More Cyber Security Lessons From “The Martian”

In last week’s post, I covered the methodologies Mark Watney used to stay alive on the surface of Mars and how those lessons can be adapted for better cyber security back on Earth. As usual, this post will contain spoilers for The Martian, so close it now if you haven’t yet read the book or seen the movie.

This week I’ll discuss the mentalities and interpersonal skills that allowed the Ares 3 crew to rescue Watney after he had been stranded for more than a year on another planet. Whether it is a crewed mission to Mars or a defense against advanced cyber threats, these lessons can be used to pull the best possible outcome out of impossible odds.

The Power of a Cross-functional Team
In space travel, every supply and gram of weight is invaluable, much like the limited resources available to most security teams. To help cope with these limitations, every member of the Ares 3 crew served multiple functions. Watney, for instance, was both a botanist and mechanical engineer. This knowledge allowed Watney to recognize that food would be his scarcest resource, find the chemical components necessary to create arable land inside his living quarters and modify the various life support systems to make the environment suitable to plant life.

When a cyber-attack hits, you may be the only one available to address it. To be able to adequately assess and respond to the event, you need to have a working knowledge of the various tools and processes at your disposal. In addition, understanding how different systems work and how different user roles interact with the network allows you to see the security weak points and understand how an attacker may operate in your environment.

Always remember to laugh
Tense situations can have a mental toll on responders, and it is important to keep a sound state of mind to make good decisions. Watney was a serial jokester, frequently laughing at the ridiculousness of his own situation and making wisecracks about what his fellow astronauts left behind on Mars. He particularly hated disco.

Though responders are in the middle of extreme circumstances, it is important not to take yourself too seriously. Laughter helps you keep a level head and can help relieve stress, both in you and your coworkers. Then you are in a better position to make sound decisions and not to give up.

Leadership is not an option, it is a necessity
Watney never blamed his fellow astronauts for leaving him on Mars. They believed he was dead, and leaving immediately was the only way to get the rest of the crew out alive. More importantly, Commander Lewis is stricken when she learns that Watney was left alive on Mars, but instead of being paralyzed by regret, she focuses on what the next course of action should be.

Tough situations need leaders who will make hard calls and live with it. CISOs and other security leaders are responsible for choosing which tools to implement and what practices to employ. When a cyber-attack occurs, they need to be ready to use those tools instead of wishing they had something else.

Communication makes your job easier
One of Watney’s largest challenges throughout The Martian is his inability to communicate with mission control or his own crew. Watney makes a cross-country trip to dig up the Pathfinder probe just so he can use it to establish communication. It works, until he accidentally fries the probe’s electronics later in the story. Fortunately, we rarely face that particular problem, yet many cyber security professionals still fail to communicate effectively in the event of an attack.

It makes sense. After all, we are usually busy investigating the attack and trying to prevent data loss. But don’t forget that good communication in an attack helps prevent duplication of efforts and generally helps the entire security team respond effectively.

In a more general sense, the security team needs to be visible to the rest of the organization. Keeping all employees abreast of ongoing security issues reminds them to be vigilant against phishing and other forms of social engineering. Remember, they may know their area of the network better than you, and might be able to identify something abnormal there before you do. Of course, there are some exceptions to this mode of communication. For instance, if an insider threat is suspected, it is likely better to keep that information to a small number of individuals until actions are taken, but for the most part, regular communication with the larger organization is a good thing.

Roles are important
While versatility is a modern virtue, it is important to understand what your role is in a given scenario, even if it changes often. The crew members of Ares 3 had specializations that enabled them to perform specific duties, but they were also general enough that they could fulfill whatever role was needed in a time of emergency. While Watney was forced to rely on his own ingenuity to survive on Mars, his rescue was left almost entirely in the hands of his fellow crewmates. Each had to perform a duty in the rescue, and several had to suddenly change that role when the rescue attempt started to go south. The important thing is they were able to shift responsibilities quickly but with a clear understanding of who was best suited to perform each role, and it was all organized with a clear order of command.

In the world of cyber security, where organizations often deploy varied tools for detection, mitigation and policy enforcement, it is essential to utilize people to their greatest strengths. Investigators, operations and management all have a role to play, and while they should be flexible according to needs, they work best with what they know.

Personal connections matter
Massive amounts of money, resources, time and energy went into rescuing Watney from Mars. His struggle became a regular news segment on Earth, and no expense was spared to retrieve him alive because people feared for him, hoped for him and wanted to keep him safe. Never forget that there are real victims of data breaches. Customers, clients and employees can be deeply hurt for the simple act of doing business with your organization, so keep that in mind when you are rushing through those last few reports on Friday afternoon.

The bonds between the Ares 3 crew were unshakable, as is expected when six people spend months together traveling across the solar system to a new planet. This type of relationship should be encouraged among security practitioners because it facilitates smoother operations in the event of an emergency and reduces blaming. When a team cares about each other and their mission, attacks can be stopped and catastrophes can be salvaged.

The Martian contains many lessons that can be adapted to cyber security, but in the end it is still a work of fiction. Reality is more complex and difficult to grapple with, but we need these basic driving forces to properly prepare for disaster and to operate well under pressure. Mark Watney may not be our CISO, but we can take what he learned on Mars and use it to beat an advantaged enemy and difficult odds.

TK Keanini, Chief Technology Officer, Lancope
[Cloud Security Alliance Blog]

The Numbers Behind Cloud User Error

In the not-too-distant past, service providers had a tough time convincing enterprise IT departments that cloud platforms were secure enough for corporate data. Fortunately, perspectives on cloud have matured, and more and more organizations are migrating their sanctioned file sharing applications to the cloud. Fast forward to 2020, when Gartner predicts 95% of cloud security failures will be the customer’s fault. Skyhigh Networks’ latest Cloud Adoption & Risk Report shows the stakes are high for preventing “cloud user error.”

Enterprise-ready services have extensive defenses against external attacks, but customers retain ultimate responsibility for ensuring sensitive data is not improperly disclosed. Just as attackers bypass strong perimeter defenses such as firewalls by using stolen credentials or alternate attack vectors, a well-secured cloud service pushes attackers toward the weaknesses inherent in day-to-day use of the application. Beyond compromised accounts, in which attackers access a cloud service with stolen user credentials, enterprises must also worry about malicious insiders, compliance violations and accidental mismanagement of access controls.

The report, which analyzes actual usage data from over 23 million enterprise employees, uncovered an epidemic of file over-sharing. Whether IT is aware or not, cloud-based file-sharing services serve as repositories of sensitive data for the average organization. According to the report, 15.8 percent of documents in file-sharing services contain sensitive data. The employees responsible for sensitive data are not a small group: 28.1% of all employees have uploaded a file containing sensitive data to the cloud.

Most concerning is the lack of controls on who can access files once uploaded to the cloud. 12.9 percent of files are accessible by any employee within the organization, which poses a significant liability given the size of the organizations analyzed. Employees shared 28.2 percent of files with external business partners. Given the critical role business partners have played in several highly publicized breaches, companies should closely monitor data shared outside the organization, even with trusted partners. Although they make up only 6 percent of collaborations, personal email addresses raise concerns over the recipient’s identity and necessitate granular access policies; companies may not want to grant the ability to download files to personal email domains, for example. Finally, 5.4 percent of files are available to anyone with the sharing link. These documents are just one forwarded email away from ending up in the hands of a competitor or other unwanted recipient.

Breakdown of Sharing Actions

What are the different profiles of sensitive data stored in the cloud? Confidential data, or proprietary information related to a company’s business, is the biggest category, found in 7.6 percent of all files. Personal data is second at 4.3 percent of files, payment data third at 2.3 percent, and health data last at 1.6 percent; together these categories make up the 15.8 percent of documents that contain sensitive data. Most of these files (58.4 percent) are Microsoft Office documents.

Files Containing Keyword in the File Name

Furthermore, a surprising number of workers violate best practices for securely storing important information in the cloud. Naming files with keywords such as ‘passwords’, ‘budget’ and ‘salary’ makes it easy for anyone who gains access to locate sensitive information, and IT security professionals typically advise against the practice. Convenience all too often trumps security, unfortunately. Past breaches have revealed instances in which credentials for multiple accounts were kept in folders named “Passwords”. The report found that the average company had 21,825 documents stored across file sharing services containing one or more of these red flags in the file name. Of these files, 7,886 contained ‘budget’, 6,097 ‘salary’ and 2,217 ‘confidential’.

Lastly, the data revealed a few “worst employees of the month.” One prolific user was responsible for uploading 284 unencrypted documents containing credit card numbers to a file sharing service. Another user uploaded 46 documents labeled “private” and 60 documents labeled “restricted”. In all seriousness, while it is easy to point the finger and call these users bad employees, it is likely they were simply trying to do their jobs with the best tools available to them. The onus lies with IT to make the secure path the easy path.
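The three findings above, the spread of sharing exposure (internal, partner, personal email, anyone-with-link), red-flag keywords in file names, and unencrypted card numbers uploaded by a handful of users, are all things a security team can inventory from a file-sharing service's metadata and content. The following scan is an added example, not code from the report or from Skyhigh Networks: it assumes a corporate domain of example.com, a hypothetical partner domain, a short red-flag keyword list, and a constructed sample inventory, and uses the Luhn check to separate likely payment card numbers from other digit runs.

```python
"""Inventory scan for a cloud file-sharing service (illustrative, added example).

The records in SAMPLE_FILES are constructed; a real run would pull file
metadata, share lists and content from the sharing service's own API.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed domains for this illustration; tune per organization.
INTERNAL_DOMAIN = "example.com"
PARTNER_DOMAINS = {"partner.example"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# File-name red flags from the report's discussion plus the labels in its
# "worst employee" anecdotes. The exact list is an assumption.
RED_FLAG_KEYWORDS = ("password", "budget", "salary", "confidential",
                     "private", "restricted")

# Exposure classes ordered from least to most exposed; a file's class is the
# widest audience among its shares.
EXPOSURE_RANK = {"owner-only": 0, "named-internal": 1, "all-employees": 2,
                 "partner": 3, "other-external": 4, "personal-email": 5,
                 "anyone-with-link": 6}

# 13-16 digit runs, optionally separated by spaces or dashes, that are not
# embedded in a longer digit string.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


@dataclass
class SharedFile:
    name: str
    owner: str
    # Each share is an e-mail address, "domain:<corp domain>" for an
    # organization-wide share, or the sentinel "anyone-with-link".
    shares: List[str] = field(default_factory=list)
    content: str = ""


def classify_share(share: str) -> str:
    """Map one share entry to an exposure class."""
    if share == "anyone-with-link":
        return "anyone-with-link"
    if share == f"domain:{INTERNAL_DOMAIN}":
        return "all-employees"
    domain = share.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return "named-internal"
    if domain in PARTNER_DOMAINS:
        return "partner"
    if domain in PERSONAL_DOMAINS:
        return "personal-email"
    return "other-external"


def exposure(f: SharedFile) -> str:
    """Widest audience the file is shared with ("owner-only" if unshared)."""
    classes = [classify_share(s) for s in f.shares] or ["owner-only"]
    return max(classes, key=EXPOSURE_RANK.__getitem__)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_card_numbers(text: str) -> int:
    """Count digit runs that look like card numbers and pass the Luhn check."""
    return sum(1 for m in CARD_RE.finditer(text)
               if luhn_valid(re.sub(r"\D", "", m.group())))


def red_flags(name: str) -> List[str]:
    """Red-flag keywords present in a file name (case-insensitive)."""
    lower = name.lower()
    return [k for k in RED_FLAG_KEYWORDS if k in lower]


def scan(files: List[SharedFile]) -> List[dict]:
    """One finding row per file: exposure, name red flags, card-number count."""
    return [{"name": f.name, "owner": f.owner, "exposure": exposure(f),
             "keywords": red_flags(f.name),
             "card_numbers": count_card_numbers(f.content)} for f in files]


def summarize(findings: List[dict]) -> Dict[str, Counter]:
    """Roll-ups of the kind the report presents: by exposure, keyword and owner."""
    by_exposure = Counter(r["exposure"] for r in findings)
    by_keyword = Counter(k for r in findings for k in r["keywords"])
    cards_by_owner = Counter(r["owner"] for r in findings if r["card_numbers"])
    return {"exposure": by_exposure, "keywords": by_keyword,
            "card_files_by_owner": cards_by_owner}


# Constructed sample inventory (not real data).
SAMPLE_FILES = [
    SharedFile("Q3 Budget.xlsx", "alice@example.com", ["bob@example.com"]),
    SharedFile("Salary review 2015.docx", "alice@example.com",
               [f"domain:{INTERNAL_DOMAIN}"]),
    SharedFile("vendor-contract.pdf", "carol@example.com",
               ["legal@partner.example"]),
    SharedFile("Passwords.txt", "dave@example.com", ["dave.home@gmail.com"]),
    SharedFile("customer-orders.csv", "erin@example.com", ["anyone-with-link"],
               content="order,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n"),
    SharedFile("notes.txt", "erin@example.com", []),
]

if __name__ == "__main__":
    for row in scan(SAMPLE_FILES):
        print(row)
    print(summarize(scan(SAMPLE_FILES)))
```

The Luhn filter matters in practice: order numbers, phone numbers and timestamps produce plenty of 13-16 digit runs, and without the checksum a content scan drowns the team in false positives. Ranking a file by its widest share is what turns the raw share list into the "anyone with the link" category the report singles out as one forwarded e-mail away from a competitor.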

With more companies migrating sensitive data to the cloud, attackers will increase their efforts to exploit vulnerabilities in enterprise use of cloud services. Tellingly, attacks against cloud services increased 45% over the past year. Locating sensitive data in file-sharing services is step one for companies aimed at preventing the next generation of cloud-based threats.

Sam Bleiberg, Corporate Communications Manager, Skyhigh Networks

[Cloud Security Alliance Blog]

Enterprise Data Breaches on the Rise Despite Infosec Policies

The results of the 2014 Protiviti IT Security and Privacy Survey reports that:

•  77% of organizations have a password policy or standard.
•  67% of organizations have a data protection and privacy policy.
•  67% of organizations have an information security policy.
•  59% of organizations have a workstation/laptop security policy.
•  59% of organizations have a user (privileged) access policy.

Based on these statistics, enterprise organizations have plenty of IT and information security policies in place, and yet data breaches are on the rise, doubling between December 2014 and August 2015. Given these figures, it seems unlikely that enterprise security policies alone are keeping organizations safe.

Human users are touted as the weakest link in an information security system. Historically, IT has taken a top down approach that forced users to work within the confines of a system that didn’t take user productivity into consideration. IT and security professionals focused on creating limits to protect the network from the user, throwing up barriers in the name of network security. This impacted user productivity but was accepted as collateral damage in the fight to keep the enterprise network safe. Users were left to choose between upholding security protocols and personal productivity.

Given the choice between job security and network security, most users will choose productivity and hope for the best when it comes to protecting the network. Christian Anschuetz on the Wall Street Journal blog, CIO Journal, agrees. “Forced to choose between disruptive, apparently irrational, and easily circumvented security directives and getting their job done, employees invariably choose to be productive,” states Anschuetz.

Changing priorities
While maintaining enterprise security will always be the number one priority of information security professionals everywhere, the modern information security professional recognizes that times are changing. Network security at the expense of user productivity is counterproductive. When threatened with limitations to productivity, users have proven that they will find ways around IT and information security initiatives through shadow IT.

Progressive, security-focused organizations must consider their users when they create security policies. Backing into security policies and initiatives based on user needs allows enterprise organizations to simultaneously meet security and user-productivity demands. Rather than forcing users to work outside of their usual workflows, modern information security secures the enterprise where and how its users prefer to work, eliminating unsanctioned workarounds and shadow IT solutions. The result is greater enterprise security and happier end users.

By Rachel Holdgrafer, Content Business Strategist, Code42

[Cloud Security Alliance Blog]

Keep your Data and Applications Safe from CSA Top Threats

The cloud presents all kinds of opportunities for today’s enterprise, from anywhere access to anything-as-a-service. It also imposes significant security risks on the corporation, its network, its IT function and the day-to-day activities of the business. How do organizations maintain compliance, control and ownership of sensitive data as they move from a physical environment to a cloud world? The distribution of data onto devices may not be fully controlled by the data owner, and liability becomes confused as cloud service providers take on a larger role. As a result, CIOs are looking at technologies and strategies that assure security while delivering the required services.

Fortunately, this model of enterprise computing does not have to be a high-risk proposition. By treating security as an enabler rather than an obstacle to cloud adoption, you can protect and maintain control of data across multi-cloud environments while maximizing the business potential of the cloud. During this webcast we will discuss ways to address the key security challenges you face as you move to the cloud.

See the webinar

 [Cloud Security Alliance News]

CSA Guidance V.4: Domain 1 now available for review and comments

The Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. It acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm.

Since its last revision in 2011, the cloud landscape, tools and technologies have changed, and we want to reflect that in an updated version of the CSA Guidance (version 4). A draft of Domain 1 is now available for review. Domain 1 covers Cloud Computing Concepts and Architecture and provides the conceptual framework for the rest of CSA’s guidance. The domain describes and defines cloud computing, sets our baseline terminology and details the overall logical and architectural frameworks used in the rest of the document.

Experts are needed that can invest their time in providing feedback. Although we have a dedicated writing team, this is still a community project. All feedback and edits will be managed via GitHub so that all parts of the process are open and public.

Contribute now

 [Cloud Security Alliance News]