The 2016 Rocky Mountain Information Security Conference (RMISC) May 11 and 12 featured two somewhat cynical and highly perceptive keynote speakers: security industry leader John McAfee and Cyber Security Hall of Famer (and my former boss and professor at Purdue University) Dr. Eugene (Spaf) Spafford. In a conversation after the conference, Spaf said that McAfee’s opening remarks had prompted him to rewrite his closing keynote.
McAfee’s keen observation was that the Darwinian principle of “survival of the fittest” will play out as organizations and individuals come into contact with the harsh reality of malware and intercepted signals.
“All you have to say is ‘Your account has changed,’ and 90 percent of people will click on it. We have become lazy,” he said. “Our devices are doing the thinking. We don’t even know our friends’ phone numbers anymore. Part of me thinks this is just an evolutionary purge. People who don’t think before acting, they’ll eventually disappear.”1
Those who manage to adapt their behavior to changing threat environments will outperform those who persist in at-risk behavior when using technology. And that performance is not measured only in digital terms. Some 81% of companies that had adopted Internet of Things (IoT) technology and participated in a survey by Neustar reported having experienced attacks in 2015. Theft of finances, customer data, and/or intellectual property resulted in 43% of the cases reported.2 Social engineering is implicated in the majority of successful, high-profile hacks—and there’s no technological fix for impaired judgment.
Spaf also looked to biological analogies to illuminate the security conundrum. In line with George Santayana’s caution about the perils of ignoring history, Spaf explored past biological contagions and the winding path that led to discoveries of root causes, infection vectors, and, ultimately, containment.
In one case, the “aha” moment came after methodical analysis and the slow acceptance of a new paradigm. In the other, the “aha” moment materialized by a stroke of fortune that was one part good and one part bad: the London fire of 1666.
Prior to The Great Fire, Londoners were being decimated by The Great Plague (i.e., bubonic plague)—approximately 100,000 deaths (15% of the population) in 1665. By contrast, only six people perished in the fire according to official records. The real victims of the fire, temporary human homelessness aside, were the infected fleas and flea-bearing rats that nested comfortably in the thatched roofs and dined on the scraps of food and waste strewn in the streets and cramped, squalid living quarters: lots of prospective hosts with weak or compromised immune systems in close proximity to one another. Sound like a familiar technology scenario? Consider hotel lobbies, airport terminals, coffee shops . . . and your work and home environments. Firewalls—not fire—are part of the answer. Isolate yourself from virus nesting areas (e.g., those tempting “click me” opportunities) and insulate yourself from social engineering traps (e.g., the no-need-to-know top-secret report on company salaries).
Spaf’s other historical lesson came from the London cholera outbreak of 1854. Physician John Snow tracked the course of infection to a public water pump on Broad Street. He proposed simply that the pump handle be removed so that individuals could not make the wrong decision with respect to using the pump or not. Perhaps it’s time for manufacturers of mobile devices, for example, to step up and remove the infection-releasing handles: harden devices and applications before marketing them. Build security in before products are shipped to consumers. And perhaps it’s time for organizations to lock down potentially dangerous employee practices: implement and enforce robust security policies that cannot be subverted easily. Recruit everyone as a member of the security team.
Or maybe we just wait until those who fail to adapt to threat realities succumb to successful exploits. That’ll learn ‘em as well.
1 As quoted by columnist Tamara Chuang in Tamara Chuang (11 May 2016), “Security celeb John McAfee says rise of malware an ‘evolutionary purge’,” The Denver Post. Retrieved from http://www.denverpost.com/2016/05/11/security-celeb-john-mcafee-says-rise-of-malware-an-evolutionary-purge/
2 Neustar (April 2016), “Neustar DDOS Attacks & Protection Report.” Retrieved from http://resources.idgenterprise.com/original/AST-0166853_2016-apr-ddos-report.pdf