Monday, April 16, 2018

Why Corporate Security Should Be Like Museums? Edus Are.

I was preparing a talk for the 2018 Educause Security Professionals Conference and was trying to think of ways to show how EDU networks are really microcosms of society. I wrote in an earlier blog that EDUs are small cities. I've said that our network security strategy is a blend of commercial and ISP requirements. It wasn't until I ran into my friend, Christian Schreiber, that I heard the best analogy so far. As a CISO, I have to give a presentation every now and then to our Board of Visitors, our version of the corporate board of directors. I like to use real-world examples to explain our security strategy. Most board members come from the corporate world and want to know why we don't follow a corporate IT security strategy.

Well, Christian was working on a talk and he said EDUs are like a museum. At first, I thought he was going to tease us about being quaint, staid and stuffy. Rather than state the obvious :-), he pointed out the following:
  1. Museums allow all sorts of individuals into their building.
  2. Museums have high-value assets and protect them with a variety of tools and technical expertise.
  3. Key assets are highlighted to make them more accessible to the public.
  4. Museums cover their interiors with a wide variety of tools.
  5. Museums focus on detecting malicious operators who may already be inside the building.
Christian went further and gave some examples of museum defense in depth:
  1. Museums have few access points but they allow free flowing access to anyone.
  2. Museums erect additional barriers around high value assets.
  3. Museums have pervasive monitoring tools: video cameras, motion detectors, laser detection systems, visitor logs.
  4. Museums have numerous active response capabilities, such as uniformed guards, on-demand barriers, fire suppression systems and moving doors.
  5. Museums have recovery systems such as insurance and tracking devices embedded in high value assets.
  6. Museums assume there are hostiles inside their buildings.
As you can see, there are continuous monitoring, zero-trust network and network forensics components embedded in the bullet items above. Museums allow visitors to bring their own devices, take pictures, buy souvenirs and wander freely within public spaces. They also have restricted areas that require additional authentication and authorization.

IoT and BYOD have been forcing organizations to reconsider how their network security should be implemented. The traditional border security model will fail in the new technology model unless it adapts to a mobile user environment. I used to say the device was the border. Nowadays, I believe there are 2 new borders that need to be considered:
  1. User identity - users access their work/home assets from all over the internet. For example, eduroam allows members of one EDU to connect to the internet using another EDU's network and the member's home institution credentials.
  2. Data - if data becomes the new border, then does it matter where it's stored? If its protection schemes focus on the data element itself, then I don't believe it matters.
Given these 2 new borders, the museum defense model makes a lot of sense. This doesn't mean that you should discard the older perimeter-style defenses, but it does mean the combination of these layers forms the basis of a reasonable, successful museum defense.
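To make the two new borders concrete, here is an added example (not from the original post) of a hypothetical access-decision module built on the museum model: decisions key on the user's federated identity assurance and the asset's data classification, the source network is logged but never consulted, every request lands in a visitor log, and repeated denied probes of restricted assets flag a possible hostile already inside. Principal names, classifications and the alert threshold are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed, hypothetical policy demonstrating the "museum" model: access
# decisions depend on identity and data classification, never on network location.

@dataclass(frozen=True)
class User:
    principal: str      # federated identity, e.g. "alice@home.example" (eduroam-style)
    assurance: int      # 0 = anonymous visitor, 1 = home-institution password, 2 = MFA

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # "public", "internal" or "restricted"

# Extra barrier around high-value assets: the assurance level each classification demands
REQUIRED_ASSURANCE = {"public": 0, "internal": 1, "restricted": 2}
# Hostile-inside heuristic: this many denied attempts on restricted assets raises an alert
DENIED_RESTRICTED_ALERT = 3

@dataclass
class Museum:
    audit: list = field(default_factory=list)        # visitor log: every request, allowed or not
    denied: Counter = field(default_factory=Counter)  # denied restricted attempts per principal

    def decide(self, user: User, asset: Asset, source_net: str) -> bool:
        """Allow iff the user's assurance meets the asset's requirement.

        source_net is recorded for forensics only; being on the campus LAN
        grants nothing and coming in over another EDU's eduroam costs nothing.
        """
        required = REQUIRED_ASSURANCE[asset.classification]
        allowed = user.assurance >= required
        self.audit.append((user.principal, asset.name, source_net, allowed))
        if not allowed and asset.classification == "restricted":
            self.denied[user.principal] += 1
        return allowed

    def suspects(self) -> list:
        """Principals whose denied restricted-asset attempts reached the alert threshold."""
        return sorted(p for p, n in self.denied.items() if n >= DENIED_RESTRICTED_ALERT)
```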


Friday, January 5, 2018

Cybersecurity's Biggest Mistake - The Daystrom Syndrome

I've been very fortunate to be part of the design team of the Virginia Cyber Range (www.virginiacyberrange.org). The range is designed to a) be a course repository (full course material, individual course modules, individual lab exercises) for NSA CAE schools in VA and K-12 schools in VA and b) provide an environment to run these classes and exercises from any location in the world. I'll have more on that in a later blog. One of the unexpected surprises in the project is the enthusiastic adoption of the Range by the K-12 schools. K-12 teachers were caught in the middle of a number of competing worlds:
  • Federal and state political pressure on school systems to include cybersecurity concepts in K-12 classes
  • School system pressure on K-12 schools to do the same
  • Local (principal) pressure on local faculty to develop these courses
  • Teachers are unable to create these environments because of school system and local IT resistance to building the environment needed to teach these classes.
That last bullet item turned out to be the major stumbling block in implementing these education programs. Why? As you probably know, local school systems have tightly regulated, locked down and restricted access to the internet from their school networks. Some of the reasons have to do with parental concern about questionable material/people on the net getting access to K-12 students, and with the general concern of the school IT staff to protect systems and data from unauthorized access. I suspect the real reason is a lack of funding to increase IT staff sizes and provide training to said staff. When you're 1 admin for 1000 machines, you're not going to allow special cases, simply because you don't have the cycles to provide the required support.

I came from the sysadmin world and remember the "prime directive" of sysadmins: "Keep the systems running at all costs". This directive, while noble, has caused a great many security headaches over the past 25 years. Simple things like patching the OS, applications and hardware for security issues run into the sysadmin prime directive, which has resulted in security vulnerabilities not being corrected in a timely manner.

This reminds me of the "Ultimate Computer" episode of Star Trek (TOS). The Enterprise was fitted with the new M5 computer, which automated the ship's handling, offensive and defensive capabilities. When things went south quickly because the M5 started behaving in a dangerous manner, Dr. Daystrom was blind to what the machine was doing because of his loyalty to a particular train of thought ("You don't shut a child off when it makes a mistake. M-5 is growing, learning." "Learning to kill." "To defend itself. It's quite a different thing.").

Sysadmins were infected with the "Daystrom syndrome", where we became so involved (enamored?) with our technology that we lost sight of the real goal of our technology: to allow people to use the technology in a way that is meaningful to themselves and to the business. Some examples of this Daystrom Syndrome variant include:
  • making systems harder to use for the sake of "security" of the system
  • restricting how users can access information that is "questionable" to the IT person but not the user. We're not talking about porn here. We're talking about using the Internet as a research tool to get software, algorithms, etc. that make our business more efficient and how this behavior is restricted by IT because of security issues.
  • not patching systems because that would require them to be unavailable for a period of time. This downtime violates the 24x7 availability rule that is one of the governing things that sets sysadmin behavior.
  • Anything that causes the user to say "IT won't let me do this"
  • Anything that causes sysadmins to say "users will wreck our security, availability, stability".
Sysadmins and their upper management have forgotten that the prime reason IT exists in business is to allow the business to make more money (grow the business) by making business processes more efficient.

Let me come back to the Range and K-12 scenario. The conundrum is that the K-12 teachers need to build machines that can connect to the net and be configured and modified by teachers and students. Let's also face the fact that most school IT suffers from low budgets and the machine/staff ratio is frighteningly high. These factors, combined with the Daystrom syndrome, mean the K-12 teachers are told they can't use the school systems or net to build these cybersecurity classes. The Range provides an environment that allows teachers to create a space for their classes without IT interference. The school IT just has to allow web access to the Range. Unfortunately, this is sometimes easier said than done.

This brings me back to my premise: IT has created a worse security problem than the one it was trying to solve. By imposing unnecessary restrictions on user behavior, IT prevents users from doing their jobs, which encourages them to bypass these restrictions.

It's time for us to rethink the model.