
Security Management

1/31/2018 08:05 AM
Joe Stanganelli
News Analysis - Security Now

Four Enterprise Security Lessons From Maury

Popular daytime TV show Maury offers some surprisingly apt lessons for enterprise IT leaders for keeping their data protected and their networks secure.

Who would have thought that daytime TV and enterprise IT security have so much in common?

I confess that I've picked up a guilty pleasure: watching Maury -- the 20-year-old daytime talk show hosted by former A Current Affair anchor Maury Povich. The show is notorious for generally sticking to paternity tests and infidelity-related polygraphs -- deadbeats and deceivers. And I find it compelling for one simple reason: At the end of almost every Maury segment, there is a clear, binary resolution. "You ARE the father" or "You ARE NOT the father." "That was a lie" or "You are telling the truth."

Recently, as I was catching up on episodes of Maury during a lazy weekend, I had a stunning revelation -- about how I could make my cable and DVR costs completely tax-deductible.

Er, more specifically: I realized that, every day, Maury's guests get in trouble and wind up on his show by doing the same things that get enterprise IT organizations in trouble with hackers and regulators. Just as Maury guests find themselves on TV for making the same ridiculous and outrageous mistakes over and over, so too do IT and security leaders at major enterprises.

For a data-protection geek like me, Maury is chock full of data-stewardship lessons if you pay attention to the patterns. Below are four of the most exemplary -- and most common -- problems that routinely crop up for IT organizations and Maury guests alike:

Practice good data-storage hygiene
Maury guests suspected of infidelity are often first suspected because of evidence they've left lying around. Sometimes, it's physical: a condom, a set of underwear, a telltale beauty product. Other times, it's digital: Everything from a revealing picture on Instagram to an incriminating text message.

Major enterprises are similarly careless in how they leave their data lying around. In 2013, Adobe presented a textbook case of this by leaving extra copies of data they didn't need lying around on a poorly secured backup system set to be decommissioned -- but not before it was breached. Adobe's data hygiene was so bad that they initially grossly underestimated the number of compromised user accounts; meanwhile, companies like Anthem, Yahoo, and Equifax have found themselves in similar situations recently. (See: My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.) Moreover, as InfoSec experts and government agencies alike have pointed out, data that isn't retained (i.e., because it is not needed) can't be compromised.

To wit, IT organizations not keeping track of, managing, and restricting all the places their data lives and how it is handled throughout the secure development lifecycle (SDLC) are just as foolish as a Maury guest who leaves his mistress's lingerie in the backseat of his SUV. The lesson: Keep track of what you store where, and for how long.

Of course, if some of Maury's guests were exercising best practices when it comes to what they put where, they wouldn't be cheaters to begin with -- but I digress.

Use intelligent solutions to detect malicious activity

The use of honeypots is not restricted to IT security. Consider the astounding frequency with which male lie-detector show guests on Maury are taken in by them. The mark, accused by his wife or girlfriend of infidelity, waits in the Maury green room for a polygraph or pre-show interview or whatnot -- where a young, attractive woman in a revealing outfit is similarly waiting to speak to a Maury staffer.

The two get to talking -- and, eventually, kissing (and, in some cases, more).

The following day, the mark goes on Maury -- pleading his innocence and fidelity. At this point, Maury's producers play the video of the mark in flagrante delicto with what was actually a Sexy Decoy. His unauthorized network activity has been caught. Honeypots work.

Yet that's not the only network-security lesson here. It would not have taken a lot of intelligence to figure out that these are not the kind of data assets to which the user should have had administrative access in the first place. A comparison with typical network activity ("Do young, attractive, libertine women I've just met often throw themselves at me?") would have revealed to these dupes that deception was afoot. And, indeed, numerous machine-learning and deep-learning enterprise network security tools are available to analyze employee and other user activity -- distinguishing between normal and abnormal data access and network-traffic patterns, and finding malicious, compromised, and sometimes simply careless users. These simple comparison checks are all that is needed to save yourself from saying, "I should have known."

Don't take their word for it

One of the rules of thumb about Maury is that, when a mother offers a percentage of how certain she is that a given man is the father of her child, that number is inversely proportional to the actual probability that the man is the father.

  • "I am 100% sure."
  • "I am 110% sure."
  • "I am 365% sure." (Really.)
  • "I am 1,000% sure."
  • "I am 5,000% sure."
  • "I am 10,000% sure."
  • "I am 1,000,000% sure."

To be sure, there are exceptions that prove the rule, but in general, this phenomenon is a reminder of a Cold War-era lesson: "Trust, but verify."

As I've previously noted here at Security Now, it is no secret that vendors may give assurances that they are adequately secure when, in fact, they are not -- and that this can be true of even cybersecurity vendors. (See CFOs: Cybersecurity Is About Risk, Not Vendors.) Previous IT administrators and even current colleagues should likewise have their work double-checked for security and consistency.

Don't just take their word for it without question. Otherwise, like many a Maury guest, you risk winding up looking like a sucker.

End willful ignorance

Of course, this kind of certainty is often born -- pun unintended -- of wishful thinking. On many a Maury, despite oodles of compelling exculpatory evidence (including, in at least one case, a child having a rare genetic disorder for which neither mother nor putative father was a carrier), a mother will insist that a particular man is the father of her baby -- only to run backstage screaming and crying after Maury reads DNA results to the contrary, unwilling to accept this most definitive of indicators that she has fought so hard to ignore.

A lot of IT organizations are the same way; enterprise executives may similarly wish for the unlikely best-case scenario, ignoring and denying all evidence to the contrary, when it comes to information-security and data-protection matters. Chris Richter, senior vice president of Global Managed Security Services at CenturyLink (and formerly at Level 3 Communications) tells Security Now that, because it sees traffic crossing approximately 75% of global IPv4 address space, CenturyLink is able to detect malicious activity occurring in enterprises before they know of it themselves -- and they are not always grateful when given a heads up.

"We've called up companies, thinking [that] we're being good network citizens and good stewards of the Internet, saying, 'Hey, you're hosting a major botnet inside of your organization,'" Richter related to me in an interview. "And this has actually happened: They'll say to our security team, 'Thank you for the phone call. Thank you for letting us know. Don't ever call us again.' And you, as a lawyer, know why."

Indeed, knowledge of a breach may instantly trigger breach-notification duties and other liabilities -- duties and liabilities that Uber apparently tried to avoid when it reportedly covered up a major data breach in 2016. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.) But the kind of willfully ignorant, see-no-evil approach to cybersecurity and data-protection compliance that Richter has so often seen is like assuring passengers of the Titanic that everything is fine. It's not fine, and enterprise IT must face the music when things go sour.

As an old saying goes, "Every large problem started as a small problem." Don't make it worse.

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
