Posted on Jun 13, 2017
Cyber Defenders Are Often Not Fired, When Others Would Be
Responses: 5
Oh f*** me, where to begin...
So first, the analogy is idiotic. Closing and locking a door is a proactive security measure. You have a physical entry point limiter that prevents intrusion unless extreme measures are taken. And most of PHYSEC operates like that. You have a space you want to protect, and you take measures to limit access to that space to all but authorized personnel. For example, your average bank. There are areas that the public accesses. They come through the door, go through roped lines to reach the teller, who is usually behind bullet-proof glass in an area that is only accessible by an interior door with a locking mechanism and possibly an armed guard nearby. Physical barriers that protect the authorized-only area from the general public area.
Networks? We don't have that luxury. Traffic flows in and out, on a regular basis, to all manner of locations, based on the company's policy. Yes, we have firewalls and we limit traffic to certain websites, or blacklist others. You have your DMZ areas that are often targets of pranksters. You have your internal networks that routinely go through attacks, and you hope you've done enough to secure them from the worst threats, but you've also got a company that needs to do business. You have holes in that defense. Intentional holes, because they're needed in order to operate. And the company knows this, and has to physically sign off on accepting that risk (in something that, shockingly, is called Risk Management).
Not to mention that most of cyber defense is reactive rather than proactive. You don't often have a clue that you're being penetrated until well after it starts, if you even catch it in the process. It's not like you see packets with black ski masks traveling through your fiber. You set your defenses as best you can. You hope you got the worst of it, you document the stuff you know you don't have, and you go live.
And I won't even get into 0-day exploits... the stuff no one knows about, except the crafty asshole that figured it out and is now selling it to the highest bidders.
Now... you have a network defender intentionally punch a hole in the firewall and let someone through? And you can prove it? That's not just firing. That's a criminal charge. And trust me, it's easier to prove that they intentionally did this than it is to prove that the donut-chomping rent-a-cop wasn't just negligent in leaving that security door unlocked.
SSgt Ryan Sylvester
SSgt GG-15 RET Jim Lint - Or a screenplay? Paul Blart: Cyber Cop?! Seriously, though, I do apologize for coming off a little harsh ("...a little?"). I just get a little frazzled when people make the equivalency between physical and cyber security. They are such drastically different disciplines, right down to the basic concept. For the laymen out there, physical security is an increasing security posture usually only limited by budgetary constraints. Cyber security is typically a decreasing security posture, baselined by those same budgetary constraints, and lowered to acceptable risk levels based on operational needs ("I'm sorry... did he say 'laymen' before all that?"). To put it in other terms... you give us enough starting budget, we can make your network so secure that even you won't be able to get in.
Obviously, that's not a good network.
Anyway, obviously you do have some good information in this article. Especially where the documentation is concerned. And obviously, there are conditions where cyber defenders probably ought to lose their jobs after an attack (seriously, Sony guys? Terabytes of data walked out before anyone noticed?). It's just that PHY/COMPUSEC that itched just the right way, heh.
SSgt GG-15 RET Jim Lint
SSgt Ryan Sylvester I agree with you on cyber, and you outline the same methods to limit access to the network: "Yes, we have firewalls and we limit traffic to certain websites, or blacklist others." We do have ways to control access to the network. Think of a zero day as a guy in a tank, or a hardened pickup truck, driving into a bank. It has been done. They will get the money if they try hard enough. It is the same in the cyber world. Standards exist in both places. Hold to the standards, and you have less chance of getting attacked. Weakness is what causes the attacks, in physical or cyber security.
SSgt GG-15 RET Jim Lint
SSgt Ryan Sylvester I just cranked out an article and sent it to my editors. I will get you a copy in a couple of days. They are fast. Thanks for stirring my brain! I think long ago, we thought that the bad pollution problem was horse crap on the road. (That was really described as pollution!!) The earth was flat, until Chris Columbus messed around... and got lost. In time, security will evolve.
Physical security specialists are trained for many different sectors such as government security, security for intelligence facilities, shopping centers, banks, and hospitals. No one is an expert in all of those sectors. You can find experts in those sectors, but the specialization is different for each. The standards for a Top Secret intelligence facility are much different from those for a hospital. A hospital is different from a bank, etc. With all of the knowledge needed for these sectors, why would anyone think they can also be experts in cyber security/defense?
SSgt GG-15 RET Jim Lint
SSgt Ryan Sylvester - I dedicate this article to you for your comments that stirred me up for a better article. //Cyber Security Professionals Must Prevent Attacks or Be Terminated// If you don’t patch a hole in your fence, people will think you are incompetent or lazy. If you leave a large hole in your building you should be fired for cause. Why do we not hold CIOs to the same standard of responsibility? It really is that simple. There will be new innovative hacks in the future. But any security professional who does not deal with existing vulnerabilities should be fired. http://incyberdefense.com/james-lint/cyber-security-professionals-must-prevent-attacks-terminated/
Cyber Security Professionals Must Prevent Attacks or Be Terminated
My recent article, “Cyber Defenders Are Often Not Fired, When Others Would Be” stirred responses from many physical security professionals.
The responses are interesting. We can NOT allow the answer that this is TOO hard to do. That is not a solution and not a way to defend. That sounds like retreat.
There is no building I can not get into. I am trained for surreptitious entry, leaving no signs. I can get into a lot of buildings without leaving marks. But for those with good Medeco locks, drills or C-4 will get me into the building, and I will leave marks.
I have been attending the largest hacker conference in the USA since 2005. There are lots of systems that are easy to get into. Those I can not, I know other people with better skills. MOST hacks are because a company or person failed in their security planning or upgrades. (Yes, we have upgrades in physical security. In the 1970s bollards were not as popular or used often. After 9/11, you had a hard time finding them to buy and upgrade your facilities. Use of bullet-resistant glass is an upgrade.)
Companies that do not upgrade their software are as stupid as those companies leaving a door open.
In a recent article, I wrote: "To better protect your own computer, update your operating system often. Microsoft issued the first patch to prevent the WannaCry attack in March 2017." (The ransomware hacks came two months later.) http://incyberdefense.com/news/wannacry-ransomware-leads-discovery-earlier-hack/
YES, that means all those THOUSANDS of idiots who got hit by WannaCry ransomware could have prevented it by following Microsoft's updates and upgrades TWO MONTHS earlier. I am not sure why Boards of Directors are not firing CIOs and senior IT managers. I am not sure why they are not firing CEOs who did not ensure their CIOs and IT managers implemented the Microsoft update patches.
Now, who wants to tell me that a company that leaves a man-size hole in the building wall for two months will not fire its Security Manager? Will that business's insurance company still cover a stupid company leaving a large criminal highway into a company building?
Leave a hole in your fence and people think you are stupid. Leave a large hole in the side of your building and you should be fired. Why do we not hold CIOs to the same standard? It really is that simple, when an OLD hack is exploited. There will be new innovative hacks, but those hit with old vulnerabilities should be fired.
@Steven Sherrill @Ryan Sylvester @LTC Michael Martin @Christopher Mueller
WannaCry Ransomware Leads to Discovery of Earlier Hack
There is a new attack related to the recent international WannaCry (also known as WanaCrypt0r 2.0) hack that occurred last month. As of May 14, this hack had affected more than 70,000 computers and netted the hackers at least $15 million.
Having worked in Security and Information Technology, it is comparing apples to cheeseburgers. Both involve protecting assets, and high risk, high reward targets will always be under threat; that is where the similarity ends. Physical Security is about protecting physical assets through a set of procedures which, when implemented and executed, make the assets less desirable to the criminal element. A building can be secured. Once the building is secured, maintaining security involves having people vigilant in their responsibilities for maintaining that secure environment. Cyber security is more fluid. A system connected to the web is constantly under threat because a locked door can be worked around. Hackers will build their own entrance, use that entrance to infiltrate, then attack. Even with constant vigilance, cyber security is guessing where the next attack will come from, and hoping that the defender is correct. It is a game of chess that resets on a moment-to-moment basis.
So in the first scenario, the breach is caused by failure to follow procedures. That can occur in cyber security too. In those instances, disciplinary action is reasonable based on the severity of the breach. In the second scenario, it is possible that all procedures were followed, but the attacker used an entry means not covered. This is also possible in physical security. When a breach occurs that the procedures are not prepared for, it is not reasonable for disciplinary action to be taken. In the case of Physical Asset Security, it is more likely that it will be a failure on the human side that leads to a breach. In the case of cyber security, it is more likely that a breach is caused by the attacker using a method that was not foreseen by the procedures.
In both cases it requires vigilance on the part of the security personnel. In cyber security, even vigilance will at times not be enough to prevent a breach.
SSgt GG-15 RET Jim Lint
PO3 Steven Sherrill Interesting, AMU posted this; I wrote it for them in another area. It is a good topic. As a DAME certified CI Agent, locks are a minor challenge... I do see that we can not say Cyber is different, and hard. Just as we have the ASIS Physical Security/Asset Protection standards, we also have cyber standards in US-CERT and NIST. Small adaptations from physical to cyber and we can do this. If not, what is the solution?
PO3 Steven Sherrill
SSgt GG-15 RET Jim Lint - The reality is that there is no solution. It is a disease without a cure. It can be treated, but it cannot be cured. The change that is happening is that the volume of digital assets is increasing exponentially, which means that the need to secure those assets is also increasing exponentially.