The views expressed by contributors are their own and not the view of The Hill

Our cybersecurity ‘industry best practices’ keep allowing breaches

The fact that the Colonial Pipeline is slowly getting back online and replenishing the gas supply in the Southeastern United States does not diminish the financial loss and sense of vulnerability that citizens from Florida to Virginia faced last week, and still are.

The hacking at Colonial Pipeline is the latest in a series of breaches that have impacted a long-and-growing list of other businesses — all ambushed by some individual or group that managed to hack through cyber security “industry best practices.”

It is only getting worse. Reports surface daily about new incidents involving prominent health care providers, government agencies or retailers hit by hackers — thus releasing millions or billions of pieces of sensitive information all over the dark web.

Guarding over these critical resources, health care providers and government agencies are a veritable army of information security professionals. 

They sport impressive credentials and certifications like Certified Information Systems Security Professional (CISSP) and Certified Information System Auditor (CISA). Many even have academic credentials, including bachelors, master and doctoral degrees in information security. All of them embrace the latest “industry best practices.”

These impressively credentialed professionals are skilled in the art of tedium. They know all about audits. They can absolutely push paper. 

They can painfully examine endless lists of accounts and identify exactly who does, and who does not, need system or service access. They can write impressive 100-page missives justifying a proposed new password policy.

They can argue with developers as to why their job really does need to be more difficult. 

And for when their security fortress breaks down? They can eventually come up with someone to blame. They can explain what the unaware user, whose computer was exploited in a way the user can’t understand, did wrong. They can identify and blame “the vendor” of a piece of equipment for a malfunction. 

So with all of these impressively credentialed experts, we should be getting better at this “information security” business, right? So, what is wrong?

The core problem is that “industry best practices” are not.

Not only are “industry best practices” not “best” practices, but they are also dangerous practices.

“Industry best practices,” for instance, dictate that network administrators should be boxed in administratively. They should not be able to see what is happening on workstations, servers or storage resources. Server administrators, likewise, should be administratively restricted from being able to monitor network information or anything else that is not directly related to one specific niche job function.

These practices limit the opportunity for a technically skilled employee to identify anomalies — a key sign that someone may have breached security and be roaming around preparing to launch the next big cyber attack. 

A network engineer, for instance, does not have the tools or access to investigate the activity occurring on an innocuous sales department workstation at 3 a.m. A server administrator lacks the access to explore why the network throughput seems painfully slow while trying to copy files.

The “good guys” are administratively prevented from having a holistic view of systems, networks, applications, workstations and other resources — when this holistic view is exactly what is needed to prevent cyber attacks.

It seems the only person with a truly holistic view of a corporate network and data resources is the hacker. Unfortunately, hackers tend to not comply with corporate information security policy. 

What can businesses and industries do right now? 

Implement a “one strike and you are out” hiring policy for information security employees. When they fail, do not let it happen twice.

Also, never hire an information security employee who has ever worked for a firm that has had a security incident. Their “industry best practices” did not work for the previous employer, why would they work better for the next victim? These former employees bring disaster. 

As far as “industry best practices,” try going against the grain. Return to the practices that were in place before ransomware, breaches and other information security disasters became commonplace.

Embrace “holistic” approaches to information security.

Instead of impressively credentialed, paper-savvy information security professionals, hire competent technically skilled professionals. Encourage collaboration with other technically skilled professionals and give them the tools and access to protect your firm’s cyber resources.  

Grant network engineers administrative access to the server cluster. Grant developers access such that network or workstation anomalies can be fully investigated. 

The security approaches that existed before “industry best practices” really do work. Ask the next hacker who breaches security.

We can only hope the information security industry will undergo a renaissance. Until we realize that “industry best practices” continue to enable legions of hackers, we are doomed to more disruption. 

Allen Gwinn is a professor of Practice in Information Technology at the Cox School of Business at SMU Dallas. He has well over four decades of experience with systems, networks, data and other cyber resources.

Editor’s note: The author, Professor Gwinn, states that his column included “what is likely to have been the worst wording I have ever used in my life” in the 19th and 20th paragraphs, which suggested that he favored the “willy-nilly firing of a whole staff of people after a security incident. My intent was to hold leadership accountable.” He now states that businesses and industries should “implement a ‘one strike and you are out’ hiring policy for information security leadership whose job it was to secure systems and networks after a major, expensive breach. Rotate leadership and do not let it happen twice. Also, weed out and avoid hiring that former information security leader.”