Four Enterprise Security Lessons From Maury

Who would have thought that daytime TV and enterprise IT security have so much in common?

I confess that I've picked up a guilty pleasure: watching Maury -- the 20-year-old daytime talk show hosted by former A Current Affairs anchor Maury Povich. The show is notorious for generally sticking to paternity tests and infidelity-related polygraphs -- deadbeats and deceivers. And I find it compelling for one simple reason: At the end of almost every Maury segment, there is a clear, binary resolution. "You ARE the father" or "You ARE NOT the father." "That was a lie" or "You are telling the truth."

Recently, as I was catching up on episodes of Maury during a lazy weekend, I had a stunning revelation -- about how I could make my cable and DVR costs completely tax-deductible.

Er, more specifically: I realized that, every day, Maury's guests get in trouble and wind up on his show by doing the same things that get enterprise IT organizations companies in trouble with hackers and regulators. Just as Maury guests find themselves on TV for making the same ridiculous and outrageous mistakes over and over, so too do IT and security leaders at major enterprises.

Learn from the best...
\r\n(Source: Twitter/The Maury Show)\r\n

For a data-protection geek like me, Maury is chock full of data-stewardship lessons if you pay attention to the patterns. Below are four of the most exemplary -- and most common -- problems that routinely crop up for IT organizations and Maury guest alike:

Practice good data-storage hygiene
Maury guests suspected of infidelity are often first suspected because of evidence they've left lying around. Sometimes, it's physical: a condom, a set of underwear, a telltale beauty product. Other times, it's digital: Everything from a revealing picture on Instagram to an incriminating text message.

Major enterprises are similarly careless in how they leave their data lying around. In 2013, Adobe presented a textbook case of this by leaving extra copies of data they didn't need lying around on a poorly secured backup system set to be decommissioned -- but not before it was breached. Adobe's data hygiene was so bad that they initially grossly underestimated the number of compromised user accounts; meanwhile, companies like Anthem, Yahoo, and Equifax have found themselves in similar situations recently. (See: My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.) Moreover, as InfoSec experts and government agencies alike have pointed out, data that isn't retained (i.e., because it is not needed) can't be compromised.

To wit, IT organizations not keeping track of, managing, and restricting all the places their data lives and how it is handled throughout the secure development lifecycle (SDLC) are just as foolish as a Maury guest who leaves his mistress's lingerie in the backseat of his SUV. The lesson: Keep track of what you store where, and for how long.

Of course, if some of Maury's guests were exercising best practices when it comes to what they put where, they wouldn't be cheaters to begin with -- but I digress.

Use intelligent solutions to detect malicious activity

The use of honeypots is not restricted to IT security. Consider the astounding frequency with which male lie-detector show guests on Maury are taken in by them. The mark, accused by his wife or girlfriend of infidelity, waits in the Maury green room for a polygraph or pre-show interview or whatnot -- where a young, attractive woman in a revealing outfit is similarly waiting to speak to a Maurystaffer.

The two get to talking -- and, eventually, kissing (and, in some cases, more).

The following day, the mark goes on Maury -- pleading his innocence and fidelity. At this point, Maury's producers play the video of the mark in flagrante delicto with what was actually a Sexy Decoy. His unauthorized network activity has been caught. Honeypots work.

Yet that's not the only network-security lesson here. It would not have taken a lot of intelligence to figure out that these are not the kind of data assets to which the user should have had administrative access in the first place. A comparison with typical network activity ("Do young, attractive, libertine women I've just met often throw themselves at me?") would have revealed to these dupes that deception was afoot. And, indeed, numerous machine-learning and deep-learning enterprise networks security tools are available to analyze employee and other user activity -- distinguishing between normal and abnormal data access and network-traffic patterns, and finding malicious, compromised, and sometimes simply careless users. These simple comparison checks are all that is needed to save yourself from saying, "I should have known."

Don't take their word for it

One of the rules of thumb about Mauryis that, when a mother offers a percentage of how certain she is that a given man is the father of her child, that number is inversely proportional to the actual probability that the man is the father.

To be sure, there are exceptions that prove the rule, but in general, this phenomenon is a reminder of a Cold War-era lesson: "Trust, but verify."

As I've previously noted here at Security Now, it is no secret that vendors may give assurances that they are adequately secure when, in fact, they are not -- and that this can be true of even cybersecurity vendors. (See CFOs: Cybersecurity Is About Risk, Not Vendors.) Previous IT administrators and even current colleagues should likewise have their work double-checked for security and consistency.

Don't just take their word for it without question. Otherwise, like many a Maury guest, you risk winding up looking like a sucker.

End willful ignorance

Of course, this kind of certainty is often born -- pun unintended -- of wishful thinking. On many a Maury, despite oodles of compellingly exculpating evidence to the contrary (including, in at least one case, a child having a rare genetic disorder for which neither mother nor putative father were a carrier), a mother will insist that a particular man is the father of her baby -- only to run backstage screaming and crying after Maury reads DNA results to the contrary, unwilling to accept this most definitive of indicators that she has fought so hard to ignore.

A lot of IT organizations are the same way; enterprise executives may similarly wish for the unlikely best-case scenario, ignoring and denying all evidence to the contrary, when it comes to information-security and data-protection matters. Chris Richter, senior vice president of Global Managed Security Services at CenturyLink (and formerly at Level 3 Communications) tells Security Now that, because it sees traffic crossing approximately 75% of global IPv4 address space, CenturyLink is able to detect malicious activity occurring in enterprises before they know of it themselves -- and they are not always grateful when given a heads up.

"We've called up companies, thinking [that] we're being good network citizens and good stewards of the Internet, saying, "Hey, you're hosting a major botnet inside of your organization,'" Richter related to me in an interview. "And this has actually happened: They'll say to our security team, 'Thank you for the phone call. Thank you for letting us know. Don't ever call us again.' And you, as a lawyer, know why."

Indeed, knowledge of a breach may instantly trigger breach-notification duties and other liabilities -- duties and liabilities that Uber apparently tried to avoid when it reportedly covered up a major data breach in 2016. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.) But the kind of willfully ignorant, see-no-evil approach to cybersecurity and data-protection compliance that Richter has so often seen is like assuring passengers of the Titanic that everything is fine. It's not fine, and enterprise IT must face the music when things go sour.

As an old saying goes, "Every large problem started as a small problem." Don't make it worse.

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.