This is not another article about Petya, but rather a reaction to my recent TV interview about Petya and how it showed me that information security professionals need to do better.
We all know about Petya (AKA, NotPetya or GoldenEye) as the latest ransomware attack that wreaked havoc across more than 65 countries. I am confident that many information security professionals in large organizations are experiencing late nights thinking about the critical question from their board or CEO: “Is our organization vulnerable to this attack?”
I recently offered some comments on Petya in an interview with BNN: http://www.bnn.ca/technology/video/cyberattacks-will-keep-happening-here-are-the-risks-for-investors~1156681
During the interview, the host, Catherine Murray, asked a question that stuck in my mind:
“Having been in the security industry for so long, has anything really changed?”
I was taken aback. I know many of us in the information security industry are jaded, and feel we are not heard, we are not valued, and we are not set up to succeed. But here, someone from the outside expressed a lack of confidence and sounded jaded too.
That incident prompted me to write this article and ask readers to help me figure out what we as information security professionals can do better. I offer my thoughts. Please share yours.
At its core, the world today accepts that our software will, at some point, be hacked.
I am compelled to ask: Who is ultimately accountable? End users? The software industry? Or us, the security people?
I firmly believe that security starts with us.
We, the security people, are tasked with one of the most challenging jobs, and we are failing admirably. We don’t know how to communicate to the decision makers what they really should be spending their money on. I submit two premises to support my argument.
- We seem intrigued and fascinated by zero-day exploits rather than true software security. Just look at our conferences like DEF CON and Black Hat. With barely enough room for people to stand, we talk about the latest hacks or the latest techniques we discovered for breaking into a system. This zero-day culture that fascinates the security community signals to the security teams at corporations that they should spend more of their budget on reactive security or penetration testing.
- Decision makers use the risk posture of the infrastructure to measure the success of a security program. But when we look deeper at how that risk is actually measured, it comes down to the number of vulnerabilities found and fixed, or the number of patched systems. Since when does a count of vulnerabilities, on its own, provide assurance that software is secure?
I offer the following points as a set of objectives that we, as security professionals, should all be striving toward, and accepting no compromise:
- We will ask our software vendors to produce software that is “secure by default” and not “broken by default.”
- We will build metrics that map against security requirements.
- We will educate boards and CIOs on how to look at and measure security consistently.
- We will support an independent CISO function that is not hindered by a CIO’s objectives.
- We will help the end consumers actually feel that we can build a secure tomorrow.
Accepting these objectives is the first step toward a world where we can trust software to be secure. I truly believe it is possible.