Who doesn’t love a good computer security “cowboy”? That’s a man or a woman who is a recognized authority in their field of expertise, who groks their subject, who is truly a subject matter expert.
When there is a crisis, everyone wants at least one cowboy on the solution team. They are usually passionate about what they do, and they seem to have a natural ability to recognize and fix whatever the problem is faster than most.
The more experienced I’ve become, the more I also like the exact opposite – the competent generalist who sees the big picture. Every team needs a bit of both.
I’ve come to better appreciate defenders who can see beyond the current crisis, who look for the ultimate reason for how the current problem became a problem and then suggest how to fix it.
Good defenders like to map an organization’s individual computer security defenses to a capability maturity model. Capability Maturity Models (CMMs) ask observers to rank how well-developed and mature a particular process or control is compared to the best imaginable process or control for mitigating the same risks. Computer security professionals can also be ranked along a CMM continuum from immature to completely mature. The best computer security professionals are highly technical, but they look at every problem in a mature, broader way.
The best defenders ask the right questions. What was missing that allowed something to become a problem? Was there a missing policy or tool that could have helped? Why did that person make that mistake? They wonder, if I change nothing, can a similar mistake happen in the future?
The Best Computer Defenders
The best computer security defenders always look past the current problem and ask, how did it get this way? The better they are, the further they look up the chain of causation. Here are the basic maturity steps for any computer security issue:
- Detect the risk/threat/damage
- Stop damage from spreading
- Stop damage from happening again
- Close vulnerability
- Examine how vulnerability happened
- Look for additional, related vulnerabilities with same causation
- Implement new controls (policies, tools, education) to stop it from happening again
- Automate process or control so the vulnerability cannot happen again
Examples
Let me give you three real-life examples:
1. Software Vulnerability
I worked at Microsoft for 12 years (and some years before that as an external consultant). As anyone knows, Microsoft is constantly challenged with closing known vulnerabilities. In any given year, they will have at least 100 to 120 separate publicly announced security bugs they need to close.
One of the things that Microsoft is good at is in evaluating a reported bug across their entire software universe. It wasn’t always that way. Over two decades ago, someone would report a bug in Microsoft Outlook and Microsoft would fix “that bug”. But then, someone would find the same or very similar bug somewhere else in Outlook, and Microsoft would have to patch that problem with a second patch. And then someone would find the same bug in Internet Explorer or Microsoft Word, and so on. It seemed that some of the bugs reported to Microsoft would be found over and over again in the subsequent months. It was a hassle for everyone involved, including Microsoft and its customers.
Microsoft still has some of those issues (i.e., similar bugs found over and over), but in most cases Microsoft now does an excellent review of any reported bug. First, any significant, critical bug gets reported to all the programming teams. They hold at least a weekly, if not daily, call on which all the major software development teams hear each reported critical bug. Each team is tasked with making sure they don’t have a similar issue in their own code, and with reporting and fixing it if they do. These days, if someone ends up having a similar bug found in their code as was previously reported, everyone is asking how and why it didn’t get discovered and fixed previously.
Further, if the bug is fairly common and recurs a lot, Microsoft places it on its official list of banned things and often tries to update its software development tools so it can’t happen in the first place. This leads to the second example.
2. Hard-Coded Passwords
During one risk review, it was found that hard-coded login credentials were a top reason for malicious compromises in Microsoft’s sites and services. This is where the developer either accidentally leaves login credentials in their code, which others can see and/or use, or they intentionally put them in the code and don’t realize how risky they are.
When Microsoft found out that hard-coded credentials were a top risk, they did the following:
- Placed hard-coded passwords on their list of banned things
- Educated developers so that they knew hard-coded login credentials were bad as part of their Security Development Lifecycle (SDL) education campaign
- Created corporate policies against hard-coded passwords
- Updated software tools to avoid allowing hard-coded credentials (where possible)
- Updated vulnerability finding software to look for and alert when hard-coded credentials were found
- Updated the code repository software so that developers could not even “check in” code that contained hard-coded login credentials
And just like that, Microsoft software now has far, far fewer hard-coded login credentials.
What you see is maturity in the response. Microsoft went from mere education and policy, to looking for and eradicating other instances of the same problem, to stopping it from ever being able to happen in the first place.
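The last step above, refusing the check-in itself, is the kind of control a repository hook implements. The following is an added example and not Microsoft's tooling or the original post's code: it parses a staged git diff, applies a small illustrative rule set to added lines only, filters obvious placeholders so developers do not learn to ignore it, and exits non-zero on a hit. The rules and the staged diff it scans are constructed assumptions.

```python
import re
import subprocess
import sys

# Illustrative rules (an assumption here, not Microsoft's real rule set); 'value' is what the placeholder filter inspects.
RULES = [
    ("quoted credential", re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)["']?\s*[:=]\s*["'](?P<value>[^"']{4,})["']""")),
    ("connection string password", re.compile(r"""(?i)(?<=;)\s*(?:password|pwd)\s*=\s*(?P<value>[^;"'\s]{4,})""")),
    ("AWS access key id", re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b")),
]
# Obvious non-secrets: flagging these would teach developers to ignore the check.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|password|example|x{3,}|\*{3,})|<[^>]+>|\$\{?[A-Z_]+\}?|os\.environ|getenv|process\.env")
# Constructed staged diff: one credential removed, two added, plus a placeholder and an env lookup that must not fire.
SAMPLE_DIFF = """\
+++ b/app/db.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = "hunter2-prod"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+CONN = "Server=db01;User Id=sa;Password=Pr0dS3cret!;"
+API_TOKEN = "<insert token here>"
+AWS_KEY = "AKIACONSTRUCTEDKEY01"
 print("ready")
"""
def scan_added_lines(diff_text):
    """Return (path, new_line_no, rule, text) for every added line that matches a rule."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            line_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1  # new-file start of this hunk
        elif raw.startswith("+"):
            line_no += 1
            text = raw[1:]
            for rule, pattern in RULES:
                m = pattern.search(text)
                if m and not PLACEHOLDER.search(m.group("value")):
                    findings.append((path, line_no, rule, text.strip()))
                    break
        elif raw.startswith(" ") or raw == "":
            line_no += 1  # unchanged context advances new-file numbering; removed ('-') lines do not
    return findings

if __name__ == "__main__":  # pre-commit hook: inspect only what is about to be committed
    staged = subprocess.run(["git", "diff", "--cached", "--no-color"], capture_output=True, text=True, check=True).stdout
    hits = scan_added_lines(staged)
    for path, line_no, rule, text in hits:
        print(f"{path}:{line_no}: {rule}: {text}")
    sys.exit(1 if hits else 0)  # non-zero exit status makes git reject the commit
```

Run against SAMPLE_DIFF, only the connection-string password (line 3) and the AWS key (line 5) are reported; the removed password, the placeholder token and the environment lookup are not.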
3. Phishing Campaign
All our organizations get besieged by phishing and social engineering every day. And despite our best policy and technical controls, some of it slips by to end users. In fact, phishing and social engineering are responsible for 70% to 90% of all successful malicious data breaches. You need a great security awareness training program that teaches everyone in the organization to have a healthy level of skepticism and how to spot and react to phishing attacks. That’s job number one.
Defenders must monitor and tabulate incoming phishes to note whether or not they have a new, persistent phishing campaign that is secretly trying to break into your organization. If all you do is successfully block phish-after-phish, you might miss the bigger picture. I was at one Fortune 5 company last year where, because no one was reporting or noticing a particular new spear phishing attack, the foreign attackers were able to get dozens of legitimate login credentials before the company shut it down. It was only on the 900th person who attempted to respond to the phish that someone in the organization noticed that the phishing campaign was targeting C-level employees more than most, and someone decided to check to see if employees were being fooled. They were.
If you use our products, you can use PhishER, reporting, and other components we have to get that sort of data and put a quicker end to them. But even if you don’t use our products, you need to approach your organization’s phishing activity in a mature, thoughtful way. What subjects are you seeing being used against your organization? What new tricks are you seeing? What is most successful and why? Use those subjects to educate and train your end-user base. Don’t just stop phishing one-at-a-time. Use developing trends to put down new phishing sooner and better.
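The tabulation described above, as an added example with constructed data (not PhishER or the original post's code): user-reported phishes are grouped into campaigns by sender domain and a normalized lure (reply prefixes, case and ticket numbers stripped), and each campaign's executive share is compared with the executive share of the whole staff directory so a cluster aimed at C-level staff stands out. The staff list, reports and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed data: a 100-person directory (4 executives) and a few days of user-reported phishes.
STAFF = {"cfo": True, "ceo": True, "coo": True, "cto": True, **{f"user{i}": False for i in range(96)}}
REPORTS = [  # (reported_at, sender_domain, subject, recipient)
    ("2023-05-01T09:02", "acme-invoices.example", "Overdue invoice #4471", "user12"),
    ("2023-05-01T09:40", "acme-invoices.example", "RE: Overdue invoice #4472", "user40"),
    ("2023-05-02T08:15", "acme-invoices.example", "Overdue invoice #4480", "user7"),
    ("2023-05-02T11:05", "board-docs.example", "Q2 board deck for your sign-off", "cfo"),
    ("2023-05-02T11:06", "board-docs.example", "FW: Q2 board deck for your sign-off", "ceo"),
    ("2023-05-03T07:55", "board-docs.example", "Q2 board deck for your sign-off", "coo"),
    ("2023-05-03T08:10", "board-docs.example", "Q2 board deck for your sign-off", "user3"),
    ("2023-05-03T16:20", "hr-portal.example", "Updated benefits enrollment", "user55"),
]

def normalize_subject(subject):
    """Collapse the variations one lure produces: reply/forward prefixes, case, numbers, spacing."""
    s = re.sub(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", "", subject, flags=re.I)
    s = re.sub(r"\d+", "<n>", s.lower())
    return re.sub(r"\s+", " ", s).strip()

def find_campaigns(reports, staff, min_reports=3, exec_ratio=2.0):
    """Group reports into campaigns (sender domain + normalized lure); flag those skewed toward executives."""
    baseline = sum(staff.values()) / len(staff)  # share of all staff who are executives
    clusters = defaultdict(list)
    for _, domain, subject, recipient in reports:
        clusters[(domain, normalize_subject(subject))].append(recipient)
    campaigns = []
    for (domain, lure), recipients in clusters.items():
        if len(recipients) < min_reports:  # a one-off phish is not yet a campaign
            continue
        distinct = set(recipients)
        execs = sum(staff.get(r, False) for r in distinct)
        exec_share = execs / len(distinct)
        campaigns.append({
            "sender_domain": domain, "lure": lure, "reports": len(recipients),
            "distinct_recipients": len(distinct), "exec_share": round(exec_share, 2),
            # executive-targeted if exec share is well above the directory baseline and not a single outlier
            "exec_targeted": execs >= 2 and exec_share >= exec_ratio * baseline,
        })
    return sorted(campaigns, key=lambda c: (-c["exec_targeted"], -c["reports"]))

if __name__ == "__main__":
    for campaign in find_campaigns(REPORTS, STAFF):
        print(campaign)
```

On the constructed data the board-deck lure surfaces first: four reports, three of them from executives against a 4% baseline, while the invoice lure is a campaign that does not target executives and the single HR report is below the campaign threshold.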
My Challenge to You
Any time you come across a security issue, be it a misconfigured firewall, a phishing campaign, a turned off security service, or whatever, ask yourself, “How did this happen?” Don’t just fix the issue and move on with life. To be the best computer security defender you can be, ask yourself, what missing things allowed this to happen? Is it happening anywhere else? How can I find out? What policies, tools, or training can I implement to stop it from happening again?
And you should do this across all controls and defenses, until it becomes the way you naturally think. Because it turns out those hot-shot computer security cowboys who seem so natural at being smart and solving those difficult issues…they got there by thinking about the problems more and better than anyone else. They weren’t born smart. They got smart by not stopping at resolving “just” the issue at hand. You, too, can be a leader of the pack (if you aren’t already) by looking at the big picture and solving problems more completely than others.
“If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes.” – Albert Einstein.