The Daily Swig Web security digest

Moving security forward by looking back

Dave Lewis | 08 February 2018 at 14:40

Infosec experts must learn from past mistakes in order to avoid the dreaded Hamster Wheel of Pain.

We seldom collectively do a good job of learning from our mistakes. Case in point: last week I was bending down to pick something up from the floor. I had calculated that there was a fireplace nearby, but I was too quick and my calculations were flawed, to say the least.

I smashed my head on the fireplace and crumpled to the floor.

A few days later, I was helping my son and leaned down to pick something up for him. Again, I was too quick and slammed my head into yet another piece of furniture. My son thought I had lost my marbles as I lay there on the floor laughing.

I didn’t know how to explain to my three-year-old the humor I found in the correlation with information security in general.

Once upon a time, Andrew Jaquith coined the term “Hamster Wheel of Pain”. This is how it feels to work in information security – we continually bash our heads into things, but seldom learn from our errors.

By way of example, in 2017 we saw the data breach at Equifax and the catastrophic results of malicious software that utilized flaws that had lingered in systems for many years.

Security debt is a real and present danger for most large enterprises that have been operating for over a decade.

One poignant example was the Heartbleed debacle from April 2014. This was a flaw in a library that was widely used across the internet, but no one had thought to check the safety of said software.

The upside of the Heartbleed vulnerability was that this software now has been reviewed, and the team maintaining it has money to put towards long-term development. The problem here is that it took a significant event to get things in order.

Why can we not learn from our mistakes? Why do we continue to spin around on the hamster wheel?

What is needed is a way to capture the lessons learned so that we can stop making the same mistakes over and over again. This is necessary for cybersecurity as a whole to mature as a profession.

Maturity is born out of experiences, and we can grow when we learn and share from these incidents and experiences.

The Equifax breach was a marvel on many levels. The CISO, CIO, and CEO all lost their jobs as a result of the fallout from the data breach. (But don’t feel too bad for them. The CEO left with $90 million in his pocket…)

The part that confused me most, however, was not the alleged Apache Struts vulnerability that was purported to have led to the breach. Rather, it was the web portal that allowed access to the exact same data with an easily guessed password, as Brian Krebs discussed in his article on the subject.

Moreover, as the scope and scale of Equifax’s failings became apparent during the Congressional Hearing, it was shocking to hear the CEO blame the entire breach on one person of their 225-strong security staff.

If your entire company hinges on one person missing something in a scan, then it is entirely possible that you have been remiss in your fiduciary responsibilities.

The present does not have to be the same as the past – and in order to avoid the Hamster Wheel of Pain, we should be continually learning from historical mistakes and missteps.

The more we allow security debt to accumulate, the greater the problems will be when the bill comes due.