Hours After The Penetration Test, This CSO Revealed Something That Will Leave You In Tears

The latest hot topics in security get the news coverage and ultimately the attention of readers. Often that filters down through corporate politics into the organization’s priorities. Sometimes that’s great. In April 2014, when the Heartbleed bug was announced, that got people’s attention for good reason. Suddenly patching became a priority and resources were diverted to addressing the threats. Though it’s worth asking why patching wasn’t such a priority previously.

Usually the latest news articles really shouldn’t affect information security policies. Occasionally during a penetration test we’ll be informed that the CEO (or other C-level) is concerned about Advanced Persistent Threats or some other random newsworthy topic, and wants to know what we have planned to simulate those attacks. Generally we find that those environments suffer from the most basic security flaws: no segmentation, lack of patching, default passwords, etc. APTs should be the least of their concerns, but because it’s in the news it directs their focus.

Whether it’s a news article, a blog post, or the build-up to the latest security conference, marketing professionals are focused on grabbing our attention. And they’re good at what they do. The problem is that very subtle manipulations, intended to make an article seem more important, have a negative effect on our credulity, our skepticism, and on the ways that we unwittingly make decisions about media-ized information. If we’re not careful, they can literally rewrite our thought patterns and change our intentions.

In reality, the security controls that made us better yesterday will still make us better today. Our focus should be on consistency and completeness rather than chasing the latest hot topic. The latest bug may mean that someone stays late to push some patches through, but it shouldn’t mean that we have to suddenly figure out how to patch systems that we never touch. Learning that Target was breached through a third-party HVAC vendor might prompt a review of firewall rules, but it shouldn’t cause a sudden awareness that segmentation is important.

The danger of chasing the latest threat is that it becomes a merry-go-round ride from which we can never escape. There will always be something else to worry about. Instead our corporate security programs should be well defined with intentional, incremental steps. Tomorrow’s newsmaker may warrant a review of how it fits into the plan of securing the organization, but rarely will it require us to drop everything to stave off disaster.

The oft-used adage is that security is a journey, not a destination. When we get distracted by current events, there’s a tendency to think, “We have to fix XYZ to be secure.” That thought is dangerous because it indirectly implies that security is a binary state of being. You are or you aren’t. In truth we can work towards becoming more secure, but we will never get there. It’s like a real-world example of Zeno’s Dichotomy paradox.

One last example of this false sense of importance is demonstrated with compliance initiatives. The goal of compliance is to demonstrate security through adherence to some standard. Unfortunately many organizations make compliance the end-goal instead of the security it was intended to affirm. This is often called the “Check the Box Mindset.” Corporate focus, and therefore resources, can be dedicated towards proving compliance, sometimes to the detriment of security initiatives. We often see this in assessments where clients want to significantly restrict the scope of testing to reduce the chance of negative findings. A better approach is to be more inclusive of the testing scope, but allow us to write separate reports: one that covers only the compliant environment and another that speaks to the security of the entire system.

We live in a hostile world. Just as attackers are fighting for our networks, the media is fighting for our attention. And they both use incredibly creative means to divert our focus and exploit our tendencies. As security practitioners we have to intentionally set our plan and struggle to maintain it. Unexpected vulnerabilities and new attacks will occur, but very rarely should they require significant deviations from the plan.

Are you struggling to develop your security program, or not sure what to prioritize? Let us help. We work with organizations large and small to review your environment, outline areas of concern, and help build a strategy for improving your security posture.

Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you are in need of an architecture review, penetration test, or other security consulting services you can contact him at nathan@secureideas.com, on Twitter @sweaney, or visit the Secure Ideas site for services provided.