Dark Reading is part of the Informa Tech Division of Informa PLC


Security Management | News Analysis - Security Now
1/31/2018 08:05 AM
Joe Stanganelli

Four Enterprise Security Lessons From Maury

Popular daytime TV show Maury offers some surprisingly apt lessons for enterprise IT leaders for keeping their data protected and their networks secure.

Who would have thought that daytime TV and enterprise IT security have so much in common?

I confess that I've picked up a guilty pleasure: watching Maury -- the 20-year-old daytime talk show hosted by former A Current Affair anchor Maury Povich. The show is notorious for generally sticking to paternity tests and infidelity-related polygraphs -- deadbeats and deceivers. And I find it compelling for one simple reason: At the end of almost every Maury segment, there is a clear, binary resolution. "You ARE the father" or "You ARE NOT the father." "That was a lie" or "You are telling the truth."

Recently, as I was catching up on episodes of Maury during a lazy weekend, I had a stunning revelation -- about how I could make my cable and DVR costs completely tax-deductible.

Er, more specifically: I realized that, every day, Maury's guests get in trouble and wind up on his show by doing the same things that get enterprise IT organizations in trouble with hackers and regulators. Just as Maury guests find themselves on TV for making the same ridiculous and outrageous mistakes over and over, so too do IT and security leaders at major enterprises.

For a data-protection geek like me, Maury is chock full of data-stewardship lessons if you pay attention to the patterns. Below are four of the most exemplary -- and most common -- problems that routinely crop up for IT organizations and Maury guests alike:

Practice good data-storage hygiene
Maury guests suspected of infidelity are often first suspected because of evidence they've left lying around. Sometimes, it's physical: a condom, a set of underwear, a telltale beauty product. Other times, it's digital: Everything from a revealing picture on Instagram to an incriminating text message.

Major enterprises are similarly careless in how they leave their data lying around. In 2013, Adobe presented a textbook case of this by leaving extra copies of data they didn't need lying around on a poorly secured backup system set to be decommissioned -- but not before it was breached. Adobe's data hygiene was so bad that they initially grossly underestimated the number of compromised user accounts; meanwhile, companies like Anthem, Yahoo, and Equifax have found themselves in similar situations recently. (See: My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.) Moreover, as InfoSec experts and government agencies alike have pointed out, data that isn't retained (i.e., because it is not needed) can't be compromised.

To wit, IT organizations not keeping track of, managing, and restricting all the places their data lives and how it is handled throughout the secure development lifecycle (SDLC) are just as foolish as a Maury guest who leaves his mistress's lingerie in the backseat of his SUV. The lesson: Keep track of what you store where, and for how long.

Of course, if some of Maury's guests were exercising best practices when it comes to what they put where, they wouldn't be cheaters to begin with -- but I digress.

Use intelligent solutions to detect malicious activity


The use of honeypots is not restricted to IT security. Consider the astounding frequency with which male lie-detector show guests on Maury are taken in by them. The mark, accused by his wife or girlfriend of infidelity, waits in the Maury green room for a polygraph or pre-show interview or whatnot -- where a young, attractive woman in a revealing outfit is similarly waiting to speak to a Maury staffer.

The two get to talking -- and, eventually, kissing (and, in some cases, more).

The following day, the mark goes on Maury -- pleading his innocence and fidelity. At this point, Maury's producers play the video of the mark in flagrante delicto with what was actually a Sexy Decoy. His unauthorized network activity has been caught. Honeypots work.

Yet that's not the only network-security lesson here. It would not have taken a lot of intelligence to figure out that these are not the kind of data assets to which the user should have had administrative access in the first place. A comparison with typical network activity ("Do young, attractive, libertine women I've just met often throw themselves at me?") would have revealed to these dupes that deception was afoot. And, indeed, numerous machine-learning and deep-learning enterprise network security tools are available to analyze employee and other user activity -- distinguishing between normal and abnormal data access and network-traffic patterns, and finding malicious, compromised, and sometimes simply careless users. These simple comparison checks are all that is needed to save yourself from saying, "I should have known."
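As an added example (not code from the article or from any vendor it mentions), here are the two checks this section describes, run over a handful of constructed access-log records in Python: a honeytoken alert, which fires on any touch of a planted decoy resource, and a per-user baseline comparison that flags a day whose read volume is far outside that user's own history. The log format, user names, resource names and thresholds are all assumptions made for the example.

```python
"""Added example: decoy-access alerting plus a per-user baseline check.

Both checks run over SAMPLE_LOG, a constructed list of access records of the
form (day, user, resource, bytes_read). Nothing here is from the article; the
names and numbers are invented to illustrate the two ideas the text describes.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Planted decoy files that no legitimate workflow ever reads. Any access is an
# alert on its own, no baseline needed (assumption: these paths are honeytokens).
HONEYTOKENS = {
    "/finance/payroll_backup_DECOY.xlsx",
    "/hr/exec_salaries_DECOY.csv",
}

# Constructed sample log: (day, user, resource, bytes_read)
SAMPLE_LOG = [
    (1, "alice", "/reports/q1.pdf", 120_000),
    (1, "alice", "/reports/q2.pdf", 110_000),
    (2, "alice", "/reports/q3.pdf", 130_000),
    (3, "alice", "/reports/q4.pdf", 125_000),
    (4, "alice", "/reports/q1.pdf", 115_000),
    (5, "alice", "/reports/q2.pdf", 118_000),
    (6, "alice", "/customers/export_all.csv", 9_800_000),   # sudden mass read
    (1, "bob", "/eng/design.docx", 40_000),
    (2, "bob", "/eng/design.docx", 41_000),
    (3, "bob", "/finance/payroll_backup_DECOY.xlsx", 2_000),  # touched a decoy
]


def honeytoken_hits(log):
    """Return (day, user, resource) for every access to a planted decoy."""
    return [(d, u, r) for d, u, r, _ in log if r in HONEYTOKENS]


def daily_bytes(log):
    """Aggregate bytes read per user per day: {user: {day: bytes}}."""
    totals = defaultdict(int)
    for d, u, _, b in log:
        totals[(u, d)] += b
    per_user = defaultdict(dict)
    for (u, d), b in totals.items():
        per_user[u][d] = b
    return per_user


def baseline_outliers(log, z_threshold=3.0, min_history=3):
    """Flag (user, day, z) where a day's read volume sits more than z_threshold
    standard deviations above that user's own earlier days.

    Users with fewer than min_history prior days are skipped: a baseline built
    from one or two points says nothing about what is "normal" for them.
    """
    alerts = []
    for user, days in daily_bytes(log).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            if len(history) < min_history:
                continue
            mu, sigma = mean(history), pstdev(history)
            # A perfectly flat history would make any change infinitely many
            # sigmas off; apply a small floor so trivial wobble is not flagged.
            sigma = max(sigma, 0.05 * mu)
            z = (days[day] - mu) / sigma
            if z > z_threshold:
                alerts.append((user, day, round(z, 1)))
    return alerts


def triage(log):
    """Run both checks and return them together, as a detection pipeline would."""
    return {
        "honeytoken": honeytoken_hits(log),
        "baseline": baseline_outliers(log),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for hit in hits:
            print(f"ALERT [{kind}] {hit}")
```

The two checks are deliberately different in kind: the decoy check needs no history at all, which is why a well-placed honeytoken catches an intruder on day one, while the baseline check only becomes meaningful once a user has enough ordinary days on record to compare against. In the sample log, bob trips the decoy on day 3, and alice's export on day 6 is flagged because it dwarfs her previous five days; bob's small day-to-day variation is never flagged because his history is too short to support a baseline.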

Don't take their word for it


One of the rules of thumb about Maury is that, when a mother offers a percentage of how certain she is that a given man is the father of her child, that number is inversely proportional to the actual probability that the man is the father.

  • "I am 100% sure."
  • "I am 110% sure."
  • "I am 365% sure." (Really.)
  • "I am 1,000% sure."
  • "I am 5,000% sure."
  • "I am 10,000% sure."
  • "I am 1,000,000% sure."

To be sure, there are exceptions that prove the rule, but in general, this phenomenon is a reminder of a Cold War-era lesson: "Trust, but verify."

As I've previously noted here at Security Now, it is no secret that vendors may give assurances that they are adequately secure when, in fact, they are not -- and that this can be true of even cybersecurity vendors. (See CFOs: Cybersecurity Is About Risk, Not Vendors.) Previous IT administrators and even current colleagues should likewise have their work double-checked for security and consistency.

Don't just take their word for it without question. Otherwise, like many a Maury guest, you risk winding up looking like a sucker.

End willful ignorance


Of course, this kind of certainty is often born -- pun unintended -- of wishful thinking. On many a Maury, despite oodles of compelling exculpatory evidence to the contrary (including, in at least one case, a child having a rare genetic disorder for which neither mother nor putative father was a carrier), a mother will insist that a particular man is the father of her baby -- only to run backstage screaming and crying after Maury reads DNA results to the contrary, unwilling to accept this most definitive of indicators that she has fought so hard to ignore.

A lot of IT organizations are the same way; enterprise executives may similarly wish for the unlikely best-case scenario, ignoring and denying all evidence to the contrary, when it comes to information-security and data-protection matters. Chris Richter, senior vice president of Global Managed Security Services at CenturyLink (and formerly at Level 3 Communications) tells Security Now that, because it sees traffic crossing approximately 75% of global IPv4 address space, CenturyLink is able to detect malicious activity occurring in enterprises before they know of it themselves -- and they are not always grateful when given a heads up.

"We've called up companies, thinking [that] we're being good network citizens and good stewards of the Internet, saying, 'Hey, you're hosting a major botnet inside of your organization,'" Richter related to me in an interview. "And this has actually happened: They'll say to our security team, 'Thank you for the phone call. Thank you for letting us know. Don't ever call us again.' And you, as a lawyer, know why."

Indeed, knowledge of a breach may instantly trigger breach-notification duties and other liabilities -- duties and liabilities that Uber apparently tried to avoid when it reportedly covered up a major data breach in 2016. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.) But the kind of willfully ignorant, see-no-evil approach to cybersecurity and data-protection compliance that Richter has so often seen is like assuring passengers of the Titanic that everything is fine. It's not fine, and enterprise IT must face the music when things go sour.

As an old saying goes, "Every large problem started as a small problem." Don't make it worse.

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
