Educated and talented people don’t make assumptions, right?
Wrong.
Making an assumption is part of your everyday decision-making process. Denying that you make them is actually quite foolish as I wrote about in "How to avoid a crash landing in cyberspace."
For the purposes of this blog, let’s agree that these unconscious beliefs can be quite dangerous when they go unchecked. Consider phishing and how frequently humans open an email or social media link without thinking and then provide sensitive information assuming it’s safe, or assuming that their IoT will not compromise their security or lead to a hack.
Greg Conti, Director of Security Research at IronNet Cybersecurity, and I have been studying the role of assumptions in daily cybersecurity decisions with the goal of helping people within organizations—from CSOs and their engineers to CEOs and their policymakers—make better cybersecurity decisions. More specifically, our goal is to heighten your awareness when a dangerous assumption is in play so that it can be addressed before it leads to an unproductive action. Below are a few of Greg's and my favorite dangerous cybersecurity assumptions. It would be great if we as an industry could collectively raise people’s awareness of the cyber/InfoSec assumptions being made, as a way to enhance overall security and defense.
Feel free to contribute your own dangerous cybersecurity assumptions at the end of this blog.
Dangerous cybersecurity assumptions
1. I have a well-trained and reliable workforce that I can trust to do the right thing
Regardless of what you think of Snowden, his action of releasing classified info was a surprise and a severe security breach. While a CSO should trust the people in his or her department, what steps is the CSO taking to explore this “trust” assumption in order to minimize the damage a rogue employee could do? How do you address the reality that the best cyber analysts and engineers must maintain some paranoia to think like the enemy (think of Gene Hackman in The Conversation)? Furthermore, how do you help those employees keep that paranoia strictly to the task at hand?
2. Biometrics are better than passwords
Say your company just made a huge investment in biometrics to deter hacking and now assumes everyone’s identity and information are safe. But as you know, anything can be hacked. Just ask German defense minister Ursula von der Leyen, whose fingerprints were digitally lifted by Starbug, aka Jan Krissler, as a way of demonstrating that biometrics are vulnerable. So how do you prepare your management to acknowledge this assumption and minimize cyber laziness? More importantly, how can you help them challenge this assumption so the organization takes more realistic, adaptive security measures?
3. Algorithms don’t make assumptions
People put a lot of faith in algorithms. Too much faith. The Economist magazine reported a study by Swedish scientists that revealed how over 40,000 fMRI studies were based on algorithms that contained faulty assumptions. This study demonstrates that damaged algorithms often go unchecked as they continue to get integrated into other programs. More frightening, there is no infrastructure in place to investigate coding-biased assumptions as it would be both costly and time-consuming. To challenge this assumption, ask questions such as: What algorithms are your firm most dependent on? How much testing do you do to affirm their accuracy? Is your culture open to challenging the accuracy of the algorithms employed?
Getting people to acknowledge that they make assumptions, helping them identify them, and then encouraging them to challenge them are important steps in any Cyber/InfoSec decision-making.
Guidelines to help address cybersecurity related assumptions
- Recognize that with increased automation comes both increased efficiency and increased security risk.
- Help others understand that your adversary is an adaptive thinker who challenges your security assumptions in new ways every day.
- Raise and challenge your organization’s important security assumptions on a scheduled basis.
- Encourage others to see the world in the context of the threat actor you are defending against versus just seeing the world from their point of view.
Helping your organization overcome the bias that making assumptions is a “bad thing” is key. Getting them to challenge their assumptions is crucial to enhancing cybersecurity success at all stages of the decision-making process.
After all, everyone makes assumptions on a daily basis, even algorithms.