Security needs to learn from the aviation biz to avoid crashing
'Until someone has to go to jail for doing it wrong the teeth are not going to be the same'
Black Hat video The security industry needs to take a leaf from the manual of an industry where smart incident response is literally life and death, if it is to fix systemic problems.
In a presentation at the Black Hat security conference in Las Vegas, Tarah Wheeler, a senior fellow to the US Council on Foreign Relations and founder of security startup Red Queen Dynamics, and Harvard Kennedy School researcher Victoria Ontiveros unveiled a project that takes the exhaustive incident investigation processes used in the aviation industry and applies them to information security.
Wheeler spoke to The Register about the concept before the show:
There's too much concentration on a single point of failure as an explanation for security failing, she said, but that's almost never the case. When a security system fails massively, as in the case of the Equifax hack, the blame too often lands on a single employee or a small group of employees who are fired, and too many people see that as the end of the job.
But when an aircraft crashes, professional investigators spend time going over the incident to backtrace exactly what went wrong and why, and then advise all the people and companies involved of the findings so they can be addressed. The same needs to happen in security, she argues.
To that end, the two have now released the Major Cyber Incident Investigations Playbook, which is based on Harvard research and provides a structured format for logging facts about a security incident that can be analyzed and shared. The results can then be fed back to organizations to implement and fix long-term issues rather than relying on spot fixes.
Cyberinsurance is mostly a positive thing, Wheeler said, because it's a massive driver for change without strict government enforcement. But criminal negligence is a thing and one day the teeth could get sharpened.
"Until someone has to go to jail for doing it wrong the teeth are not going to be the same," she pointed out.
The fact that government is finally hiring proper engineers for key posts was also a hopeful sign for better security, as was the fact that the industry as a whole is getting better at communication between technical and non-techie audiences. But there's still a massive skills gap, she said, in a wide-ranging interview. ®
And as post-credit scenes are now the vogue, there's a small one at the end of this interview that may amuse fans of the mini-panther life.