team isn’t going to understand the latest and newest
threats against authentication systems, but this is quite literally the job
of authentication as a service provider.

This is a natural evolution of most industries if you think about it. Are
you going to use a service that has terrible security practices? Certainly
not. The security measures in place will be an important part of making
decisions around which services to rely on to run your business. Of course,
how we decide which services have good security practices is another topic
for discussion. It’s not simple to decide if a service is actually secure;
we will discuss that topic another day.

I do know a few security folks who believe keeping important security
functions in house is the only way to ensure everything stays secure. The
thinking is something like this: If I don’t have control of all my data and
all my servers I can’t possibly be certain that everything is OK. I don’t
want to trust an external third party because they could be doing things in
ways I don’t approve of and I would consider to be insecure.

I once thought this way, but I’ve softened my thinking rather drastically
in recent months. It does get exhausting having to keep track of who is
doing things wrong. More importantly though, this line of thinking clearly
doesn’t work and probably has a net negative outcome if you look at the big
picture. A big part of what changed my mind was just looking at all the
news happening around us. The vast majority of data leaks are the result of
trying to self-host services and data.

The new normal

The argument I always hear is “but do you trust <vendor> with your data?”
The better question is probably why are you somehow more trustworthy or
better than the vendor in question? Are you an expert in authentication? Or
logging? Do you have the knowledge needed to spot a threat actor in a
mountain of access requests? You might be, but you might not be. Believing
you’re an expert in everything can create a false sense of security.

The better question to be asking is: are you spending the proper amount of
time on any of your projects? The answer for all of us is “probably not.”
We all have more work to do than time to do it. Even in the best of
circumstances getting security right is a massive challenge. If we aren’t
given enough time to do things there is a very low probability that we will
get things right. Even the best of us make mistakes when under a time
crunch.

As A Service, by definition, will do better than many local experts. Most
of the on-site experts have a lot of things to do which means they don’t
get to dedicate a proper amount of time to any one problem or solution.
When you are working with another organization to use their services they
are generally going to be better at that task than you are as it’s the only
thing they do. There is a certain advantage to being able to focus your
attention on a small number of things.

Email dumps will be our example. Email dumps used to be a lot more common
than they are today and, unsurprisingly, a rather big deal. For almost
everyone their email contains a treasure trove of sensitive data. It makes
sense that an attacker would try to gain access to email as one of the
first steps in collecting important data.

How often do you hear about massive email dumps these days? I did some
research and I couldn’t find any examples of large email dumps from the
major email providers recently. All the large and scary email dumps have
been the result of people running their own email servers. There are of
course a few exceptions to this rule that seem to revolve around personal
email accounts, but in general it holds true.

Today it is more dangerous to run your own email server than it is to use a
service. This is not an idea that’s popular in some circles, but the data
backs up this statement. If you look at any of the recent large email leaks,
they’ve all been due to mistakes made with self-managed email servers.
Properly managing an email infrastructure is nothing like it used to be.
The days of having a POP3 server behind a firewall are long gone. Everyone
wants access to email from everywhere and on all devices. The attack
surface is several magnitudes larger today than it was ten years ago.

The experts are, well, experts when it comes to email.

This is a new way of thinking for many of us. It’s hard to give up control,
especially when we view control and security as very similar things. For
many of us, security is becoming less about securing actual systems than it
is about ensuring the services we are working with take appropriate
precautions. The new world is tasks like ensuring our data is being
properly protected and creating policies that we are comfortable with when
interacting with customers and employees.

Most of IT is turning into a commodity, and security is hitching a ride.
We aren’t going to fix security in the traditional sense, but we are seeing
progress when we view it as a feature of the services we rely upon.