Groundhog Day Security

I woke up this morning. Went downstairs to get a cup of coffee and stepped on a piece of Lego. Why does that happen so often?

Last week I sat in a restaurant in Munich listening to a security conversation at a nearby table that felt like it was from 1998. I was simply gobsmacked at the lack of comprehension that these two people seemed to possess. This is not to say that I’m fluent in German as these two people were in fact speaking English. They were apparently in some way associated with the field of Information Security but, it sounded like cats barking or a Kardashian discussing the finer points of the works of Jean-Paul Sartre.

I was overcome by a desire to jam a fork into my leg in order to keep myself from screaming only to discover the fork was already there. But, all kidding aside, how do we ensure that people are constantly updating their skill sets so that we are not inundated by the perpetual dunking birds? You know, the folks that learned a few things from the 90s but, never progressed beyond that point?

A perfect example of this is the flaming sword of justice security types. You know who I mean. If not a specific person you are aware of the personality. An information security practitioner that stands with their sword in the air and screaming “THOU SHALL NOT PASS” to the Balrog a la Gandalf really isn’t getting the point across. What were the circumstances that lead that Balrog to be there in the first place? What were the security controls which failed? Or were simply not there to begin with.

Rather than rushing in to defend the realm, we all need to do our homework. Yes, there are times where we need to defend against the attackers that crawl out of the primordial binary ooze of the Internet to assail our defenses. But, those should be the outliers. Time and again I read stories about companies being breached and their data being dragged across the Internet leaving the victim with the scarlet letter pinned to their suit jackets. These are organizations that have done the best they can with the resources that they have available to them. Or at least that is the hope.

Then we see the attack the spin motif. The CEO for TalkTalk stepped on a land mine of sorts when the statement was made that there was no legal obligation to encrypt financial information. Sadly, there is a point to be made here as the UK’s Data Protection Act of 1998 (.pdf) mentions “encryption” exactly never. It does allude to the idea but at no point does it call it out explicitly. They came out swinging using that as their defense much to the amusement of the world. That sticky bit notwithstanding it doesn’t absolve them of their need to put basic security controls in place.

We keep reading about these sort of stories. In some cases the responses make one slam one’s own head into a desk top with as much force as possible. We need to find a way to better improve our collective security posture that doesn’t include Internet shaming or anything so puerile. We need to have the flaming swords of justice beaten into clues so that we may all have them. This hamster wheel needs to stop at some point. Right? After all, “Freedom is what you do with what’s been done to you.”

How can we move forward? What are your thoughts?

I woke up this morning. Went downstairs to get a cup of coffee and stepped on a piece of Lego.