Security IS Part of the Business

Something I’ve written about a lot lately is how companies don’t have a real “culture of security.” That isn’t just an IT problem; in most companies you see it everywhere: printouts (containing important information) lying around on printers, no widely-available shredders, cabinets not locked, that kind of thing.

We tend to treat security as something we “have to do,” and especially when it comes to IT that attitude derives in part from most companies’ regard of IT in general as “overhead.” Security gets lumped in with sexual harassment training, diversity training, and other stuff we know we have to do, but that we don’t really consider to be a part of the core business. In fact, in most companies, security is something users try to work around, rather than work within, leading to them (for example) using Dropbox to transfer files with outside contacts, instead of using a company-provided, more-secure mechanism.

That’s a shame, because security is, and should be, very much a part of the business. Unless everyone is on board with security, all the time, security doesn’t happen – and that’s when things like Target, Marshall’s, or any of the other recent debacles happen.

So how do you make security a part of the company’s culture? It’s really hard. Maintaining a general sense of security essentially means being on “orange alert” all the time, and humans just aren’t designed to stay that alert all the time. In other words, you probably can’t make your users constantly aware of security. Instead, security has to become an ingrained habit – and building habits often means breaking old ones, and that’s what’s hard about it.

Take a construction site: any worker with any experience just pops on a hardhat, steel-toed shoes, and other personal protective equipment as a matter of habit. New workers have to be trained, usually through outright and continual nagging by their boss and coworkers. But eventually habit kicks in, and they stop thinking about safety and “just do it.”

Or consider folks who know it isn’t safe to drive a car and talk on a cell phone, and who instead develop a habit of walking around with a headset sticking out of their ear. Yeah, they might look like a dropout from Uhura school, but it’s a worthwhile habit that prevents them from doing something stupid or unsafe.

Security has to be built up as a set of habits. Habit-forming can’t happen through company memos, once-a-year classes, or ubiquitous signage. Habits form through personal experience, and only through personal experience. They’re especially tough to form in areas where users work independently, like sending e-mail. One way to start developing good habits is, not surprisingly, through game-playing. For example, if you’re trying to break users of the habit of opening janky email attachments, start sending a few yourself. Make a little “virus” that logs the fact the user opened it… and keep track of users who do, and who do not, open it. Publicly acknowledge those users who do not open the email, and award them points or something; deduct points from users who don’t follow the rules. Get HR involved, and let users redeem points for an extra day off or some other perk.
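The scoring side of that game, as an added example (not code from the original post): it tallies the results of several simulated-attachment campaigns, penalizes opens, rewards resisting, and adds a streak bonus once a user has resisted several campaigns in a row, since the point of the exercise is habit, not a single good day. The point values and the campaign log are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample results from three simulated-attachment campaigns, in
# chronological order: (campaign id, user, did the user open the attachment?).
CAMPAIGN_LOG = [
    ("c1", "alice", False), ("c1", "bob", True),  ("c1", "carol", True),
    ("c2", "alice", False), ("c2", "bob", False), ("c2", "carol", True),
    ("c3", "alice", False), ("c3", "bob", False), ("c3", "carol", False),
]

# Assumed point values; tune these with HR so the perks stay meaningful.
OPEN_PENALTY = -2   # opening a simulated attachment
RESIST_POINTS = 1   # leaving it alone
STREAK_BONUS = 1    # extra point per campaign once a streak is established


def score_campaigns(log, streak_len=3):
    """Return {user: {"points", "streak", "opened"}} for a chronological log.

    A single open resets the streak, so a user only earns the bonus by
    resisting `streak_len` consecutive campaigns: the habit, not a lucky miss.
    """
    users = defaultdict(lambda: {"points": 0, "streak": 0, "opened": 0})
    for _campaign, user, opened in log:
        u = users[user]
        if opened:
            u["points"] += OPEN_PENALTY
            u["opened"] += 1
            u["streak"] = 0
        else:
            u["streak"] += 1
            u["points"] += RESIST_POINTS
            if u["streak"] >= streak_len:
                u["points"] += STREAK_BONUS
    return dict(users)


def leaderboard(scores):
    """Users ordered for public acknowledgment: most points first, ties by name."""
    return sorted(scores, key=lambda u: (-scores[u]["points"], u))


def repeat_openers(scores, threshold=2):
    """Users who opened at least `threshold` attachments: the ones HR should talk to."""
    return sorted(u for u, s in scores.items() if s["opened"] >= threshold)


if __name__ == "__main__":
    scores = score_campaigns(CAMPAIGN_LOG)
    for user in leaderboard(scores):
        print(f"{user:8} points={scores[user]['points']:3} streak={scores[user]['streak']}")
    print("repeat openers:", repeat_openers(scores))
```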

Toys ‘R’ Us used a similar program to help deter shoplifting: cashiers are supposed to open and inspect any container that a customer purchases, like a small box or a lunchbox. The idea is to catch customers who are trying to sneak other merchandise into the container without paying. To enforce the policy, the company would insert a voucher into random containers. Cashiers who found the vouchers would receive a small cash award – enough incentive that everyone wanted to inspect containers. That want quickly became habit for most cashiers. The carrot came with a stick, too: if a customer found the voucher and brought it to the store with their receipt (meaning the cashier hadn’t checked the container), the customer got a prize, and the cashier (identified on the receipt) got disciplined.

Regardless of the political or financial realities at your company (in other words, think “blue sky” here), what might you do to entice users to develop better security habits? It doesn’t matter if you think your organization would use your ideas or not – share in a comment, in case someone else might benefit!

Why XP is “Obsolete” Whether You Like it or Not

I’ve written a bit about the end of XP lately, and several commenters in various venues have called me to task for calling the OS “obsolete.”

It is obsolete. Get over it.

It isn’t obsolete because it no longer serves a purpose. It isn’t obsolete because it’s broken. It isn’t obsolete because I say it is. It’s obsolete because Microsoft says it is.

Now, maybe Microsoft shouldn’t have done that. Maybe they should continue supporting the operating system. Maybe it’s wrong that the software industry drops support for software despite many customers’ wishes. Those are all excellent arguments, and there are a number of productive discussions that I think could be had around them. The way the software industry currently works isn’t optimal for its customers.

But none of that changes the fact that Microsoft has declared XP to be obsolete. They’ve dropped support for it – and that’s important.

And calls for guys like me to “get out in the real world” completely miss the point. “Why should we move off of XP? It still works. You don’t know what the real world is like, it’s difficult to roll out a new operating system.”

I do work in the real world. Yes, I know a lot of companies don’t want to move off of XP. Yes, I know it’s difficult and expensive to roll out new operating systems – although I’d argue it’s less difficult, and less expensive, than in the past. I’d probably argue that being able to roll out client operating systems, service packs, and hot fixes is a core IT competency, and that if you find it challenging, you might not be very good at your job. I might argue that.

But none of that changes the fact that, by dropping support for XP, Microsoft has literally dropped a bomb in your organization. A time bomb.

Again, let’s be clear about something: I’m not defending Microsoft’s action, here. I’m not making a case for what “should be” or what’s Right and Just. I’m trying to make a point about what’s really here, right now, in the real world everyone claims to work in. If you think there’s no problem continuing to run XP, you’ve got your head in the sand. You don’t work in the real world.

And that problem has nothing to do with me drinking flavored soft drinks issued by Redmond. The problem has nothing to do with XP’s ability to function in an organization. The problem is that attackers are now free to unleash exploits in XP that they’ve probably already discovered, knowing that Microsoft will no longer move to patch those vulnerabilities.

The problem is that attacking organizations isn’t just something script kiddies do for fun, any longer. It’s a business. It’s a big business, with a crapload of money on the line. And like any big business, tech attackers can think long-term. They can identify OS vulnerabilities and then sit on them, waiting until they know those vulnerabilities will remain open and un-patched.

That XP-based point of sale system your restaurant uses? Yeah, I know it’s stupid expensive to replace. I used to build those things. I get it. But it’s a time bomb waiting for someone to install malware on it and start skimming customer credit card information. And it’ll never get an OS patch, ever again.

And for the haters, I want to make it perfectly clear that I’m not saying you have to immediately replace all your XP stuff. I know exactly how impractical that is. I do wish people had planned a bit more in advance for this situation, but where we’re at is… well, it’s where we’re at.

But you have to acknowledge that XP is obsolete. “Obsolete” doesn’t mean “you have to get rid of it immediately.” “Obsolete” means “you have to acknowledge that it’s a time bomb, and you have to manage it differently than you used to.” Anti-malware software becomes vastly more important than before. Locking down the local firewall for both incoming and outgoing connections becomes more important. Locking down the software that can run on the machine becomes more important.

My frustration with the “XP situation” – a frustration I’ve tried to express, with only limited success so far – isn’t that people are still running XP. Believe me, I know a lot more about business realities than you might think. My frustration is the folks who think keeping XP is “business as usual.” It isn’t. Those XP machines just became massively attractive targets. The businesses I work with every day have, frankly, terrible security on a good day. Yeah, they talk the security talk, but they don’t walk the walk.

So look… XP is obsolete. It’s obsolete because MS dropped support for it, whether or not that was the right thing for them to do. You can continue running it, obviously, and in many cases you’ll be stuck with it for a long time. Hopefully, you expected that was going to happen – and you’ve planned to put appropriate protections on those machines. Rely on XP still having OS-level exploits that haven’t yet been abused in the wild… and rely on that abuse coming to a network near you. Just plan for it, is all I’m saying. Don’t treat the old OS like you used to – give it a little more bubble wrap. A little more coddling. Get off it when you can, and take extra measures when you can’t.

It’s obsolete, but that doesn’t mean it’s going away. And that makes attackers giggle with delight.