On Bad Solutions and Negative Returns
Germans have an ironic idiom called “viel hilft viel.” This is directly translated into “lots helps lots”, and is often used to ridicule the notion that by just doing enough random actions, you will eventually fix the problem. Mostly, we all know intuitively that this approach won’t work. If you have over-salted a stew, no random addition of more salt and spices will fix the taste. Unfortunately, when it comes to information security, individuals and the industry as a whole still haven’t come to realize that the same is true.
In this briefing, we will take a look at when actions meant to increase security preparedness and awareness can be counter-productive.
There are no magical solutions
The sentence “it’s alright, we have an IDS” is the dead canary in the coalmine of corporate information security. In just six words it manages to convey a horribly simplistic view of cyber attacks, a naive trust in solutions vendors, and a culture of buzzwords over fundamentals. It is also a sentence that has become emblematic for the mismatch between actual information security needs and the supposedly easy fixes up for sale on the marketplace.
To understand why let’s look at two important concepts: Complexity and integration.
Imagine you run a museum with lots of valuable artifacts that need protection. Naturally, leaving the halls fully unsupervised at night after you close the doors is a bad idea. If a burglar broke in, it may take hours for anyone to notice. So you hire guards to patrol the building at night. But what happens to security if you add more and more guards?
This is a tricky question (and for the purpose of this example we will assume that you don’t have the budget to put three guards with rotating shifts who are watching each other into each room). Let’s say you start with 5 guards and they manage to patrol each room once every hour between them. If you now hire 5 more guards, they will be able to visit each room once every 30 minutes. That’s an improvement to be sure, but in the real world, you cannot be sure that all guards are trustworthy. One of the guards may be a thief trying to slip in. Or one might be under financial duress and open to looking the other way for a fee. With each guard you hire, you increase the risk of one of them being a bad actor.
The same issue exists with information security solutions. No doubt, three layers of firewalls, an IDS on the network and a few more on each machine, remote sensing, remote log collection, antivirus and endpoint protection on all work machines etc will make the job of attacking your system tougher. But all of these tools themselves are systems. They have code and hardware designed by regular, fallible, developers. At what point is the risk, that one of the security solutions contains a critical vulnerability, larger than the additional protection it offers? At what point will you run into a vendor that is controlled by a state actor and includes backdoors into their products?
The answer is complicated, fuzzy and very much not good for a clear sales pitch to C-suite executives. “Buy our product and you will be secure” is a good marketing pitch. “Your security is an impossible problem that we’d be happy to solve as best as possible” is not.
But let’s assume that all of your solutions themselves are secure, don’t have any bugs and actually do what they claim to do on the box. There is another, equally important and equally ignored problem: Integration.
Let’s equate information security solutions to locks for a moment. Imagine a salesman sold you an unbreakable lock. Not even heavy equipment can cut through its bolts. Not even the best lock pickers can open it without a key. You invest heavily to acquire it, hand it off to your staff and they promptly and vigorously proceed to install it on the staff kitchen cupboard door while leaving the front door secured with the standard lock and the backdoor open altogether.
As absurd as it sounds, this is the situation - at least partially - in almost all major networks from corporate to government. As solutions and infrastructure grow more and more complex, fewer and fewer people have a full overview of what is going on and where the important doors are. Of course, most serious organizations have diagrams and charts to map just these important paths, but those charts are notoriously out of date in most places.
All of this leads us to the one key idea that you should take away from this briefing: You usually don’t need more or better locks. You need people who know what doors to put the locks on.
The issue with human talent
But where can you find those people? Since the specialists are horribly expensive, your best bet is usually to increase the information security skills of your own IT staff and the awareness of your non-IT staff. The tool to do so is training.
But unfortunately, training solutions themselves suffer from the same issues of complexity and integration. “Lots helps lots” is just as inadequate when dealing with training as it is when dealing with solutions. Humans have a limited attention span and employees also have a job to do. If a training is too long and too unrelated to their everyday job, it quickly becomes useless as they either tune out, avoid it or find creative ways to circumvent the training requirement. Worse yet, just like security solutions, the wrong training can end up having a negative impact on your staff’s level of readiness. After three hours of redundant multiple-choice questions on - for example - phishing attacks, most people are less likely to take phishing seriously than before.
Summary and Further Reading
When looking for information security solutions, find the doors that need locking and then find the locks that match them. Buying more locks won’t fix the problem and anyone who promises you a lock that will make your house burglar-proof is lying to you.
When looking for information security training, look for a solution that conveys the subject matter you need in a concise and impactful manner that is applicable to the workflow of your staff. The solution with most content may look good on paper but is unlikely to yield the best results.
On a personal note, Reflare has recently partnered with information security vendor New Light Technologies to release a comprehensive whitepaper covering the need for and pitfalls of information security training solutions. If this briefing was valuable to you, we heartily recommend that you give it a look for more detailed information.