Hakuna Matata


Hakuna Matata, what a wonderful phrase.

When I think security, I think Hakuna Matata.  Imagine the harsh African desert, hyenas and lions coming to kill you at any turn. Drought or floods waiting to end your existence.

In the midst of this, a happy, safe oasis.  Secure by design.  No worries.

Security by design, no worries, no rules.  Just safety.  Freedom from fear.  Freedom from harm.  This is what we seek to create as security professionals.

Why do we fight our end users, our developers, our customers?  Because we fail to embrace this.  As a member of the security profession, someone has transferred risk to you.  You are their Hakuna Matata.

Wear it with pride.  Make their world safe by design.  Don’t seek retribution for mistakes, seek to make a world where they aren’t vulnerable to their own mistakes.  Protect them. Let them have an oasis in the desert, a place that Hakuna Matata lives.  Accept that transferral.

Wear it with pride.  

Hakuna.  Matata.

What a wonderful phrase.


Mothering

Happy Mother’s Day!

Moms tend to pass things on to us.  Genetic disposition, food allergies, values…  These come from moms (amongst others, but let’s stick to moms).  Moms watch over us, keep an eye on us when we’re vulnerable.  We learn safety and security is with our mom.  Over time these values become our own, until we turn around to our own children.

This inheritance fits the security world too.  Good security makes for better security, and poor security makes for worse security. We amplify what we were passed, for better or worse.  Whether this is adherence to a security policy, piggybacking doors, or remediating the latest Intel vulnerability that’s crashing the healthcare industry…  What we come from is what we bring.

I often hear security professionals complain about the childlike decision making of other IT professionals.  Maybe we can learn something from our mothers.  We knew exactly what would happen if we climbed that slide, and exactly whose eye would get poked out.  

Learn something from our moms, and pass it on to our profession.

Remember that your customers, your coworkers, your employees…  They amplify the culture you bring to the table.  What they come from they amplify too.  Be careful about who you bring in, maybe their security culture doesn’t line up to yours.  Not everyone had a great mom, and not everyone had a great security culture.

Let security start from the beginning of a project.  Let security hold the hand of new initiatives.  Let security be trusted, safe, nurturing.  Let security learn from moms, because they can be the best example of how to do it right.  Like a mother nurtures and fosters a child waiting to be born, we too can dream of and build a secure life…  From the beginning till they’re on their own two feet.

So here’s to you, moms.  Thanks for wiping our noses, changing our diapers, and instilling values that propel us through our daily life.  Thanks for giving us life.  Thanks for keeping us happy.  Thank you for all the gifts you have given us.

Hakuna Matata, moms.


Passwords

A mentor at work directed me to a fascinating statistic in the 2017 Verizon Data Breach Investigations Report.  

Password security is something we rant about.  Over.  And OVER.

Yet we’re doing something wrong.  Look above:  81% of hacking-related breaches leveraged stolen and/or weak passwords.  81%.

Let’s be clear:  This isn’t the number of passwords stolen, this is the percentage of breaches in which passwords were used to get into a company.  Our practices are failing to secure our users’ passwords, and it is biting us in the ass.

And why?  Because we’re making policies on passwords instead of imagery.  We’re teaching them passwords are a requirement.

Teach them that passwords are keys.  Would you want a simple key on your Ferrari?  A basic key for your house?  Would you accept a key that most other people have for your bank account?

Teach them then how to protect their keys.  Teach them the dangers of reuse, how attackers can get into different accounts if the password is the same for each.  Teach them complexity, how mathematical permutations are the safeguard against cracking.  Teach them to use password management software, and guide them in picking good solutions.  Use breach notification services.  Stop making them change passwords if they use good practices!  We’re confusing and frustrating, we’re making FUD (fear, uncertainty, and doubt).

And when you make FUD, you fail at security.
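As an added illustration of the permutation argument above (not part of the original post), the Python below sizes the search space an exhaustive guess must cover for a given password and converts it to time at an assumed guess rate.  The 10^9 guesses per second figure and the sample passwords are constructed for the example, not measurements from the report.

```python
import math
import string

# Character classes a password can draw from.  Using a character from a class
# forces a guesser to include the whole class in its alphabet.  Space is
# counted with the symbols so that passphrases are handled (95 printable ASCII).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digits": set(string.digits),               # 10
    "symbols": set(string.punctuation + " "),   # 33
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must consider: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits: log2(alphabet ** length)."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate (assumed, not measured)."""
    return keyspace(password) / guesses_per_second


def compare(passwords: list[str], guesses_per_second: float = 1e9) -> list[tuple[str, float, float]]:
    """Return (password, bits, years-to-exhaust) sorted from weakest to strongest."""
    year = 365 * 24 * 3600
    rows = [(p, entropy_bits(p), seconds_to_exhaust(p, guesses_per_second) / year)
            for p in passwords]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # Constructed samples: a dictionary word, a short "complex" password, a long passphrase.
    for pw, bits, years in compare(["password", "P@ss1", "correct horse battery staple"]):
        print(f"{pw!r:34} {bits:6.1f} bits  {years:.3g} years at 1e9 guesses/s")
```

The length term dominates: a 28-character lowercase passphrase with spaces outranks a 5-character password that mixes all four classes.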

Circles


I used to teach martial arts, and one thing that stood out to me was the importance of circles.  One specific circle was the circle of knowledge, you can kind of see it in the picture.  This is the first stance a student would learn, and it symbolized the circle a student would make from student to teacher then back to student.

Our profession is dynamic.  It is also very difficult to get into.  There’s not a great college degree program, or set of certifications, or clear career path.  You develop skills, get some security certs and education, then hope for the best.  The lucky get in.

Then we look around and wonder why we’re over-tapped and overwhelmed.  We’re undermanned, and don’t have the incoming professionals we need.  

We’re the solution.  We’re cyber warriors.  We can learn something from the martial arts.  

Nothing will teach you something better than to teach it.  We need those new minds, new hands, new warriors on the front lines. No one can teach them better than you.

So here’s the truth in training:  You are not the best teacher in the world, but you are the best teacher to the student who has none.  You can train the next generation, and in turn train yourself.  Embrace the circle.  


Etymology

Free from harm.  That’s what security means these days.  Free from harm.

I secure my car to keep you from stealing it, and consequently my money and livelihood.  I secure my data, cause again my money… my resources… they’re tied to it.  You can’t have them.  Or at least you shouldn’t have them.

Is that really security then?  Is keeping something safe security?  Honestly, one decent car thief could walk away with my vehicle, no matter how many times I press lock to hear it beep.  As for my data?  Pshhh, I’ll do my best, but… At some point I’ll find my accounts on Have I Been Pwned.

So what is security really?  Freedom from harm, well, it can’t be guaranteed.

Looking back at the root of our industry, our word, what does it mean?  The origin, “Securus”, means “Free from care”.  Is it entirely possible our industry is not centered around freedom from harm, but freedom from care?

Are we just provisioning Hakuna Matata?

When you think about risk assessments, mitigations, vulnerability remediation, security insurance, security training…  Are these really about securing us from harm, or about securing us from care BECAUSE we’ve secured ourselves from a specific harm?

Is security the balance of securing ourselves from harm, and our minds from worry?