Everything is Security
Security in general, and Cybersecurity in particular, is a discipline rife with misunderstanding, misstatement, and a good deal of suspicion from outsiders. Today, I would like to address a very important concept that more and more security practitioners are adopting. Security is everyone's job; every last member of an organization, from the newest high school grad intern to the CEO, is responsible for good security hygiene. The corollary of this is that Everything is Security.
What is Security?
This is going to be an article of its own someday, but for today I will walk through a short primer. Security is the goals, responsibilities, practices, and ideology that go into protecting the Confidentiality, Integrity, and Availability of assets. In Cybersecurity, these assets are usually information assets, but physical assets count as well. It is generally the role of security practitioners to prevent failures of protection, to investigate failures when they do occur, and to work with management or another enforcement body to enforce consequences on the parties responsible for those failures.
Yes, Everyone. Everyone.
Now that I have your attention, I hope, we can discuss what that really means. I do not mean that everyone in an organization needs to be able to perform a complete analysis of the tactics, techniques, and procedures of an Advanced Persistent Threat. I do mean that everyone in an organization should generally understand the basics: why it is important not to set a simple password (see the case study below), or not to plug a random USB drive found in the parking lot into their organizational computer. Ultimately, these basic security practices and knowledge are grouped under the umbrella of "Security Awareness". Security awareness is an important consideration for any organization, and training on security awareness should be budgeted for and planned accordingly.
How a Giant Fell
Or How an Intern Sank Solarwinds
If the CEO of Solarwinds is to be believed, an intern made the mistake of setting an insecure password of "solarwinds123" on a production system. Personally, I do not buy that excuse, and neither do many in the community. Ultimately the accountable party in an organization is the CEO. For a lot of reasons I will not explain here, the CEO has to act with due diligence and practice due care. It is generally considered, in the cybersecurity community, that Security Awareness training is a must for all organizations. Almost every compliance framework I know has controls requiring Security Awareness training for all employees, lawyers recommend it, and so on. A company the size of Solarwinds was likely providing this training. The problem with "by the book" compliance is that it leads to situations like this one.
What should have happened was the development of a security culture. Security awareness training is the first step in this: it is essentially getting everybody read up on the basic knowledge of good security hygiene. This is also, generally, the intent of compliance frameworks that mandate security awareness training; they are designed to get companies past that first step. After that, the company needs to put forth some effort on its own. It needs to implement strong policies and both disciplinary and encouraging measures for good practice. I do not advocate for giving gift cards as bonuses, but I will advocate for sending an employee a 5-15 USD gift card for reporting an incident or potential incident. Have security competitions like "Who can create the strongest password?". Enlist your security personnel in making fun practices with rewards for performing well. Leaving security at awareness is how you get someone who mechanically knows what a strong password is, but still implements practices like "solarwinds123".
A tale of accidental insider threats
Now, I do not work at Solarwinds, so I cannot be certain the above is the reasoning. It is a common scenario, and probably the most likely, but there is another scenario that could fit this situation just as well. Let us assume there is a good culture of security and generally strong practices at the organization; even then, burnout leads to mistakes. In this situation we are going to use burnout colloquially, and not clinically. This refers to the practices of organizations that run on short deadlines, understaffed teams, and a profit focus. What these practices lead to is too few employees doing too much work to meet the deadlines that were promised in order to secure funding. This combination of events leads to three scenarios that impact security and could have impacted the above:
- Employees trying their best, but making mistakes because they are not appropriately focused on the task at hand.
- Employees who are intentionally cutting what corners they can to complete the task at hand in the time provided.
- Employees who are cognitively overloaded and legitimately think the password is either secure enough, or in some way acceptable, for the situation at hand.
All of these situations spawn from a failing of leadership, which ultimately is the accountability of the CEO. Because this lapse in security happened in one organization, we had a cascading effect on the US Department of Defense, foreign government entities, and a significant number of the Fortune 100 companies. All told, this led to catastrophic loss and impact to national security and to a significant portion of the world economy.
What all of this points to is that security must be on everyone's mind. From the intern spinning up a production patch server, to the IT admin who really wants to be an administrator on their own box, to the CEO who thinks that clicking this email is worth it if they get 500,000 USD out of it, everyone must consider the implications to the organization and the security of the environment when they make a decision to act. A single bad password, or a single USB device, can bring down an entire organization.
None of these events are necessarily the fault of the employee when they are in an environment that leads to those actions being requirements to get the job done.
- Profit-focus is bad, mmkay. Profit is an OK goal of an organization, but if your primary focus is Profit and not your mission, the organization will almost certainly fail. This is generally true of anything where the focus is the gain of capital, and not the betterment of the people. For more, go read some theory.