I was in a Barnes and Noble bookstore a few days go, pitching my new book, “Bullseye Breach,” to one of the folks working behind the counter. I know all the big decisions are always made at corporate headquarters, but nobody invited me to corporate headquarters and I have to start somewhere. So I started at this store.
While pitching for all I was worth, a lady who said she works at the Target Corporation Credit Department here in the Twin Cities walked up to the counter. Many have suggested I patterned my fiction story in “Bullseye Breach” after the real world Target breach – I’ll leave that for readers to judge. I had a copy of my book with me and she seemed interested. Which helped my ego tremendously. Those million book sales start with the first one.
We talked for a while and she said, “It’s a shame we’re all so vulnerable. No matter how big you are, no matter how much you’re loved in the community, no matter how much good you do, a group of crooks can still break in over the Internet and do this to you.”
That triggered a diatribe from me about believing press releases and people who should have known better not doing their jobs. I said lots of other things, most of it politically incorrect. To my surprise, she thanked me for being passionate about this topic and even insisted on buying the copy of my book I had with me on the spot. I walked away dumbfounded and grateful.
That encounter put a whole series of thoughts in motion. Since I insisted that organizations can protect themselves, that being a victim to cybercrime is not inevitable, what would I do if somebody actually invited me to corporate headquarters to provide advice and counsel to the CIO?
So here is the advice I would offer.
First is topology. Retailers, isolate your Point of Sale systems from the rest of your network and keep a whitelist for where they can interact. This is a shameless plug, but this is my blog so I can get away with it. Infrasupport builds firewalls using open source tools that can do this job nicely. Here is some information.
Set up automation to notify the right people if those POS systems try to interact with anything outside that whitelist. Other industries may have similar issues, but retail POS systems are special because untrained store clerks interact with them and they interact with payment processors across the Internet. Their interactions with the internal network and the rest of the world need to be strictly regulated and monitored. If the topology had been right, and the right people heeded the warnings, none of the sensational data breach headlines we’ve read about recently would have happened.
That leads to diligence. No matter what technology is in place, there is no substitute for human diligence. People are and always will be the last and best line of defense against attack. Train end users to stay away from the wrong websites and not to fall prey to phishing schemes. Run drills. Do probes. Test often and discuss results.
But even with the best diligence and awareness training and drills, a company with 1000 employees means 1000 potential attack vectors. Inbound spam filtering and outbound web filtering can help, but sooner or later, somebody will visit the wrong website or click on the wrong email attachment. That’s why the right people need to pay attention to the inevitable warning signs and take action when warranted.
Which leads to sharing. This is counter-intuitive, but the best way to defend against attack is to share how all the defenses work. In detail.
This comment to a Brian Krebs blog post deconstructing the 2014 Sally Beauty breach is a great example. It was a gutsy call for Blake Curlovic to publicly share the detailed information about this breach, both in the Krebs article and in subsequent comments, and the information he shared will be invaluable to future IT Departments fighting bad guys.
In cryptography, the algorithms are public. Everyone knows them. That’s why we have strong cryptography today – the surviving algorithms have all been peer and public reviewed, attacked, and strengthened. CIOs should operate similarly. Openly discuss security measures, expose them to public and peer review, conduct public post mortem incident reviews, publish the results, and adjust the methods where necessary.
Bad guys are already reviewing, discussing, and probing security in the shadows. Bad guys have a whole supply chain dedicated to improving their ability to plunder, complete with discussion forums and specialists in all sorts of dark endeavors. The bad guys have unlimited time and creativity and the good guys are out gunned and out manned.
Against such an adversary, what CIO in their right mind would want to stand alone?
This doesn’t mean CIOs should call press conferences to brag about the latest security tool. But CIOs should be visible at conferences and should contribute keynotes and other presentations in a running dialog to help continuously improve the state of the art. They should also be engaged in online forums discussing and refining the latest ideas. And when it makes sense to appear in front of the written and TV press, they should take the lead and use the forum to educate the public.
Smart good guys should join forces out in the open for the common good. Contribute to and profit from a thriving marketplace of good ideas and everyone wins.