Join Paul Ducklin and SolCyber CTO David Emerson as they talk about the human element in cybersecurity in our new podcast TALES FROM THE SOC.
In this episode, our co-hosts offer their usual mix of gentle humor and sound advice to help you Beware The Snow Of Marketing.
Find Tales from the SOC on Apple Podcasts, Audible, Spotify, Podbean, or via our RSS feed if you run your own podcatcher app.
[FX: PHONE DIALS]
[FX: PHONE RINGS, PICKS UP]
ETHEREAL VOICE. Hello, caller.
Get ready for “Tales from the SOC.”
[FX: DRAMATIC CHORD]
DUCK. Hello, everybody.
Welcome back to “Tales from the SOC.”
I am Paul Ducklin.
And I am joined, as usual, by David Emerson, CTO and Head of Operations at SolCyber.
Hello, David!
DAVID. Hey.
DUCK. That was very abrupt!
DAVID. [LAUGHS]
DUCK. David, I’m going to try out a topic on you.
It’s based on an article we published recently on the SolCyber blog entitled Encryption in the Spotlight: Cure or Curse?
Now, we can talk about encryption, but it’s actually the general feeling of this article that I want to dig into, and I’ll just read from the summary that I put in there:
“Has our widespread use of encryption given us a false sense of security by luring us into assuming that if our data is safe a lot of the time, we can pretend that it is safe all of the time?”
And I think that goes beyond just encryption to a lot of aspects in cybersecurity, doesn’t it?
DAVID. Yes, it absolutely does.
It speaks to a lot of aspects of cybersecurity; it speaks to a lot of aspects of any asymmetric defense posture that you’re going to assume.
So, physical security, as well, has plenty of paradigms that would speak to what that blog entry essentially illuminates.
DUCK. So you think, “Well, I’m surrounded by encryption.”
I’ve got encryption at rest on my hard disk; I’ve got encryption in flight, in transit, in my browser…
…what could possibly go wrong?
And yet we’re having more and more breaches, as we’ve spoken about before on the podcast, where what gets stolen is completely unencrypted data.
So what can we do about that from a cybersecurity standpoint?
DAVID. A lot of it’s education.
Some of it is marketing, and I think that the education of the population, which receives a lot of the marketing in cybersecurity, needs to take the form of, “Hey, NordVPN is on every YouTube video, but buying seven subscriptions to NordVPN for your entire family does not mean that suddenly they don’t need anything else.”
Buying NordVPN for your enterprise doesn’t mean that you’ve covered the vulnerabilities intrinsic to operating mobile devices, let’s say.
And it’s no different than anything else in the more relatable real physical world where we know, perhaps intuitively or perhaps through object lessons, that you can’t fill a toolbox with hammers and expect to do almost any project.
Six hammers is not going to get you through a day, if what you need is hand tools.
DUCK. [LAUGHTER] You can put in bolts and screws with hammers, but it doesn’t end well.
DAVID. I mean, you can secure your traffic with a VPN, but that doesn’t mean it’s going to deflect all other attacks.
DUCK. Yes, you’re securing your data in transit, but then you’re simply exposing yourself to exactly the same risks as you had before from somewhere else.
It doesn’t mean that if you visit a phishing site, the VPN will magically say, “Hey, don’t put your password in there.”
If you’re determined to do that, you can do it whether you’re using encryption or not.
DAVID. Yes, I think some of it goes back to a tendency ‘to do.’
People have, especially when they’re uncertain, a tendency to do things that they can relate to, or that they feel are necessary, or that they’ve been told are necessary.
There’s this concept in engineering, in infrastructure and software development, of bikeshedding, which is to say people will discuss the construction of a bike shed in great detail, almost to the exclusion of the possibility of actually building the bike shed because they’re so busy discussing it.
But if you propose a nuclear power plant, that won’t be up for discussion for more than five minutes.
It’s a hyperbolic example, but the point is that everyone can relate to a bike shed.
A bike shed is something that they can construct, that they have opinions about.
No one can relate to a nuclear power plant; no one person understands the entirety of what’s necessary to build one.
So, there’s a lot more surface area in a discussion about something as simple as a bike shed.
And it’s the same thing when you get to something like a VPN.
If you take a step back into the real world… I mentioned hammers.
DUCK. [LAUGHS] I’m just picturing a toolbox full of hammers!
Small; medium; large; ball-peen; lump; sledge…
DAVID. [LAUGHS] And all you needed was a Torx driver.
But yes… nine locks on a door don’t make that door necessarily safer.
I mean, perhaps it makes the specific element, the door, more resistant.
But it also could just cause a criminal to find another way around.
Or maybe the door has a window that can simply be unlocked and defeated.
But it was the thing that person could relate to: they were sold a lock; they were sold a notion that the lock was a good lock.
It might be a good lock…
There are VPNs that are good VPNs; I don’t mean to say that NordVPN doesn’t work – it might.
But it’s not necessarily the holistic solution you were looking for.
DUCK. Exactly.
You’re not saying there’s anything wrong with the idea of using a VPN.
There’s something fantastic about encrypting all your network traffic.
But it doesn’t stop you going to the wrong site.
It doesn’t stop you allowing people into your computer from the other end.
It doesn’t protect you from those scammers who call up claiming to be from Microsoft, getting you to install TeamViewer and letting them in over the VPN, fully encrypted and fully protected.
As you say, it’s not a holistic solution.
DAVID. But it’s the thing that someone could relate to, or it’s the thing that they felt like they understood.
DUCK. Exactly.
Although the details are important, the bigger picture and how we all interact is just as vital, isn’t it?
DAVID. It is, and there’s a lot of surface area to it.
Bikeshedding is an accessible example.
But in many other forms of technical practice, you see the same thing, even among technical people.
If you’re building a back end, perhaps for a web app, your team can debate all day whether they’re going to use Go, or whether they’re going to use Rust, or whether they’re going to use Perl, or whatever.
I mean, there’s a million different ways to solve that problem.
DUCK. And you know what will happen, David?
They’ll end up using all three of them.
Plus Java, of course.
DAVID. [LAUGHS] The real debate needs to take a step back, right?
DUCK. Yes.
DAVID. It needs to acknowledge that there’s an architecture here, and that it doesn’t necessarily matter if you’re using…
…well, maybe Go is a lot easier to deal with the back end of an API, and maybe Rust is a little bit safer, and whatever.
But the point is that it isn’t necessarily the minutiae that are going to matter, the minutiae that these people can relate to, or have opinions about.
It may be the architecture.
And it’s the same thing with cybersecurity.
You have to take a step back and think about what you’re doing to protect the surface area you have, not just what you’re doing to protect the one thing you feel like you know what to do about… VPNs, or encryption, or whatever it may be.
DUCK. Yes, and the classic problem with encryption is that it’s not a complete solution on its own.
It’s part of what you need to do.
But as the old saying goes, “You’ve done the first 90% of the work; you still have to do the other 90% of the work.”
DAVID. And sometimes it’s not even implementation.
One of the things that we talk about in our security awareness training is to check the lock for encrypted websites, right?
As in, “Don’t engage with a website in a sensitive context that isn’t using SSL, HTTPS.”
But that’s a little misleading.
It’s not to say that if the padlock’s there, you’re absolved of all further critical analysis.
DUCK. Absolutely!
You want the encryption in transit, whether you’re talking to a criminal or not, so that the other 7.9 billion people in the world can’t read what you’re doing along the way.
And, importantly, so that all the people along your network path can’t just randomly modify what you get back and trick you into seeing fake content, or inject malware into any old site you visit.
So it’s a vital part of what you’re doing, but it doesn’t complete the picture.
DAVID. So, turning the discussion around a bit, what can a user do?
What are they to do?
If it isn’t, “Buy 7 VPNs”?
If it isn’t, “Make sure you get an almost unusable Android phone running GrapheneOS where you can’t install any apps”?
What is it they can do to holistically protect themselves?
I think that’s the fundamental problem, and I don’t know that there is a clean answer to this.
DUCK. Thinking about the problem as a whole is very important.
And also remembering that, even though you can’t solve the problem on your own, you can help everyone else get along a bit.
The give and the take is really, really important, and living entirely by rules is not going to get you there.
Following the things that feel like they’re great because, hey, you’re seeing ads for them all the time, and the industry is talking about them all the time, doesn’t necessarily solve your problem either.
In fact, it could make it worse.
DAVID. I always advocate that people think about disclosure, that they think about confidentiality and the data that they’re handling.
And that’s what we advocate for in our trainings, mostly because it breaks you out of this prescriptive mold of doing it by rote.
And even if you could, what would be the point?
Is there a situation that exactly aligns with one of the ones that has already been contemplated and is in that matrix?
Think about it as, “What is it I’m doing?”
What is on that laptop, for example, that I’m thinking about encrypting the base disk of?
Encrypting the base disk of a laptop is easy to do.
It’s computationally inexpensive nowadays; it’s a great idea; you should just do it.
But it doesn’t absolve you of any further action, right?
And the reason is that there’s something on that laptop that one day you will want to power the laptop on and access.
And in that moment, it is unencrypted.
DUCK. Absolutely.
DAVID. Instead of thinking about it as, “Oh, I have encrypted my base disk of my laptop, I’m done”…
…think about it as, “What is it I do on that laptop? What are the activities I’m performing?”
And if those activities include casually surfing the web, watching YouTube videos, and not much else, maybe there’s not much to protect.
Maybe you don’t really have a lot of concerns.
But if those activities include exchanging client lists and personal information, and maybe sensitive or proprietary information, it’s an entirely different threat profile.
And so, without getting very technical, you can make a lot of very informed decisions about the measures you need to take to protect that information.
You don’t necessarily need to know much about how a VPN works, about how disk encryption works, or about how two-factor authentication works.
You need to know a lot about your job, and about the data that you handle in the course of your job, and what its disclosure could potentially mean.
So that’s usually what I advocate.
I know that that’s a lot, and it’s not a clean answer.
But it’s a lot cleaner answer than, “What 62 products do I need to buy?”
Because there might be that many!
It’s going to be really hard to cleanly tell people what those are, and which ones are going to be best for their situation.
The mentality that I would espouse is really just higher order than any one measure.
Think about what is on your laptop, and what’s going to become of the stuff that’s on your laptop if you left it unlocked, or if you left it in a public place.
And again, the answer sometimes is nothing.
There are definitely situations where I think the cybersecurity industry as a whole overcooks the vulnerability intrinsic to most people’s data.
But there are also times when that is wildly inappropriate in the other direction.
You have people that have credit card numbers on their machines, or have personally identifiable information on their machines.
And their machines are stolen and, lo and behold, now they have a breach or a disclosure that they have to make.
DUCK. The aim there is almost to ‘protect you from yourself.’
Getting you to work in an environment where you expose no more than you really need to, as a simple way of managing risk.
DAVID. Yes.
You’ve broken out of the technology a little bit into policy, but even that is relatable to the non-technical world.
We have all manner of policy in our daily life that is well-intentioned, sometimes inconvenient, and often incomplete.
We have speed limits, but that doesn’t result in zero pedestrian deaths, sometimes because people don’t follow the speed limits, and sometimes because they do follow the speed limits, but some other factor contributed to an accident that they had.
We have all manner of policy decisions that we make, sometimes because we’re bikeshedding, but also sometimes because that was the only cause we could identify.
So we did what we could, knowing that it might not be comprehensive.
I think it’s absolutely the state of almost any policy that there will be incomplete implementations or incomplete solutions to a problem that is identified correctly, but the causes contributing to that problem are not necessarily identified comprehensively.
DUCK. David, do you think the extent to which a lot of IT, and in particular the cybersecurity industry part of IT, love their jargon and talking things up in fantastical ways makes this harder for people?
That they kind of don’t want to say, maybe, that they don’t know what VPN, or DNS, or HTTPS stands for?
It takes useful initiative out of the equation, doesn’t it?
DAVID. Yes, but it takes two to tango.
You see that in public policy as well.
When writing policies or laws, there are incentives to have those passed, so they may not be aligned with an incentive to solve a problem.
In cyber, you have the same sort of issues.
NIST just… well, yesterday or the day before, released a new draft on password security.
And it finally writes down something that has bothered me for pretty much my entire career in technology, which is the notion that a password has to have a prescribed number of characters of a certain kind, and that it has to be a certain ‘complexity’ irrespective of length.
No!
They’re finally doing what makes sense: the length of a password and the number of character sets involved in creating that length are what matters.
That produces the bit depth of a password.
Not whether or not you put in one ampersand and, you know, half a hash.
DUCK. [LAUGHS] Exactly.
DAVID. It’s so irritating.
It drives me nuts every time someone has really prescriptive password rules, but NIST is finally saying that’s not necessary, that’s not mathematically sound…
And that’s true, but how long did it take them to say that?
It hasn’t been mathematically sound since ever, but it was ‘in policy’ and so everyone was doing it.
And systems were implementing it: automations, and tools that you use – they had implemented that because NIST said so.
Not because it was a good idea!
That kind of incentive permeates into behavior, and then that behavior…
…honestly, it feeds back up into the incentives regarding policy.
Once people have all these password practices, they don’t necessarily want to change those.
DUCK. Yes.
And I think for at least some IT departments, having rules that are complex kind of makes you feel like you’re doing something when you’re not.
So, David, how can businesses build a culture where cybersecurity can grow and thrive, and not be bogged down by regulations like the one where NIST has finally said, “Look, you’re wasting your time if you think that just throwing in punctuation (in a very structured way because you always put a dot at the end, don’t you) can help?”
DAVID. There are a few things we mentioned already.
Behavior change.
Thinking about confidentiality and disclosure ramifications of the data, of the process.
Thinking less about the ‘snow of marketing’, or the technological feats that you could be implementing, or minutiae that you could be tweaking.
SolCyber, the company that we are at…
…some of that is in the thesis of our main product, Foundational Coverage.
The reason we have Foundational Coverage is to guide our customers into that which will keep them reasonably safe.
We don’t get into the minutiae of tweaks.
We already did that, and so we apply that to your environment.
We don’t expect you to know everything about, let’s say, anti-malware, because we already built that profile; we already built that policy; we’re going to push it out.
We don’t think nine locks are necessary in your front door; we’re going to put one on your front door, and if someone breaks the window, hopefully we’ll detect it.
That’s the sort of rational stack that we’ve built, and it’s something that I think is not only extensible to many environments that would otherwise simply be inadequately protected, but also it’s efficient.
It’s coverage that isn’t going to cost the earth; it’s coverage that is achievable because it’s already been built; and there’s very little project risk to implementing in any given environment at this point.
And those are the sorts of things, even if you’re not going to get SolCyber, that you should be thinking about.
What is reasonably low project risk?
What covers the bases of process and content, not the basis of what I was marketed to, not, “Do I have six VPNs?”
Your choice is basically to do it yourself, which is a hard thing, or to buy a canned service that already has those fixtures of good practice baked in.
DUCK. And generally speaking, would you agree, David, that if you’ve got nine locks on one door and none on the other eight doors you have…
…you would be much better off by having one half-decent lock on all of the doors, and learning how to make sure that nobody’s leaving them open, or letting their chums tailgate in, no matter how strong the locks are?
In other words, the element of culture that recognizes that, in cybersecurity, an injury to one can be an injury to all.
And if we look out for each other, then we can all do ourselves a great deal of favor.
DAVID. Yes, absolutely.
You should have a reasonable measure that reflects the actual threat profile that you face.
DUCK. Yes!
(A), so you can afford it; (B), so you can actually achieve it; and (C), so that you can build an environment in which people feel motivated to help each other do that achievement.
DAVID. Exactly.
All of those, yes.
DUCK. David, I think we’d better stop, or we could get very excited and carry on indefinitely!
Thank you so much for joining me.
Once again, let me just finish by thanking everybody who has listened, and reminding you that if you want to get in touch with SolCyber, you can simply send an email to amos@solcyber.com.
That’s Amos the Armadillo, the SolCyber mascot.
And if you want to catch up on some excellent, jargon-free, but technically-oriented articles that aren’t sales spiel, please head to solcyber.com/blog.
Thanks for listening, everybody, and until next time, stay secure!