Whether it’s attracting more people to the cyber-field, taking a more effective approach to preventing social engineering, or the modernization of federal IT, we need to hit the reset button and come up with better ideas.
That’s the view of Theresa Payton, president and CEO at Fortalice Solutions, former CIO at the White House and one of the stars of cyber-forensics series “Hunted”. She laid out a “newthink” approach during an interview at the Enfuse 2017 conference.
First and foremost, when it comes to human error, one of the shifts in ideology needs to be designing security so that human training is not the linchpin. For instance, weak passwords are an issue—so perhaps we should simply stop relying on humans to be better when selecting basic credentials.
“Security was not at the whiteboard session when apps and products are designed—it’s an afterthought that gets implemented after the fact in the form of a user ID and password,” she said. “Instead of bolting it on, what I think we have to do is implement behavioral-based authentication.”
For instance, if a user’s device is always at a specific location at 9 a.m. and logs into email—that’s an established pattern, so in order to log in, all that’s required is a code that’s sent to the phone. But if there’s a deviation—say, the user appears to suddenly be in Turkey, then the authentication requirements will dynamically scale to become more challenging.
“The data is there now to allow us to do this, but we haven’t changed the design of security to take advantage of it,” she said. “It’s the same idea of always relying on a human not to click on a link. What if we just changed the design so that a business says no more links. That way, if I haven’t called the recipient and specifically told them to expect a link from me and a mail with a link shows up, you know it’s not me.”
It’s not that far-fetched: Some organizations, including financial services companies and the IRS, have already established this, telling consumers that they will never send an email with a link to an authentication page.
On the jobs shortage front, much has been made of the lack of women (and skilled people in general) in cybersecurity. The shortfall of people to fill open positions is expected to stretch anywhere from 1.8 million to 3.5 million by 2021. Payton noted that for women and many others, the optics are simply all wrong to recruit a mass influx of talent.
“Think about how we portray this field of work,” she said. “Every time I see a recruitment flyer or a newspaper article, the first image is a dude in a hoodie, bent over a keyboard, and there are usually some 1s and 0s in there somewhere. We need to change the images and have more than one stock photo that only brings up fear and certainty and doubt. This doesn’t reflect how great the industry is. The labor shortage would go away if we portrayed this accurately.”
People are looking for role models, she added. “Think about Police Woman, the old TV series with Angie Dickinson. That’s an example of women portrayed in a positive way being successful in a nontraditional field—we need more of that.”
Federal Security: Building an Action Plan
When it comes to the recent Executive Order on cybersecurity in the US, the former White House CIO calls it a “step in the right direction” but noted that getting from the EO to a plan of action is something else together. And that it’s important to realize the big challenges that departments and agencies face when it comes to any IT project.
“This is an unfunded mandate—they always are—and this has to somehow become a priority. The EO puts everyone on notice that this is important, and the ideas are right,” Payton said, noting that the Obama administration also issued a cybersecurity EO, one that mandated a move to the cloud. Very few departments and agencies were able to follow through.
“A lot of the problems in federal government would simply go away if we just retired old technology, but it’s a hard mental exercise and a tough skill-set enterprise to do those conversion efforts,” she said. “Agencies need funding and skills made available to help them get from EO to plan of action.”
One sticking point for many agencies is the fact that they are inundated with requirements for reporting and compliance.
“These departments have a required OMB scorecard to fill out, FISMA and NIST self-assessments, EOs to respond to with a plan, all of the different acts to comply with—there are enormous burdens that take them away from the day job,” she said.
That all said, in terms of the top priorities in federal security going forward, Payton advises agencies to resist the temptation to implement new technology as one large project—rather the modernization effort should be undertaken in manageable pieces. This is not only better from an operational standpoint, but it’s a more responsible way to use taxpayer dollars.
“They should start this as a series of pilot projects, completed in 30-, 60-, 90-day sprints,” Payton said. “That requires a mindset shift—these departments and agencies are used to thinking in terms of one-year to 36-month projects. But they need to learn to fail small and fail fast—and the learnings from those failures mean your next project will be incredibly successful. Deciding whether to fish or cut bait is a much easier decision to make when you’re in it for a month, not three years. The focus should be on proof-of-concept pilots that allow them to determine whether they’re ready for a broader investment.”
Above all, any departments that deal with sensitive and critical infrastructure, money movements or sensitive information on people need to be doing small managed pilots with blockchain used for the movement and registration of data, with tokenization alongside—to make sure this is done correctly.
This approach not only mitigates the possibility of widespread, high-profile and very expensive failures, but it also gets around the fear of the “forklift upgrade.” Incrementally, new things can go on the new platform—then they can migrate the old functions off the legacy infrastructure in manageable chunks.
That way too, some funding will already be baked in the budget. “There’s a long lead time for funding, so if you can go ahead and get the opportunity to use a small amount of funds for now for pilots, it makes appropriations easier down the road,” she said.
Within all of this, shadow IT needs to be addressed as well, Payton noted.
“Where possible, they should look at cloud services for the basics—email, documents—if you’re not, your employees are probably using personal cloud and email services because they’re just trying to get their jobs done.”
Next-Gen Threats
According to Cybersecurity Ventures, a trillion dollars will be spent on cybersecurity by 2021—while cybercrime will cost organizations at least $6 trillion in the same period. This kind of negative ROI should put everyone on notice, according to Payton.
One of the things that must change, she says, is our approach to securing the internet of things (IoT).
“The weaponization of IoT is something I had been talking for two years leading up to the Dyn attack on Oct 21,” she said. “Everyone says, we need to secure Alexa, secure Google Home, secure Nest and that connected doorbell. But it’s an exercise in futility because securing all of the teeny tiny components and the firmware that goes into devices is nearly impossible. People don’t download updates for their home routers, why would they make the effort to do this for all of the components in all of their IoT devices?”
The attitude and the strategy should instead hinge on an assumption that IoT devices will be unsafe and buggy and cause issues, and so therefore there needs to be a kill switch.
“We haven’t been able to secure IoT because everyone is thinking about it the wrong way. We need behavioral-based monitoring that allows us to flip a kill switch when there’s a problem,” she said. “We will do the best we can to have good security principles and practices, but have a kill switch when something happens.”
This does require a consumer shift in thinking. She gave the example of the Nest connected thermostat, which went offline during the heating season thanks to a battery glitch. The company was inundated with calls from customers wondering what to do in their now-freezing homes.
“There’s an override,” Payton said. “It’s called going to the furnace and flipping it on.”
The other looming problem for the future hinges on the next NSA code release from the ShadowBrokers, which have promised a new cache of hacking weapons in June.
Famously, the WannaCry ransomware, based on two of the already-leaked NSA tools, made use of the millions of outdated Windows XP machines still in the field.
“We need to understand that the issue isn’t that people refuse to patch or upgrade,” Payton said. “The problem is that patches break things. When you get a patch from anyone, that vendor doesn’t know how your custom code works in your specific organization. You can’t just roll out the patch with production support without it impacting uptime and reliability.”
In heavily regulated industries like financial services, companies also have to follow a specific protocol that requires several steps before a patch can be rolled out.
“It’s not that people are lazy or just don’t want to patch—that’s just unfair for the CIO organization, which would love to patch quickly but just can’t,” she said. “We need to be prepared for what’s coming, but it’s going to be hard.”