TGIF (Thank Goodness, It’s Friday)! Yes, I altered the ‘G’ to be politically correct, but being politically correct has little room in cybersecurity. Breaches and incidents are rather binary and being politically correct about how much data has been lost, the number of passwords stolen, or even that the attack used a known vulnerability has little room when triaging a situation. It happened, or it didn’t. There is very little room for tact when stating a fact.
Unfortunately, our choice of words can have an impact, and there are several words we should always avoid as cybersecurity professionals. These words are not necessarily politically incorrect, but their context can definitely make things worse when dealing with a situation. Here are my personal favorites:
- 100% protected – There is no such thing. A hacker will find a way around any defense, and to be in denial that an attack cannot occur is naïve, ignorant, and irresponsible. You are never 100% protected.
- Future proof – This marketing term is totally over used and has spilled over to security professionals now too. Nothing is future proof. It is only good for the foreseeable future.
- No competitors – Every vendor has a competitor. When choosing a cybersecurity solution make sure you look at all the competitors and challenge any claim that they are the only ones that can solve your problem.
- Air gapped – Some devices, data, and resources should never have direct (or even proxied) Internet access. Explaining the problem due to the lack of security controls that prevent Internet access will only get you in more trouble. While Internet access is generically perfectly acceptable, explaining it as a part of a breach or incident can be problematic. Some things must be 100% air gapped even though we could argue, nothing is 100%.
- No access control – The lack of segmentation, firewalls, and unrestricted lateral movement can be a deciding factor when a security incident turns into a breach. Blocking a threat from navigating around your network is just as critical as stopping it in the first place. If you have no access controls, no network zones, and allow unrestricted network communication, you might want to avoid explaining a situation without these basic tenants in place. After all, a flat network is a vulnerable network.
- Bad passwords – If describing a breach correlates to the cause of using the “same password”, you might as well forget about ethics and begin revisiting why you have a security policy and security team in the first place. Passwords should never be reused anywhere, and if a password was compromised dig deep as to why.
Therefore, for Cybersecurity Awareness Month, let us improve our communications too. As we strive for better hygiene, let us avoid the terms that make the situation worse for everyone. They are not obscene, not offensive, but definitely do not help our cause in remaining secure and keeping threat actors at bay. Precision in communication, user behavior, and reporting vulnerabilities will help you avoid these terms that plague our industry with negative opinions and poor solutions.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.