What is the REAL issue with the SANS data breach…
By Ehden Biber
SANS has been breached and everyone seems to be missing the real issue. The real issue with the data breach is not that it occurred but it’s the way SANS acted afterwards, which makes one wonder… where is the awareness?
So OK, SANS has been hacked, and there was a data breach that included Personal Identifiable Information, impacting various data subjects, perhaps also Europeans.
Pretend you’re shocked. I mean, what’s new in the kingdom of cyberspace?
What really worried me was the way the incident has been communicated so far. SANS train its employees, I am sure, but how does it measure them? How many other attacks that failed took place in the last quarter or the last year? How many of them failed due to measurable improvement in the performance of the individual who stop it? What were the individual cybersecurity awareness metrics of the person that has been hacked, and were they providing any indication? If not, why? And what about the security of the system themselves – why did the people who designed the solution which was used (office365) did not prevent it from happening? Could that incident be prevented based on the current score of the Software Assurance Maturity Model that SANS (I hope) following? Was that a deviant of normal security performance of the individual? Was the vulnerability a result of a failed project, and if so, what is the TRUE root cause of the failure? Was there any privacy impact assessment relating to the service that was being used? If it failed to identify the risk, why? What was the quality of the assessment? Did the risk registrars of both the privacy and the security teams identified it? if so, was the risk measured correctly? was it communicated? at what forum? I can really go on and on and on here…
What the incident so far has demonstrated is that even organisations which provide professional services in the domain of cybersecurity awareness are failing to demonstrate that their own models provides a “good fit for understanding, predicting or changing cyber-security behaviour” (Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity”, ENISA, 2018).
Here is a quote that summarises how I feel about the current approaches:
“Here’s the funny part. Imagine a conference where the world’s top experts on human sexuality are convened. One after another these doctors, and specialists in human behavior, and research psychologists, go to the podium to deliver scholarly lectures on the subject of orgasm. As the conference goes on, it might become obvious that none of these experts have actually experienced orgasm themselves: it’s all intellectual. ‘After long years of arduous research and many austerities I can now tell you that I have finally achieved full orgasm. And I can confirm what all the ancient texts have said: that the very essence of orgasm consists of getting red in the face and screaming, after which you become a perfect person and everybody thinks you’re wonderful.’
Huh? But wait: nobody in the audience has experienced orgasm either, so how would they know that the speakers are all hot air? After all, these specialists are presented as the ‘experts,’ and another ‘expert’ has certified their expertness, and they certainly sound impressive, so… they must be right! So everybody asks questions and takes notes. And later they all sign up for the advanced seminar, in which it is promised that they too (for a few hundred dollars) can learn the disciplines necessary to get red in the face and scream; at which time they will enter the ranks of those who have been certified as having attained full orgasm and become perfect wonderful people.
Of the thousands in attendance at the conference, there are just two people in the back of the hall, with absolutely no scholarly qualifications at all, but with a different kind of knowing; who look at each other, laugh, and walk out.”
From “Perfect Brilliant Stillness”, David Carse, 2006
Or, as I’ve written in 2015:
“What most of us are doing is measuring the surface of awareness, the signals, rather than investigating the real nature of awareness. Our measuring attempts are similar to the way Franz Joseph Gall, who invented phrenology did in the 19th century while trying to solve the mystery of the mind. First named “cranioscopy” by Gall, and later changed to “phrenology” by his followers, this method was supposed to allow the scientist who used it a way of understanding the state of mind by measuring the scalp. Driven from Greek words phrēn (“mind”) and logos (“knowledge”), Phrenology claimed that certain brain areas have localized, specific functions or modules and thus by measuring the scalp one can have an understanding of the performance of the brain and the mind…What we do isn’t measuring awareness at all.”
The good news (at least for me) is that it opens up a space for new ways of approaching this problem. More on that in … my upcoming dissertation. Stay tuned… 😊
Till the next now,
Ehden Biber
© All rights reserved 2020
