Waiting and Hoping is the Cybersecurity Anti-Strategy

“All human wisdom is contained in these two words – Wait and Hope”
-Edmond Dantès (The Count of Monte Cristo, by Alexandrè Dumas)

Verizon has published their Data Breach Investigations Report every year for the past 10 years, and for anyone who cares about the security of, for, and in the Web, it’s an important, insightful, research-rich document that is both alarming and hopeful. In fact, this year’s report begins with a quote from my favorite philosopher and namesake of the best IPA in my refrigerator, Pliny the Elder: “Hope is the pillar of the world.”

There is more than a tinge of irony in the air, however, as no amount of hope has spared Verizon from having more than 14 million customer records, many containing sensitive and personal information (including customer names, corresponding cell phone numbers, and specific account PINs), from being exposed to the public. As reported by ZDNet, Verizon partner Nice Systems logged these customer files into an unprotected Amazon S3 bucket. Security experts have suggested that this level and type of exposure can ultimately result in account takeovers through phone number hijacking. With access to the vulnerable data, hackers could break into customer’s email and social media accounts, even for those using multi-factor authentication. The situation appears to have been fixed (after six days of round-the-clock remediation), but the exposure could have led to extreme consequences.

The discovery of this unprotected S3 bucket is troubling, and maybe even more so because of the cause. This was a case of simple human error. Maybe it’s not even error, but oversight. As a Verizon spokesperson said, “Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project. Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”

Let’s replay that last line: “…the vendor’s employee incorrectly set their AWS storage to allow external access.” I wouldn’t want to be that guy/gal, but let’s consider the situation before we get too judgy. Ok, we can be a little judgy, because first of all, we’re not talking about an employee using the photocopier for personal use. This employee exposed a major global company to the kind of risk that could wipe out billions of dollars of market share, to say nothing of the potential personal damage to millions of individuals who trust Verizon. There may be no other way to say it: it’s a screw up of epic proportions.

But let’s be clear; people make mistakes, and busy, multitasking people make more than they should. Is that okay? Well, it has to be, because humans are not infallible. And make no mistake – this very same scenario is definitely — and I guarantee this within 100% accuracy — happening to a company you have a relationship with. It may very well be happening within your own organization.

There are two unassailable factors that make the lives of CISOs difficult: 1) IT infrastructures have a massive, and endlessly growing, number of potential attack points, and 2) humans screw up sometimes. Yet, even knowing all of this, we feel secure enough to hope that checklists and quarterly audits will keep our data protected, and act surprised when an entry point to our network is discovered or access to a server was inadvertently made public. We also expect partners to operate according to the same rules we enforce for ourselves, but the Verizon breach should be a wake up call to companies that share PII, shopping cart data, and customer service data with external vendors or third parties. Do you know what precautions they take to ensure that the data is secure? Are you certain that partners are continuously monitoring their environments to ensure that mistakes aren’t made that leave customer data open to the world?

Really, this isn’t anything different from what we’ve thought about in security for the last couple of decades, but now because of the cloud, the faster pace of change in modern IT environments, and automation of everything (including attacks), companies need to step up their game to be continuously vigilant and understand how automation and continuous monitoring can replace an imperfect reliance on human behavior. The entire nature of the cloud, and the advantages that enterprises gain from the cloud are simultaneously those things that put us at risk. APIs that transact data among multiple apps allow us to deliver a more customized experience to users, but that relies on sharing of data. We will all claim we only share with trusted sources, but technology doesn’t work like a building inspector. It engages, moves, and is transacted in nanoseconds at the behest of developers tasked with solving technology and business issues. It’s fast and agile and if we don’t act the same way we lose our competitive advantage. Enterprises also must rely on the interaction with partners, customers, and other stakeholders in order to deliver what customers want. Hasn’t the time come to get a handle on how we protect our data and our people?

Verizon and its customers are just fine. It is a company that’s built a solid reputation on quality, value, and now, security. The company and its partners got a wake up call, and that will be helpful in the long run. Other organizations should see this as an opportunity to ask themselves if they have the stomach to operate on a strategy of hope and faith, however. Hope takes a lot of time, and faith may never deliver a desired conclusion. Dumas gives us an eloquent and insightful roadmap to the many vagaries of human behavior, but when you have a business to run and customers to answer to, the best bet is to know what’s going on at all times so you can take direction action as needed.