It’s the holiday season, that special time of year when people all over the world celebrate compassion (at least in theory) by giving gifts to family members, friends, colleagues and complete strangers. Perhaps no one embodies this spirit of giving more than St. Nicholas.
All throughout the month of December, children write to Santa Claus and send him wishlists of all the gifts they hope he will bring if they are nice. They then spend their nights dreaming of what toys will greet them on Christmas Day. It’s something truly magical to behold.
But let’s face it: you don’t have to be a child to have a wishlist. We know security personnel work very hard protecting us online throughout the year, and we know each one of them must have something in mind that would make their jobs easier or more fulfilling. We therefore asked a number of infosec professionals the following question:
“If you had one wish for the infosec community this holiday season, what would it be and why?”
The first part of their responses is provided below.
Adrian Sanabria | Senior Security Analyst | 451 Research
I think one of the things our community and industry seems to broadly lack is empathy and perspective. We’ve been saying that businesses just need to ‘do the basics’ for over a decade now. However, the basics continue to elude them.
My wish is that instead of shaking our heads, we’d spend more time understanding why businesses keep failing at Security 101. We tell ourselves that it is because there’s not enough spending on security or because executives don’t take it seriously enough. We need to consider that perhaps the basics don’t get done because they’re more difficult than we give them credit for. Perhaps the basics don’t get done because the systems, processes, and assumptions we have in place are broken or insufficient.
Irfahn Khimji | Sales Engineer | Tripwire
Every culture has a staple for its holiday season, without which it would not be considered the holidays. For this holiday season, I think as an infosec community, our cultural staple needs to be foundational security controls. I wish we could all focus on and invest in ensuring we know what is in our environment, how it’s configured, and what the risk surface of each asset is. These are the top four critical security controls, and the holidays just aren’t the same without them! (Then again, neither is the rest of the year!)
Lane Thames | Software Engineer | Tripwire
Why? Designing and implementing secure information systems is a very challenging problem. Indeed, there is no such thing as a perfectly secure system, only approximations thereof. No matter how aware a developer is of the secure software development lifecycle, mistakes will be made. I’ve always been an advocate of developing technologies that allow us to remove as much security overhead from our information workflows as possible, and proper use of architecture and frameworks provides one such avenue for reducing the overhead. The industry has made a small bit of progress in this area, but in my opinion, it hasn’t been enough.
Although there are challenges associated with integrating cybersecurity architectures and frameworks into our information workflows, I believe the overall benefits can drastically outweigh the associated costs. Further advancements in this line of thought, driven by increased awareness, research, and innovation, could shift the cost/benefit ratio even further in our favor.
Matthew Pascucci | Security Architect
One thing I’ve had on my information security Christmas list for the past couple of years is for companies to start using deception within their networks. It seems like so many people are timid about defending their networks using the strategy of deception. Guys, Santa’s not going to put you on the ‘naughty list’ if you’re misleading attackers. It’s a good thing! Using the tactic of deception will allow you to get a jump on attackers that are in your network and to strengthen your security defenses.
Many people are worried about prevention only, and when it comes to deception (think honeypots, honeytokens, sinkholing, rate limiting, etc.), if you’re not completely preventing attackers, management might not see this as a valid form of defense. In reality, having faux systems, data, or networking that misdirects attackers and makes them lose trust, which in turn causes them to stumble, is reason enough to start using deception as a defense.
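The honeytoken branch of the deception strategy Pascucci describes, as an added example that is not part of the original article: decoy identifiers (a fake domain account, a fake cloud access key, a fake customer record) are planted where an intruder would find them, and because nothing legitimate ever uses them, any appearance in a log is a high-confidence hit that also tells you which decoy was touched. The registry class, the token values, the planting locations, and the log lines below are all constructed for this illustration, not taken from any real system.

```python
"""Honeytoken planting and detection over constructed log lines.

Added example, not from the original post. A honeytoken is a decoy
credential or record that no legitimate process ever uses, so any
appearance of it in logs is a high-confidence indicator of intrusion
and, if each token is unique to its hiding place, attributes the hit.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# First IPv4 address in a log line; used only to attribute a hit to a source host.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Alert:
    token: str
    planted_at: str  # where the decoy lived, so the responder knows what was read
    source: str      # first IPv4 address in the line, or "unknown"
    line: str


class HoneytokenRegistry:
    """Records which decoy was planted where, so that a hit is attributable."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def plant(self, token: str, location: str) -> str:
        # One token per location: reusing a decoy in two places would make it
        # impossible to tell which copy the attacker found.
        if token in self._tokens:
            raise ValueError(f"token already planted at {self._tokens[token]}")
        self._tokens[token] = location
        return token

    def detect(self, lines: Iterable[str]) -> List[Alert]:
        """Return one Alert per (line, token) match; a literal substring
        match is enough because decoys are chosen never to occur naturally."""
        alerts: List[Alert] = []
        for line in lines:
            for token, location in self._tokens.items():
                if token in line:
                    m = IPV4_RE.search(line)
                    alerts.append(Alert(token, location, m.group(0) if m else "unknown", line))
        return alerts


def by_source(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group hits by source address: one host touching several decoys
    is a strong sign of an active intruder rather than a stray scan."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        grouped.setdefault(a.source, []).append(a.planted_at)
    return grouped


# Hypothetical decoys; the values are made up and deliberately look like
# something an attacker would try to use.
REGISTRY = HoneytokenRegistry()
REGISTRY.plant("svc_backup_legacy", "decoy account in shared 'it-passwords.xlsx'")
REGISTRY.plant("AKIAHONEY4EXAMPLE01", "decoy access key committed to internal git repo")
REGISTRY.plant("canary.7f3a@example.com", "decoy customer row in CRM database")

# Constructed log lines (not real data): one sshd attempt with the decoy
# account, one legitimate login, one API call with the decoy key, and the
# decoy customer address leaving through the mail gateway.
SAMPLE_LOGS = [
    "Dec 18 03:14:07 bastion sshd[2231]: Failed password for svc_backup_legacy from 203.0.113.45 port 51022 ssh2",
    "Dec 18 03:14:09 bastion sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 51023 ssh2",
    'Dec 18 03:16:41 api nginx: 203.0.113.45 - - "GET /v1/export?key=AKIAHONEY4EXAMPLE01 HTTP/1.1" 403',
    "Dec 18 03:20:02 mailgw postfix/smtp[881]: to=<canary.7f3a@example.com>, relay=mx.example.net, status=sent",
]

if __name__ == "__main__":
    for alert in REGISTRY.detect(SAMPLE_LOGS):
        print(f"HONEYTOKEN HIT from {alert.source}: {alert.planted_at}")
```

Note that the failed SSH login is still a hit: the decoy account has no valid password, so the value of the token is that someone tried it at all, and the same source address then reusing the decoy key is the "stumble" the quote above refers to. The mail-gateway line carries no source address, which is why the detector falls back to "unknown" rather than dropping the alert.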
Andrea Simmons | Consultant
There’s a U.S. cyber security strategy, one for the European Union, and ones for a number of other specific countries. But when you think about it, so what? It’s not stopping the rot. Corporate businesses are still supporting bad design practices by not allowing their teams to design their information infrastructure both safely and securely. Everyone is stretched for time and resources beyond sustainability.
That being said, my wish for the infosec community is to STOP taking the requirement to protect the organisation – whatever sector you are in – as your sole responsibility. IT IS NOT! Security is everyone’s responsibility, and everyone needs a LOT more understanding! Procurement needs to understand the implications of the deals it undertakes. Legal should do this too, as well as learn the law and stop looking to security folks for some perspective regarding information-based legislation. HR needs to be much more engaged in helping to discipline misbehaving employees and support making good security behaviour an active element of annual appraisal processes. And IT needs to factor safety and security into all change management and future development instead of waiting until the end.
None of the above is rocket science; it’s not new news. So STOP, just stop taking on the inappropriate mantle of security being the solution. We’re not! It’s a collective.
For another day, we also need to stop believing the hype. The security industry needs to look deep into its soul and reflect on the ethics of selling layered defense pipe on top of known insecure systems. In the world of the Internet of Things, this approach is going to crumble and will embarrass us all.
Zoë Rose | Commander | Glass Frog Technical Services
If I had one wish for the infosec community, it would be to stop, take a minute, and realize that not everyone’s passion is security. I know, it’s hard to believe something so amazing could be anything but the front focus of everyone’s mind!
Want to train and educate end users, instead of expecting them to understand security? As infosec is our passion and in many cases our hobby, we forget others are not as interested. End users specifically want convenience over security, which is why something like thumbprint authentication makes them happier than setting up a unique complex password.
One way we could balance this is to look into training people from a young age, thereby helping to make security a natural part of life.
Also, we should focus on providing a wider variety to high school/college classes based on the notion of computer security. We should therefore place less emphasis on the traditional ‘Programming’, ‘Web Dev’, and ‘Networking’. More education, more information, remove the misunderstanding – that is my Christmas wish.
Jenny Radcliffe | Consultant
It’s very easy to be distracted in the infosec industry and forget what is important, so fewer words and more actions going forward are necessary to step up to the task in hand. We provide a service, and people have no choice but to trust in us much of the time. I think it’s important we don’t forget that as a community and work hard to justify that trust.
I hope everyone has a peaceful, safe festive season and recharges fully to face the challenges of 2016 and beyond with purpose, energy, and focus.
Richard De Vere | Principal Consultant | AntiSocial Engineer Ltd
I wish people of all sectors, ages, sexes, abilities, and races stopped and took a second to sum up their digital affairs. With the technological advances over the past few decades, we have all run away with what we are doing. Ultimately, if you don’t have a technical mindset, this should be the time to learn from the many amazing resources out there, whereas if you are tech savvy, this should be the time to assess what tasks you do daily and what systems handle your data. Can you reduce the spread of your data? Can you be more efficient and secure? Do you have proper backups of everything? Christmas should be a time of reflection and not a hunt for the next gadget. Give your loved ones 2-Factor, KeePassX, full disk encryption, and open-source AV. Show them you care.
David Archer | Principal Investigator | Galois
Santa baby, slip two-factor under the tree, for me.
Worn my truly white hat, Santa baby,
So hurry down the chimney tonight.
Think of all the factors I keep,
Apps and fobs and PINs that make me toss in my sleep,
Next year we could all rejoice,
If you’ll just check off one single second-factor choice.
Santa baby, one 2FA plot,
and really that’s not a lot,
Been a white hat all year, Santa baby,
So hurry down the chimney tonight.
Santa honey, there’s one thing we really must win, buy-in —
2FA partout, mais oui, parlez-vous?
So hurry down the chimney tonight.
Santa cutie, tee us up to get all agreed on the need
For just one two-factor way, today!
And hurry down the chimney tonight.
Come and trim my bookmarks tree
With authentication images and two-factor for free,
I really do believe in you,
Let’s see if you believe in me,
Santa baby, I know I’ve got the right fob right here,
Oh dear! Don’t lock me out in the cold, Santa baby,
Give me one 2FA tonight.
I’ll choose my Sitekey image tonight.
Please stay tuned for Part II of this two-part series.
Lee, J.; Bauer, L.; Mazurek, M. L., “The Effectiveness of Security Images in Internet Banking,” IEEE Internet Computing, vol. 19, no. 1, pp. 54-62, Jan.-Feb. 2015.
Sitekey, deployed in 2006, provided one of the first broadly marketed financial solutions that employed site authentication images.
Title image courtesy of ShutterStock