Iterative Improvement and Data Leaks
Over the weekend, social media sites lit up with news about Edward J. Snowden’s travel plans. Leaving aside the questionable “wisdom” of keeping the government tracking you informed as to which countries you plan to flee to and which flights you plan to take, the practice of “stay one step ahead of your trackers” is a time-tested technique. Though it results in some rather humorous jokes, fundamentally, it works.
What also works is learning from the mistakes of others.
In this story, we have two individuals, Edward J. Snowden and Bradley Manning. We also have a fairly large organization that first trusted, then persecuted them. We can call this “the U.S. Military,” “the U.S. Government,” “the Obama Administration” or “the Intelligence Community.” However, all of these terms, I think, suggest a level of uniformity that doesn’t really exist. The various departments involved seem to operate more as fiefdoms than as cogs in a massive and efficient machine. Why?
Let’s look at the Manning story: In May 2010, he was arrested for providing data to WikiLeaks about the way the U.S. behaved during the conflicts in Iraq and Afghanistan. After his arrest, he was jailed and, according to some, treated quite poorly. While military treatment during detention differs significantly from that of private individuals, it is seems as though he:
- Was kept in a small cell with no window.
- Forced in a regimented sleep schedule.
- Required to remain visible at all time (no sheets, etc).
Later, he was classified as a suicide risk and, according to the rumors, had his clothing and glasses taken away and was forced to remain in his cell 24 hours a day. This classification was later lifted, and he was moved to a lower security prison.
Now, if you saw evidence of what you believed to be unethical behavior and felt obligated to report it, how would those consequences affect you? For many of us, it may well be enough to prevent us from leaking the information — but as Snowden shows, that’s not the case for everyone. Snowden’s flight to Russia and, if he ever gets there, to Cuba and then to points beyond, indicates that he saw the risks of his choice and is taking steps to address mitigate them. He may not be doing it very well, but it is important to note that he has learned from Manning and is trying to do a little bit better. Odds are high that the next person in this position will do even better.
This is because attackers gravitate towards open communication and learn quite quickly.
In contrast, we have a defense side that was taken twice by the same attack — three years apart. Sure, the details vary a bit, but all in all, sensitive data was taken off a system and the identity of the person that stole it was only made public because of their own action. In other words, three years after the first attack, the distributed departments that make up the U.S. government and military have NOT learned how to protect their data and identify the individuals that have access to it.
Granted, it’s a big problem. However, it’s also a big problem to not address this problem, as illustrated by the political risks being faced by the administration today. In general, attackers learn faster than defenders and then, during an event like this, the defenders have to expend even more resources attempting to either contain or respond to successful attacks.
What will things look like in three more years? Will we have a data leaker who is better at keeping anonymous? Will the data released be even more damaging to the government?
Who do you think will learn the Snowden lesson better? The next leaker or every department of the government?
History is not on the side of the defense.
Celebrate National Steakhouse Month with RJS!
Did you know that June is National Steakhouse Month?
If you’re not celebrating with steak and eggs this morning for breakfast, why don’t you join RJS Smart Security for a Lunch and Learn at McCormick and Schmick’s in Edina tomorrow?
Not only will you get your fill of a delicious steak (or fish!), but you’ll learn about the RJS “Lean Security” approach to security projects.
Lean Security is a process we developed in response to the frustration felt by those who don’t have the time to research the newest security solution for their business and are tired of the standard big-budget, big-timeline approaches championed by other security firms and consulting organizations.
Josh More, RJS Senior Security Consultant, will present the topic, Lean Security: Practical Uses in the Real World.
You’ll enjoy a satisfying meal (while celebrating this important June holiday), and discover a cost-conscious, less-is-more security strategy that works.
Sprinting through Security
We’re all familiar with old school consultants. These are people hired at $20/hr and rented out for $150/hr. It’s good business, if you can get it. All too often, however, the work is neither enjoyable for the consultant nor useful to the client. After years of trying and failing to make the old model work, I decided it was time to throw it out and start over. Thankfully, RJS agreed. As of today, we are one year into the process of reinventing security consulting.
The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.
Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.
With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is to clearly pre-identify “risk reduced” or “money saved,” time is required. Since time is billed, it can cost a significant amount of money to identify how much money you’re saving!
Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.
This process affords another advantage we did not anticipate. In many cases, security fails because the people put it in place to manage it are often not those responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved with the initial configuration, they tend to lose a lot of time tracking false alerts or worse, missing legitimate issues.
Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.
In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.
Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.
Lean Security 101: The Comic Book!
Whether embracing the 80×5 rule or learning how to effectively solicit outside advice, there’s a way to make your security strategy work smarter, not harder. Perfect security is a pipedream. So use what you have and learn from what works.
Follow the principles and strategy detailed in our very own “Lean Security 101″ comic book and you can build your own lean security model within your organization!
Follow this link to download Lean Security 101: The Comic Book.
And don’t forget … you can get a lean security review for free, just by requesting one here.
RJS Smart Security “Sneak Peek”
The security wing of RJS Software is growing and it’s time to change in a big way. On April 1st, we’ll be officially relaunching that segment of our business as RJS Smart Security. Not only are we rebranding, but we’re also launching an entirely new website that better speaks to our security consulting and product expertise. Check out our new logo and a few snippets from our website … what do you think?
The core messaging of our website will focus on “RJS Lean Security,” a smarter and more affordable way of protecting your business:
Our website will also lean heavily upon hand-drawn imagery: