
Security Management

1/31/2018 08:05 AM
Joe Stanganelli
News Analysis-Security Now

Four Enterprise Security Lessons From Maury

Popular daytime TV show Maury offers some surprisingly apt lessons for enterprise IT leaders for keeping their data protected and their networks secure.

Who would have thought that daytime TV and enterprise IT security have so much in common?

I confess that I've picked up a guilty pleasure: watching Maury -- the 20-year-old daytime talk show hosted by former A Current Affair anchor Maury Povich. The show is notorious for generally sticking to paternity tests and infidelity-related polygraphs -- deadbeats and deceivers. And I find it compelling for one simple reason: At the end of almost every Maury segment, there is a clear, binary resolution. "You ARE the father" or "You ARE NOT the father." "That was a lie" or "You are telling the truth."

Recently, as I was catching up on episodes of Maury during a lazy weekend, I had a stunning revelation -- about how I could make my cable and DVR costs completely tax-deductible.

Er, more specifically: I realized that, every day, Maury's guests get in trouble and wind up on his show by doing the same things that get enterprise IT organizations in trouble with hackers and regulators. Just as Maury guests find themselves on TV for making the same ridiculous and outrageous mistakes over and over, so too do IT and security leaders at major enterprises.

Learn from the best... (Source: Twitter/The Maury Show)

For a data-protection geek like me, Maury is chock full of data-stewardship lessons if you pay attention to the patterns. Below are four of the most exemplary -- and most common -- problems that routinely crop up for IT organizations and Maury guests alike:

Practice good data-storage hygiene

Maury guests suspected of infidelity are often first suspected because of evidence they've left lying around. Sometimes, it's physical: a condom, a set of underwear, a telltale beauty product. Other times, it's digital: Everything from a revealing picture on Instagram to an incriminating text message.

Major enterprises are similarly careless in how they leave their data lying around. In 2013, Adobe presented a textbook case of this by leaving extra copies of data they didn't need lying around on a poorly secured backup system set to be decommissioned -- but not before it was breached. Adobe's data hygiene was so bad that they initially grossly underestimated the number of compromised user accounts; meanwhile, companies like Anthem, Yahoo, and Equifax have found themselves in similar situations recently. (See: My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.) Moreover, as InfoSec experts and government agencies alike have pointed out, data that isn't retained (i.e., because it is not needed) can't be compromised.

To wit, IT organizations not keeping track of, managing, and restricting all the places their data lives and how it is handled throughout the secure development lifecycle (SDLC) are just as foolish as a Maury guest who leaves his mistress's lingerie in the backseat of his SUV. The lesson: Keep track of what you store where, and for how long.

Of course, if some of Maury's guests were exercising best practices when it comes to what they put where, they wouldn't be cheaters to begin with -- but I digress.
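The "keep track of what you store where, and for how long" lesson is easiest to act on when the inventory is a record you can audit automatically. The following is an added example (not code from the article or from any of the companies it names) of such an audit: every dataset, host name, owner and retention period in it is constructed for illustration. It flags three things the Adobe story turns on: a copy that has outlived its retention period, a copy nobody is accountable for, and data still sitting on a system that is scheduled to be decommissioned.

```python
"""Data-inventory retention audit (added example; all values constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class DataCopy:
    dataset: str            # logical data set, e.g. "customer_accounts"
    location: str           # system holding a copy (constructed host names)
    owner: str              # accountable team; empty string means unowned
    created: date           # when this copy was made
    retention_days: int     # how long this copy is allowed to exist
    decommission_scheduled: bool = False  # host slated for retirement


def audit_inventory(copies, today):
    """Return (location, dataset, finding) tuples for every problem found.

    Findings:
      expired      - copy is older than its retention period
      unowned      - nobody is accountable for the copy
      stale-decom  - host is slated for decommissioning but still holds data
    """
    findings = []
    for c in copies:
        age_days = (today - c.created).days
        if age_days > c.retention_days:
            findings.append((c.location, c.dataset, "expired"))
        if not c.owner:
            findings.append((c.location, c.dataset, "unowned"))
        if c.decommission_scheduled:
            findings.append((c.location, c.dataset, "stale-decom"))
    return findings


# Constructed inventory: one primary store plus two copies that should
# not still be around.
TODAY = date(2018, 1, 31)
INVENTORY = [
    DataCopy("customer_accounts", "prod-db-01", "platform",
             date(2017, 6, 1), 3650),
    DataCopy("customer_accounts", "backup-old-07", "",
             date(2016, 1, 15), 365, decommission_scheduled=True),
    DataCopy("customer_accounts", "analytics-export", "analytics",
             date(2017, 1, 1), 180),
]


def findings_by_location(copies=INVENTORY, today=TODAY):
    """Group audit findings by the system that holds the offending copy."""
    grouped = {}
    for location, dataset, finding in audit_inventory(copies, today):
        grouped.setdefault(location, []).append(finding)
    return grouped


if __name__ == "__main__":
    for location, problems in findings_by_location().items():
        print(f"{location}: {', '.join(problems)}")
```

Run as a script it reports only the two stray copies; the primary store, which is owned and within retention, produces nothing. In practice the inventory would be fed from a CMDB or a DLP discovery scan rather than a hard-coded list, but the checks are the same.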

Use intelligent solutions to detect malicious activity


The use of honeypots is not restricted to IT security. Consider the astounding frequency with which male lie-detector show guests on Maury are taken in by them. The mark, accused by his wife or girlfriend of infidelity, waits in the Maury green room for a polygraph or pre-show interview or whatnot -- where a young, attractive woman in a revealing outfit is similarly waiting to speak to a Maury staffer.

The two get to talking -- and, eventually, kissing (and, in some cases, more).

The following day, the mark goes on Maury -- pleading his innocence and fidelity. At this point, Maury's producers play the video of the mark in flagrante delicto with what was actually a Sexy Decoy. His unauthorized network activity has been caught. Honeypots work.

Yet that's not the only network-security lesson here. It would not have taken a lot of intelligence to figure out that these are not the kind of data assets to which the user should have had administrative access in the first place. A comparison with typical network activity ("Do young, attractive, libertine women I've just met often throw themselves at me?") would have revealed to these dupes that deception was afoot. And, indeed, numerous machine-learning and deep-learning enterprise network-security tools are available to analyze employee and other user activity -- distinguishing between normal and abnormal data access and network-traffic patterns, and finding malicious, compromised, and sometimes simply careless users. These simple comparison checks are all that is needed to save yourself from saying, "I should have known."
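Both halves of this section (the decoy that should never be touched, and the "is this normal for this user?" comparison) can be shown in one small check. The following is an added example written for this article, not code from it or from any of the analytics vendors it alludes to; the log format, user names, share paths, the decoy share and the alerting thresholds are all constructed assumptions. It learns each user's usual shares and daily access volume from a history log, then flags today's activity that touches a decoy, opens a share the user has never used, or far exceeds the user's normal volume.

```python
"""Baseline comparison plus decoy-share alerting (added example; all data
constructed). Log format assumed: "YYYY-MM-DD user resource"."""
from collections import defaultdict
from statistics import mean, pstdev

# Decoy ("honeypot") shares that no user has a legitimate reason to open.
HONEYPOT_RESOURCES = {"/shares/finance_archive_DECOY"}

# Constructed history: alice reads marketing twice a day, bob engineering once.
BASELINE_LOG = """\
2018-01-22 alice /shares/marketing
2018-01-22 alice /shares/marketing
2018-01-23 alice /shares/marketing
2018-01-23 alice /shares/marketing
2018-01-24 alice /shares/marketing
2018-01-24 alice /shares/marketing
2018-01-25 alice /shares/marketing
2018-01-25 alice /shares/marketing
2018-01-22 bob /shares/engineering
2018-01-23 bob /shares/engineering
2018-01-24 bob /shares/engineering
2018-01-25 bob /shares/engineering
"""

# Constructed "today": bob wanders into shares he never uses, including the decoy.
TODAY_LOG = """\
2018-01-30 alice /shares/marketing
2018-01-30 alice /shares/marketing
2018-01-30 bob /shares/engineering
2018-01-30 bob /shares/hr
2018-01-30 bob /shares/finance
2018-01-30 bob /shares/finance_archive_DECOY
"""


def parse(log):
    """Yield (day, user, resource) from the constructed log format."""
    for line in log.splitlines():
        if line.strip():
            day, user, resource = line.split(maxsplit=2)
            yield day, user, resource


def build_baseline(log):
    """Per user: the set of resources seen and a list of daily access counts."""
    known = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, resource in parse(log):
        known[user].add(resource)
        daily[user][day] += 1
    return known, {u: list(d.values()) for u, d in daily.items()}


def detect(baseline_log, today_log, z_threshold=3.0, sigma_floor=0.5):
    """Return {user: [findings]} for users whose activity departs from baseline."""
    known, counts = build_baseline(baseline_log)
    today_count = defaultdict(int)
    findings = defaultdict(list)
    for _day, user, resource in parse(today_log):
        today_count[user] += 1
        if resource in HONEYPOT_RESOURCES:
            # Any touch of a decoy is an alert on its own; no baseline needed.
            findings[user].append(f"honeypot:{resource}")
        elif resource not in known.get(user, set()):
            findings[user].append(f"new-resource:{resource}")
    for user, n in today_count.items():
        hist = counts.get(user, [])
        mu = mean(hist) if hist else 0.0
        # The floor stops a perfectly flat history from dividing by zero and
        # from flagging a one-access change as a three-sigma event.
        sigma = max(pstdev(hist) if len(hist) > 1 else 0.0, sigma_floor)
        if (n - mu) / sigma > z_threshold:
            findings[user].append(f"volume:{n} vs baseline {mu:.1f}")
    return dict(findings)


if __name__ == "__main__":
    for user, problems in detect(BASELINE_LOG, TODAY_LOG).items():
        print(user, problems)
```

Alice's day matches her history and produces nothing; Bob is reported four times (two unfamiliar shares, the decoy, and a volume four times his norm). Real deployments use richer baselines (peer groups, time of day, byte counts), but the decision is still the comparison the article describes: what is typical for this user versus what just happened.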

Don't take their word for it


One of the rules of thumb about Maury is that, when a mother offers a percentage of how certain she is that a given man is the father of her child, that number is inversely proportional to the actual probability that the man is the father.

  • "I am 100% sure."
  • "I am 110% sure."
  • "I am 365% sure." (Really.)
  • "I am 1,000% sure."
  • "I am 5,000% sure."
  • "I am 10,000% sure."
  • "I am 1,000,000% sure."

To be sure, there are exceptions that prove the rule, but in general, this phenomenon is a reminder of a Cold War-era lesson: "Trust, but verify."

As I've previously noted here at Security Now, it is no secret that vendors may give assurances that they are adequately secure when, in fact, they are not -- and that this can be true of even cybersecurity vendors. (See CFOs: Cybersecurity Is About Risk, Not Vendors.) Previous IT administrators and even current colleagues should likewise have their work double-checked for security and consistency.

Don't just take their word for it without question. Otherwise, like many a Maury guest, you risk winding up looking like a sucker.

End willful ignorance


Of course, this kind of certainty is often born -- pun unintended -- of wishful thinking. On many a Maury, despite oodles of compellingly exculpating evidence to the contrary (including, in at least one case, a child having a rare genetic disorder for which neither mother nor putative father were a carrier), a mother will insist that a particular man is the father of her baby -- only to run backstage screaming and crying after Maury reads DNA results to the contrary, unwilling to accept this most definitive of indicators that she has fought so hard to ignore.

A lot of IT organizations are the same way; enterprise executives may similarly wish for the unlikely best-case scenario, ignoring and denying all evidence to the contrary, when it comes to information-security and data-protection matters. Chris Richter, senior vice president of Global Managed Security Services at CenturyLink (and formerly at Level 3 Communications) tells Security Now that, because it sees traffic crossing approximately 75% of global IPv4 address space, CenturyLink is able to detect malicious activity occurring in enterprises before they know of it themselves -- and they are not always grateful when given a heads up.

"We've called up companies, thinking [that] we're being good network citizens and good stewards of the Internet, saying, 'Hey, you're hosting a major botnet inside of your organization,'" Richter related to me in an interview. "And this has actually happened: They'll say to our security team, 'Thank you for the phone call. Thank you for letting us know. Don't ever call us again.' And you, as a lawyer, know why."

Indeed, knowledge of a breach may instantly trigger breach-notification duties and other liabilities -- duties and liabilities that Uber apparently tried to avoid when it reportedly covered up a major data breach in 2016. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.) But the kind of willfully ignorant, see-no-evil approach to cybersecurity and data-protection compliance that Richter has so often seen is like assuring passengers of the Titanic that everything is fine. It's not fine, and enterprise IT must face the music when things go sour.

As an old saying goes, "Every large problem started as a small problem." Don't make it worse.

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
