In the first article in the series we talked about how when you don’t understand your attack surface, too much security can actually make you more vulnerable and undermine the efficiency of your organization’s operations. In the second article we looked at problems caused by unbalanced security, which leads us to this third and final installment on security solutions that fight for the same resources.
You Chose Security Solutions that Fight for the Same Resources
As mentioned earlier, according to research for the OSSTMM 4, there are at least 10 types of operational controls, and each control protects against a different category of attack, so layering your security with the same type again and again still leaves you open to at least 9 other categories of attack in that same vector.
The typical network with authentication and encryption is only protected against 3 types of attacks (because encryption is generally implemented so that it provides 2 types of controls, Confidentiality and Integrity). If your resources are all going into maintaining 30% protection, isn’t something wrong?
Which is why you need automatic updating, patching, cloud-stuffing and anything where you can shove work away from your precious human resources. Now I like automation as much as anyone. Actually some of my best (and only) friends are robots. They do something really well: maintain quality through repetitive tasks.
In a study from the mid-nineties, researchers found robots did as good a job at discovering new medicines as their human counterparts. Robots found medicinal assays with a 30% success rate. The best of their human counterparts did 30% as well. But the robot did it every day, every time. The humans only did so on their best days. So I like robots for their consistency, and it’s easy to see why we rely on them. Until we can’t.
If a robot fails in the woods does it make a sound?
Your automated security processes usually need the same resources as the stuff they are protecting. Humans don’t. Humans are “out of band” in that sense. When a robot finds a failure in the system, it messages you. But when it’s the robot that fails, it does so silently (sounds kind of sad like that). Humans don’t compete with automation for resources.
The more automation you have, the less need you have for messy people and the more consistency you have in your processes. Which is great for processes unless they’re security processes. In security, automation works best as a tool and not a foot soldier. You see, your security automation is in charge of making periodic and systematic changes to controls and then verifying those changes. That means you have employed a machine to maintain consistency at changing consistency (by making unattended changes).
So the better it is at consistency, the more it can change but the less it can handle the inconsistency of change. Automating security is a paradox. That’s why those who program automation for security employ techniques that make the robot a bit more forgiving of errors: any kind of unexpected change in the thing being changed. And so begins the automated walk down the yellow brick road to the emerald city of security problems.
When you run automation for security then the human becomes the tool, fixing everything the automation breaks, putting out fires, and apologizing a whole lot to other humans, sometimes with presentation slides. Now you’re back to competing for resources again, but this time the automation is taking your people away.
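The silent-failure point above is the one a defender most needs to act on: a robot that reports problems cannot report its own absence. The usual answer is a dead-man check that runs out of band from the automation it watches and treats silence itself as the failure. The block below is an added illustration of that idea, not code from the article or from ISECOM; the heartbeat log format, the job names and the timestamps are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeat lines (hypothetical format): each automated
# security job appends "<ISO timestamp> <job-name> ok" after every successful run.
SAMPLE_HEARTBEATS = """\
2024-05-01T08:00:00+00:00 patch-sync ok
2024-05-01T08:05:00+00:00 config-verify ok
2024-05-01T12:00:00+00:00 patch-sync ok
2024-05-01T12:05:00+00:00 config-verify ok
2024-05-01T16:00:00+00:00 patch-sync ok
""".splitlines()

# Jobs the watchdog expects to hear from. A job missing from this tuple is
# invisible to the check, so the list is maintained by hand, out of band.
EXPECTED_JOBS = ("patch-sync", "config-verify")


def parse_heartbeats(lines):
    """Return {job: latest successful-run timestamp} from heartbeat lines.

    Malformed lines are skipped rather than raised on: a crash inside the
    watchdog would itself be one more silent failure.
    """
    latest = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "ok":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        job = parts[1]
        if job not in latest or ts > latest[job]:
            latest[job] = ts
    return latest


def stale_jobs(latest, expected, now, max_age):
    """Return expected jobs with no successful run within max_age of now.

    A job that never reported at all is stale too: silence is the failure mode
    being detected, so absence of evidence counts as evidence of failure.
    """
    stale = []
    for job in expected:
        last = latest.get(job)
        if last is None or now - last > max_age:
            stale.append(job)
    return stale


def run_check(lines, expected, now_iso, max_age_hours):
    """Convenience wrapper: parse, then report stale jobs for a given clock time."""
    now = datetime.fromisoformat(now_iso)
    return stale_jobs(parse_heartbeats(lines), expected,
                      now, timedelta(hours=max_age_hours))


if __name__ == "__main__":
    # config-verify last reported at 12:05; by 17:00 it is past a 4.5 h budget.
    print(run_check(SAMPLE_HEARTBEATS, EXPECTED_JOBS,
                    "2024-05-01T17:00:00+00:00", 4.5))
```

The design choice that matters is where this runs. If the watchdog is scheduled by the same host, scheduler or credentials as the jobs it watches, it shares their fate and goes quiet with them, which is exactly the resource competition the article describes. Run it from a separate system on its own clock, and route its output to a human, because the human is the only component that is genuinely out of band.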
But what happens when you flip it around? What happens when you put too much security on your employees rather than in your machines? Either your security suffers or your business does. In the case of people too, too much security leads to less security.
People don’t function well consistently. Sure, there are people who have habits you can set a watch by, but even they, if you begin to put the pressure on, will fail. The more you ask a person to be able to detect, discern and analyze, outside their direct task, the slower they go. Because people can’t really multi-task regardless of what you’ve heard someone say on Facebook.
We can’t. The more we do, the more we automatically slow down, the more we lose our grip on, and the more we forget to do (or else just look for short-cuts). All those security awareness classes actually slow down employees. Any reminders of mistakes and their consequences, from security policies to security campaign posters, inevitably make them fail at the very thing you’re teaching them to be careful not to fail at.
People who feel watched, or who are reminded of things that could attack them, or are told they could screw up, will be paranoid, cautious, slow and incapable of doing the right thing when the pressure is on, like during an active social engineering or phishing attack.
Fear is a horrible motivator. The more afraid of screwing up that the employees get, the less they’ll do and the less happy they will be, forcing them to seek positive social interaction. And so begins the death spiral to employee inactivity and overload. You see, the biggest mental threat to an employee, the one that’s the most taxing, is social interaction. It’s exhausting.
Many studies show that even non-verbal social interaction (like social networks) taxes our brains heavily, as we are constantly “on”, making sure we don’t say the wrong thing and that we follow expected social norms. The more employees who are looking for social interaction, the more who will be drawn into it. This leads to a competition for social resources, whether in person or on the Internet. The end effects are failure to meet security expectations when needed and information leaks through gossip and ranting.
Organizations which think that security awareness is just showing people how to act in potential security situations and reminding them they’re legally responsible for their bad choices may be in for a rude awakening. Or they may just be out time, money, and happy employees who don’t gossip about work stuff. And this happens when you let your security hurt your security.
So, it’s time to change. There are better security awareness methods out there worth following at this Troopers workshop. Find me there. I’m open to talk about any of the topics covered in this article if you catch me at an event like Troopers in Germany or RVAsec in Richmond, VA, USA — both coming up soon!
Author’s Note: The information in this article comes from research for OSSTMM 4 and its spin-offs which include the Secure Programming Guidelines, Security Awareness Methodology Manual, Hacker Highschool, Vendor Trust and Security Assessment, and the Desktop Security Matrix, some of which are already publicly available or available to ISECOM subscribers. The difference between ISECOM research like the OSSTMM and security best practices is that ISECOM studies and verifies practices to determine facts as opposed to the anecdotal security found in best practices. OSSTMM is true.
About the Author: Pete Herzog is the co-founder of ISECOM, and as Managing Director is directly involved in all ISECOM projects. In 2000, Pete created the OSSTMM for security testing and analysis. He is still the lead developer of the OSSTMM but also leads the organization into new research challenges like Smarter Safer Better, the Bad People Project, and the Home Security Methodology. Pete’s strong interest in the properties of trust and how it affects us and our lives has led to trust metrics and has brought ISECOM more deeply into Human Security. In addition to managing ISECOM, Pete taught the Masters for Security at La Salle University in Barcelona, which accredits the OPST and OPSA training courses, and Business Information Security in the MBA program at ESADE, which is the foundation of the OPSA. In addition to security, Pete is an avid Maker, Hacker, and reader.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.