Why Bad Security Can Happen to Good People
Sometimes you can do everything right and still run into trouble. To see this in action, pay attention the next time you're driving at dusk -- for example during an evening commute, if you have one.
If you do this, chances are good that you'll notice at least one person with their headlights turned off. It's not that they're doing anything malicious -- they've just probably been driving for a while and haven't yet noticed that it's darker than prudence allows for engaging the headlamps.
Now, of course, this a safety hazard for the driver -- but it's also a safety hazard for everyone else, too. Their behavior -- unintentional though it may be -- puts the other drivers they share the road with at risk.
There's a lesson in this for information security practitioners. Specifically, those of us responsible for keeping enterprises secure need to be aware not only of our own security posture -- a hard enough job -- but we also to some degree need to be aware of the security posture of others around us.
Just like the drivers blithely tooling along with their headlights off are a safety risk to others besides themselves, so also do other firms potentially represent a risk to us. Even though we may be doing everything right or have a low risk of direct attack -- we're not a high-profile target, we have robust countermeasures in place, we manage our risk, we employ continuous monitoring, etc. -- we're still sharing the road with others who might not be equally diligent.
In practice, this can be a difficult situation to prepare for. After all, isn't it their own job to secure their own environment and don't we have limited options to effect change in someone else's environment? It is and we don't. However, rational self-interest dictates that, because of the impact to us, we should at least plan for what impacts there could be because of this phenomenon.
Of course, we can't ever make the problem go away entirely, but there are few things we can do to help quantify the problem so we can prepare.
Systematically Evaluate the Supply/Delivery Chain
First and foremost, it's important to recognize that the closer a relationship we have with an outside entity, the more likely it is that a security failure they have will have detrimental impact to us -- and the greater the magnitude of that impact. So the most obvious takeaway relates to those parties that are mostly directly supportive of our business: the vendors and service providers that help our business do what it does, and the customers and partners that we work with most closely.
For some industries -- particularly for those that are fairly rigidly regulated -- the supply-chain side of this isn't a new consideration. However, it's important to note that I'm not talking about vendor management exclusively, but instead about shared risk.
These are related, but still different. Why are they different? Because to analyze shared risk, we need to look at the supply chain, but we also need to look at business partners and customers as well. Because keep in mind that a customer's security misstep could put you at risk just as easily as a supplier's could. For example, consider back-channel communications you may have with a customer and the impact it could have in the wrong situation.
Because the supply side is easiest to address, a useful way to start is by evaluating the vendors and partners you are most dependent on and analyzing under what circumstances a security failure could impact you. Look at what mechanisms you have in place already to evaluate them, monitor their risk, receive notification of a security failure should it occur, and take appropriate action in response.
Use the Tools
If you already have a formal vendor governance or risk review initiative under way, maybe you're already done here. If you don't, leverage tools and methodologies to assist: efforts like The Santa Fe Group's Shared Assessments initiative and the Cloud Security Alliance's GRC Stack, for example.
For customers and partners, risk evaluation is harder, though still possible. It's harder both because it is probably uncharted ground -- since it isn't covered by a vendor-governance initiative -- and also because you don't have the same "I'm the customer, so make it happen" leverage. While you can use the same tools to do the analysis, you'll also need a bit of salesmanship to get a customer or partner to open the kimono to you.
However, by explaining to them what you are hoping to accomplish, why it might also matter to them, and what data they might expect to get back from you in return, you might be surprised at their level of receptivity and responsiveness. There will, of course, always be some firms you won't ever get traction with -- this happens -- but every firm you can get to work with you helps forward your position. So even a subset is a win here.
Understand Your Industry
However, looking at just the firms you are closest to isn't a full solution to the problem. In point of fact, even organizations to which you have no direct connection -- either as supplier or customer -- can have a security impact to your operations.
Don't believe it? Consider cascading failures in the power grid. As we all know, one generating facility going offline unexpectedly can, under the right circumstances, cause failures at otherwise-unrelated utilities. Likewise, a big-enough failure at one financial services firm can have impacts on other firms -- just look at the Great Depression. These are large-scale examples, but impacts can be caused in numerous smaller ways.
Of course, circumstantial differences will play a role in how these risk dynamics will play out in your particular organization and your particular industry, but one way to keep abreast is to keep an eye on industry-specific information-sharing resources related to information security.
For example, if you're not already participating actively in your industry's ISAC (Information Sharing and Analysis Center), now might be a good time to start. Industry-specific resources like HIMMS (healthcare) or EnergySec (power) -- to name just a few -- can be beneficial for peer networking and joint planning around cybersecurity. Active participation in these forums -- or even casual lurking -- can help you build an awareness of factors that impact your organization's risk profile.
The meta-point is, even if you are doing everything right -- and most of us are far, far from being in this state -- you can still be impacted by someone else's blunder. What this means is that, to minimize the impact if and when this occurs, we need to plan ahead.