The question seems simple enough, doesn’t it? But have you asked the question? My feeling is that not enough people actually do. Of course, a natural response may be: isn’t that a question for my IT department to answer?
Yes and no (more on that in a moment). And I promise I am not trying to play word games, but words and their meanings matter, and I am therefore placing particular focus on the word trust. Trust is different than confidence. Trust is different than transparency. Trust has a much more “personal” element than the others. And so much of what we do in the world today is based on trust.
There are times where confidence may be appropriate. For example, “I am confident in Joe’s abilities, but I do not trust he will finish the job.” And there are times where transparency may be appropriate, such as, “blockchain technologies offer transparency, but I do not trust them to serve as the backbone for a currency.”
Notice where I am going? These terms are not interchangeable. Somebody can be “transparent” with you but it is quite possible you do not trust them at all. Conversely, somebody who is not wholly transparent with you may earn your trust.
And trust is a funny thing because it guides so many of our actions. Simple example:
“Would you do business with Bob?”
“No. I know he has a solid track record, but something about him I just don’t trust.”
“Would you do business with Sally?”
“Yes. I know she doesn’t have the track record of Bob, but something about her that just makes me feel she’s the right person to do business with.”
In other words, we are dealing with emotion and rational action may be taking a back seat.
So let’s get back to the IT department. I am not asking: do you trust your IT department? Rather, I am asking: do you trust your network? There is a difference. It’s huge. And if you don’t see it as being huge, your cybersecurity nightmares may only be in their opening act.
If you have 20 minutes, there is a 2010 podcast worth listening to by Brian Snow, who was the technical director of information assurance at the National Security Agency. It can be found here and special thanks to my fellow #CyberAvenger Chris Veltsos for pointing out this podcast. At around the 16-minute mark, Brian Snow talks about the “trust bubble” and that while “trust” is “widely used” it is also complicated and poorly understood.
Our world operates with so much going on in the background that we seldom give thought to how complicated things can be. Therefore, the only way we can operate and conduct business is when we have levels of transparency, confidence, and trust. For example, I am confident my ISP will provide reliable service so I can get my professional work done, but I do not trust my ISP when they say they are “best service provider” or “the fastest network” or that they will “have 99.9999% uptime” or whatever else you can think of (nor do I think they make their billing particularly transparent but that is unrelated to network reliability). In other words, I’m keeping my expectations in check.
In fact, I try to keep my expectations so “in check” that I expect my services to go down from time to time because that’s just life! Bad connection, server times out, bandwidth issues, and yes, even potential DDoS attacks and hacks! I expect all of these to happen because my trust in network capabilities can only go so far. Sure, I can invest more capital and overhead, but I do not have a printing press for money, so this solution is untenable over time. You need to use your resources wisely and because my trust in network capabilities can only go so far, I do things like: regularly patch, update, have offline backups, back up devices, have alternate connectivity means, and – get ready for it – even plan for total shutdown (and sometimes the plan is “no way to do work today, find something else to do”).
In summary, I simply do not trust network reliability to be as reliable as the sun coming up in the east every morning. And keep your expectations in check: there are very, very few operations that can justify the need (and cost) for 100% uptime (and even those are susceptible to the freak event that shuts them down).
As for social engineering attacks, shame on me if I get suckered into them. I don’t have the expectation that my network should protect me from them. Remember, a social engineering attack is going after YOU FIRST before the actors execute their following intent.
Side commentary: WOW! Some of these social engineering attacks are getting really sophisticated and I am impressed. One of the best I have seen in the last few months is the attacker faking that you are the initiator of the conversation and the attacker is “replying” to your original query. Be careful before you click “reply” because sometimes all the attacker wants you to do is just that, click reply, and scoop up an e-mail address, a device ID, an OS version, message headers, or the basic information on your signature line. All these information leaks can come back to haunt you.
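Added here as an illustration, not part of the original post: a defensive check for the fake-reply trick described above. A real reply carries In-Reply-To/References headers pointing at a Message-ID you actually sent, so an inbound message whose subject says “Re:” but which threads to nothing you sent deserves a second look before anyone clicks reply. The sample messages and the set of sent Message-IDs are constructed; in practice the set would be built from the Sent folder.

```python
from email import message_from_string
from email.policy import default

# Constructed: Message-IDs of mail we really sent (would come from the Sent folder).
SENT_MESSAGE_IDS = {"<20170901.1234@ourcorp.example>"}

# Constructed: an inbound "reply" that references a message we never sent.
FAKE_REPLY = """From: billing@vendor-lookalike.example
To: me@ourcorp.example
Subject: Re: Invoice question
Message-ID: <1@vendor-lookalike.example>
In-Reply-To: <made-up-id@ourcorp.example>

Thanks for reaching out, please see the attached invoice.
"""

# Constructed: a genuine reply that threads to a message we sent.
GENUINE_REPLY = """From: partner@partner.example
To: me@ourcorp.example
Subject: Re: Meeting next week
Message-ID: <2@partner.example>
In-Reply-To: <20170901.1234@ourcorp.example>
References: <20170901.1234@ourcorp.example>

Tuesday works for me.
"""

def reply_thread_status(raw_message, sent_ids):
    """Classify an inbound message by whether its threading headers
    point at something we actually sent."""
    msg = message_from_string(raw_message, policy=default)
    subject = msg.get("Subject", "")
    looks_like_reply = subject.strip().lower().startswith(("re:", "aw:", "sv:"))
    referenced = set()
    for header in ("In-Reply-To", "References"):
        value = msg.get(header)
        if value:
            referenced.update(value.split())  # headers may list several ids
    if not looks_like_reply:
        return "not-a-reply"
    if not referenced:
        return "suspicious: reply subject but no threading headers"
    if referenced & sent_ids:
        return "threads-to-sent-mail"
    return "suspicious: references a message-id we never sent"

if __name__ == "__main__":
    for name, raw in (("fake", FAKE_REPLY), ("genuine", GENUINE_REPLY)):
        print(name, "->", reply_thread_status(raw, SENT_MESSAGE_IDS))
```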
But back to my original question: do you trust your network? If your trust in network reliability is rooted in the trust you have for your IT department, I have a car I want to sell you. I do not say this as a knock against your IT department, but if we can be perfectly candid for a moment, if your IT department has full trust in your network reliability, you should be concerned. Granted, the IT department can be confident about the network, but usually when you are confident, it means that you have done some sort of honest and thorough assessment of the situation.
Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.
By George Platsis, SDI Cyber Risk Practice
September 12, 2017