Last week was the Rocky Mountain InfoSec Conference in Denver, where I gave a talk about BeyondCorp to a fully captivated audience – always a good feeling as a speaker. I wrote up a quick blog post about the event, with the slides from my presentation. Have a look:
https://www.scaleft.com/blog/a-call-for-proactive-security-at-rocky-mountain-infosec-2017/
Now it goes without saying that the big story over the past week has been the WannaCry ransomware attack. As he often does, Troy Hunt gives a solid breakdown of what happened (in case you’ve been living under a rock). Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware. For a deeper dive, the most comprehensive technical rundown of the malware itself that I could find came from Cisco’s Talos Intelligence. Player 3 Has Entered the Game: Say Hello to ‘WannaCry’.
Of course, when something of this global scale and impact hits the front page of the news, it brings out all the talking heads ready to cast stones every which way. Look, it’s easy to blame the users for still running old, unpatched versions of Windows. It’s also easy to blame Microsoft for allowing such insecure software to remain in use. It’s even easy to blame the NSA for developing the tools used in the exploit. This blame game only conflates the real issues, however, and we end up just spinning around in circles – until the next incident where the initial reaction is often “how did we let this happen?!”
So what should we be doing instead? As Steven Bellovin points out, patching is hard, but that shouldn’t necessarily excuse someone from doing their job, nor excuse a company from ignoring advisories. Microsoft is campaigning for a Digital Geneva Convention, but that seems unrealistic, and shifts much of the onus onto our government (which is a bad idea). Who is ultimately responsible, and what should the relationship between user, vendor, and government be when it comes to cybersecurity? Well, as James Governor puts it, “The truth - it’s complicated.” Can’t argue with that, but he then goes on to say, “As a society we need to begin to understand that disruption is not always good, that maintenance is not just a necessary evil, but rather something to celebrate.” Now we’re getting somewhere.
It seems to me that, like so many things in our industry, getting back to basics feels appropriate. The task of updating software is often our best deterrent, however boring it may be. Ironically enough, people need to be motivated to do the boring things in their jobs. I covered it in my BeyondCorp presentation, but a natural by-product of a Zero Trust architecture is better corporate security posture given how policies affect access controls. Let’s say the only thing stopping you from logging into the HR app you need to do your job is updating your software – you update your software! Boring. Easy. Secure.
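To make the “update your software or you can’t log in” idea concrete, here is an added example (my own illustration, not code from ScaleFT or from any BeyondCorp implementation) of a minimal access-policy check that gates an application on device posture. The application name, the policy fields, the version numbers and the sample devices are all constructed for illustration; a real deployment would pull device attributes from an inventory or endpoint agent rather than from literals.

```python
"""Added example: a tiny Zero Trust style policy engine that decides whether
a device may reach an application based on its patch level and posture.
All names, thresholds and sample devices are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Device:
    os: str                      # "windows" or "macos" in this example
    os_version: Version          # compared lexicographically, e.g. (10, 0, 15063)
    disk_encrypted: bool
    days_since_update_check: int  # how stale the device's update status is


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: List[str]           # empty when allowed; otherwise what to fix


# Hypothetical per-application policy. The minimum versions are constructed
# sample values, not a recommendation for any real OS build.
POLICY: Dict[str, dict] = {
    "hr-app": {
        "min_os_version": {"windows": (10, 0, 15063), "macos": (10, 12, 4)},
        "require_disk_encryption": True,
        "max_days_since_update_check": 7,
    },
}


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def evaluate(app: str, device: Device) -> Decision:
    """Return an allow/deny decision plus the concrete reasons for a denial.

    The reasons are meant to be shown to the user: the point of the policy is
    that the fastest way back into the app is to fix the device, not to file
    an exception."""
    policy: Optional[dict] = POLICY.get(app)
    if policy is None:
        # Fail closed: an application with no policy gets no access.
        return Decision(False, [f"no access policy defined for {app}"])

    reasons: List[str] = []

    min_v = policy["min_os_version"].get(device.os)
    if min_v is None:
        reasons.append(f"operating system {device.os!r} is not supported")
    elif device.os_version < min_v:
        reasons.append(
            f"{device.os} {fmt(device.os_version)} is below the required "
            f"{fmt(min_v)}: update your software"
        )

    if policy["require_disk_encryption"] and not device.disk_encrypted:
        reasons.append("disk encryption must be enabled")

    if device.days_since_update_check > policy["max_days_since_update_check"]:
        reasons.append(
            f"update status is {device.days_since_update_check} days old; "
            f"run an update check (limit {policy['max_days_since_update_check']} days)"
        )

    return Decision(allowed=not reasons, reasons=reasons)


# Constructed sample devices: one current, one that has skipped its updates.
UP_TO_DATE_LAPTOP = Device("windows", (10, 0, 15063), True, 1)
STALE_LAPTOP = Device("windows", (10, 0, 14393), True, 30)
UNMANAGED_BOX = Device("linux", (4, 9), False, 0)


def demo() -> Dict[str, Decision]:
    """Evaluate every sample device against the HR app and return the results."""
    return {
        "up_to_date": evaluate("hr-app", UP_TO_DATE_LAPTOP),
        "stale": evaluate("hr-app", STALE_LAPTOP),
        "unmanaged": evaluate("hr-app", UNMANAGED_BOX),
        "unknown_app": evaluate("payroll-app", UP_TO_DATE_LAPTOP),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        status = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:12s} {status}  {'; '.join(decision.reasons)}")
```

Two design choices carry the security point: the engine fails closed when it has no policy for an application, and every denial names the specific remediation, so the user’s shortest path to the HR app is patching the device rather than arguing with the help desk.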
As this incident passes, let’s hope we can look forward to solving real challenges instead of continuing to recycle the same ol’ lecture series.
Here are a few additional things that caught my eye this past week.
The best security? Have Zero Trust, says expert [TechRepublic]
The co-author of the upcoming O’Reilly book on Zero Trust networks, Evan Gilman, did a Q&A with Matt Asay. They cover some of the advantages of moving towards Zero Trust, and how companies other than Google can get started down the path. Sage advice from someone who has gone through it.
Energy Is Embracing Zero Trust, All Industries Should Too [Forrester Blog]
The term Zero Trust originated from Forrester, and they continue to focus on the topic. Here Stephanie Balaouras points out what’s going on within the energy industry with regards to microgrids, and how the concept is similar to the Zero Trust model. While an interesting observation, I still believe that microsegmentation is missing the point – Zero Trust shouldn’t be about making a smaller perimeter, it should be about making a more direct relationship between users and resources.
Decomposing security risk into scenarios [Medium]
When Ryan McGeehan writes a post, you stop what you’re doing and read it - every time. Here he breaks down common threats and responses into more digestible tabletop scenarios in the hope that the story makes the desired outcome clearer. I’m a fan of this approach, as I’ve mentioned before in the context of writing Job Stories to determine the right Access Policy framework.
What Developers Don’t Know About Security Can Hurt You [DarkReading]
Peter Chestna explains the knowledge gap many developers face when it comes to security, and what can be done to close it. Instead of playing the blame game, he shares some practical advice for training and enablement in a way that developers will welcome. Sound advice.
Third Party, Insider Access Rages Out of Control [InfoSecurity Magazine]
Yet another study pointing out the threat of insiders and third parties, this time conducted by Bomgar. Privileged access continues to be something that companies struggle with, which the data continues to reinforce. The traditional approach has been to wrap a management layer around privileged credentials using a PAM product, but that’s really just a duct tape solution in my opinion. To me, it takes a new architecture to get to the heart of the challenge, which is exactly what Zero Trust is.
That does it for this week. Check back this time next week for another set of relevant news, articles, and events. Cheers,
Ivan at ScaleFT