Is the Security Profession too Arrogant?

It is always interesting to see the comments that we get back from our presentations. This was especially true after our most recent RSA presentation on Advanced Persistent Security, a follow-up to our 2015 presentation, The Sophisticated Attack Myth, where we discussed that the most notable cybersecurity attacks were not due to sophisticated attackers, but rather a lack of basic security precautions.

Simple enough. 

Our presentation this year provided some new case studies on recent attacks and highlighted the simple flaws that led to or enabled major compromises. It was unavoidable to conclude that the most devastating attacks could have been stopped with the application of basic countermeasures, including not putting passwords on television.

Yes, a devastating attack against a major television network, attributed to ISIS, was enabled by passwords being broadcast on television.

After we gave our presentation, the feedback provided directly to us was great, as always. People approached us to acknowledge that it was refreshing to hear that failure was acceptable. They appreciated hearing how the simple things that they try to instill in their security programs were as important as they thought. We were stopped in the hallways and in the streets and told how valuable people found the session. 

It was, however, no surprise that, when we received the formal evaluations, they were not all as glowing as the initial comments. (Frankly, it appears that an average of three people show up to Ira’s talks just to give him the worst possible evaluation. They are his most loyal followers.) On this occasion, there were also a handful of comments lamenting that the presentation was more basic than they would like, expressing wishes that we cover new ground or more sensational technical depth.

Our short response is this: what we proposed is an advanced method for implementing what should, in fact, be basic countermeasures. We stated during the presentation that we, on behalf of the security community, were embarrassed that we had to state the importance of implementing the most basic of countermeasures, which sadly included time-honored, but bottom-of-the-barrel controls, like preventing password sharing and posting.

This was exemplified by the broadcast of usernames and passwords during a television news program and the breach that ensued. The breach, perpetrated by ISIS sympathizers, brought a television conglomerate down for several days. We are not making this up. 

We are not dumbing the security problem down or making fun of the woebegone. The simple fact is that these simple countermeasures, however pedestrian or strategic in their application, have to be stated. Organizations are not implementing them, and they are losing billions of dollars every year.

We applaud those who desire advanced technical insight, and agree that there is a need for advanced topics to be addressed at RSA Conference. However, we also need to always focus on the basics.

Failing to properly apply basic countermeasures is the source of tremendous loss in the industry.

We understand and share the fascination with the cutting edge. However, what kind of hubris does it take to believe that an appetite for the incredibly complex is the solution in an industry that demonstrates apathy and/or a lack of consistent proficiency to implement the most basic countermeasures?

We do give presentations on architecting detection systems, investigating seemingly advanced intrusions, advanced social engineering and espionage techniques, designing awareness programs, among other advanced topics. However, when we were given the honor of speaking in the Industry Experts track at RSA Conference, we wanted to deliver a presentation that would provide the most value to as many people as possible. 

Many people who attend RSA Conference are well aware of the basics. But even those who are could benefit from hearing about more effective ways to implement those basics. At a minimum, they should accept that the current slew of data breaches demonstrates a critical need to better understand and apply the basics.

Security professionals need to acknowledge that the biggest problems we are experiencing today result not from advanced attacks that require advanced security countermeasures, but from simple attacks that succeeded because countermeasures were missing or poorly implemented.

When Rob Joyce, Chief of the NSA’s Tailored Access Operations (its elite hacking organization), was asked about the NSA’s use of zero-day attacks, he replied, “Persistence and focus will get you in.”

The most effective hackers in the world rely upon the weaknesses in their targets, not on specialized tools. The Verizon Data Breach Investigations Report has shown this to be the case as well.

So, are security professionals too arrogant to accept that a focus on the basics is infinitely more important than any advanced tool or technique? 

For some people, the answer is definitely yes.  However, those people are comparatively rare. (And no, you are not automatically arrogant if you didn't like our presentation or our presentation style!) Many people understand the importance of the basics, and want to know where to start. Working with the RSA Conference editorial team, we will be writing a series of articles that highlight the advanced use of the fundamentals in different areas of security.

To that end, we welcome topics that you want to learn about.


Ira Winkler, CISSP, is President of Secure Mentem, and can be reached through http://www.securementem.com. Araceli Treu Gomes is a Subject Matter Expert-Intelligence and Investigations. They both cohost The Irari Report. They will be speaking at RSA Conference Asia Pacific & Japan 2016 in Singapore on Friday, July 22, 2016: Fighting 'Sophisticated' Attacks with Advanced Persistent Security.
