The Forum of Incident Response and Security Teams (FIRST) holds an annual conference to promote coordination and cooperation among global Computer Security Incident Response Teams (CSIRTs). This year’s conference ran from 26 June to 1 July, in Dublin, Ireland. These are Andrew Cormack’s notes on presentations relating to #FIRSTCON22’s theme ‘Strength Together’.
Trust or mutual benefit?
The theme of this year’s FIRST conference was ‘Strength Together’. Since I first attended the conference in 1999, we’ve always said the basis for working together was ‘trust’. However, that’s a notoriously slippery word — lawyers, computer scientists and psychologists ascribe different meanings to it — and I wonder whether security and incident response would benefit from a different framing.
When I joined the global incident response community, I tried to observe behaviour, so I could fit in without causing offence. My conclusion was that relationships were actually established by ‘I will spend some time on you. If that makes my life better then I will spend more time on you’. Trust may develop as part of that collaboration, but the actual basis for it is mutual benefit. The hour I take out of my primary job of protecting my customers will be more than justified if your actions save me two hours in the future.
This may seem like semantics, but I think it’s more important. As Wendy Nather’s keynote explored, my next security catastrophe may well originate in an entity I’ve never heard of — whether an obscure software library, an organization deep in my (security!) supply chain, or a data processor engaged by an apparently peripheral organizational function. In a world where global service providers can be disabled by insecure webcams, ‘strength together’ needs to extend far beyond those we have established trust relations with. In an emergency, ‘are we trusted?’ may be too high a bar; ‘are we recognized?’ (by others and by the claimed constituency) may be where we need to start.
And, in tough economic times, invoking ‘trust’ and ‘social responsibility’ may underplay the importance of working together. It’s often said that trust is hard to gain, easy to lose. When working together is business-critical, we simply can’t afford to lose the basis for it. A panel session suggested ‘socially responsible’ as a motivation for information sharing, but if that’s the best we can do then we shouldn’t be surprised when its budget gets cut. Again, we need to frame working together as essential, not optional.
As the European Commission’s draft NIS2 Directive recognized, effective cybersecurity collaboration is now critical for individuals, organizations, the economy, and society. The opposite of ‘strength together’ is ‘weakness apart’. Unless we recognize the necessity of working with others to improve the entire digital environment then it may not be long before that environment becomes intolerable for all of us.
Security poverty: A problem for everyone
Wendy Nather’s keynote considered the security poverty line, and why it should concern those above it at least as much as those below. To secure our systems and data requires resources (tools and people); expertise to apply those effectively; and capability, including sufficient influence to overcome blocking situations or logistics.
But most current guidance, tools and practice are designed for those above the poverty line, not below. That’s a problem because insecurity now affects everyone in the digital environment. Pollution is a better metaphor than escaping hungry bears — ‘There’s more than enough bear for everyone’. Even organizations whose own security is excellent can be hit by breaches in software or services they didn’t know they were dependent on, or devices with which they have no relationship at all. In a digital world where global retailers can be taken offline by insecure webcams, helping improve others’ security may be as important as improving your own.
To do that we need to move beyond talking about ‘awareness’ and do what we can to increase ‘capability’. Small organizations, or those in sectors with low profit margins, can’t afford state-of-the-art security software or people. Dashboards that give security experts visibility of everything that is going on may be less useful to a part-time system administrator who just needs to identify and fix a problem. Open-source software is great, but it’s not free when you include the costs of the skilled people to install, configure and run it. A survey of security experts asked, ‘what is the minimum set of tools?’ and came up with lists of between four and thirty-one tools. The baseline looked a lot like the Payment Card Industry Data Security Standard (PCI DSS), but even that may be beyond the capability of a small business using off-the-shelf security tools.
Legacy systems are a major risk factor. Organizations that proactively refresh their technology experience much better security outcomes. It may even have wider benefits — recruitment is likely to be easier for organizations that offer a modern infrastructure experience. So, what can we do to help others move at least non-core business systems (for example email and payroll) to cloud-based services where many of the security issues are looked after by the provider? When we work with our own providers, can we encourage them to make essential security functions, such as multi-factor authentication, part of the basic product rather than an add-on? Instead of bare lists of tools, could industry sectors develop their own reference architectures, aligning with business and cultural constraints, to help those with less capability implement systems that are easier to operate securely, improve interoperability, and reduce vendor lock-in? And can they work together to discover services that represent a common dependency, and help reduce the shared risk?
The pollution metaphor suggests a shared reputational risk as well as a security one. If individuals lose confidence in digital systems and services then we all suffer, not just those directly causing the problem. Over the past decade, governments have started to help with ‘ordinary’ Internet security threats not just advanced, state-level ones. If you are fortunate enough to be above the security poverty line then consider how you can contribute — help others reduce incidents, respond to those that happen, and learn from them, to improve security and confidence for all of us.
Next in this series, I’ll look at topics from #FIRSTCON22 relating to automated network and security management.
Andrew Cormack is Chief Regulatory Advisor at Jisc, and is responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. Andrew ran the JANET-CERT and EuroCERT Incident Response Teams.
This post is adapted from posts at Jisc Blog.