Security through transparency

April 23, 2019 | Javvad Malik

There are many things within information security that pundits have been claiming are dead, or should be killed by fire. Passwords are usually found at the centre of such debates.

But this isn’t a post about passwords, it’s a post about honesty, and trust. But let’s first take a look at the other side of the coin.

Security through obscurity

From the beginning of time, security through obscurity has been a thing. It’s the misguided belief that as long as people don’t know about a weakness in a system, it won’t be exploited by bad people.

I think it’s about time that we lay ‘security through obscurity’ to rest once and for all. Kill it with fire, nuke it from orbit, drive a stake through its heart, do whatever it takes.

To be clear, I don’t believe it’s the security industry that is largely pushing obscurity as a control, but rather it’s a decision that comes from the business, and sometimes enforced by external factors such as auditors.

What I mean by this is that security isn’t about preventing some bad event from happening, neither is it about ensuring bad people don’t attack you. It’s about minimising the risk of these events - and that’s what needs to be understood and shared.

Where it falls apart

However, much of this good will fall apart, and companies revert to obscurity, denial, or bare-faced lying in a feeble attempt to save face.

For example, a company may prevent passwords from being pasted into its web application. Time and time again we see an exchange on social media which goes a bit like this:

Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.

Company’s social media team: We prevent pasting for security. It’s good security to prevent pasting passwords.

Customer: No, it’s not.

Company social media team: Yes, it is.

Customer: No, it’s not. And now I’m going to mobilise all my followers to say mean things about you.

Company social media team: You’re all wrong. It’s for your own safety.

And this descends into a massive brawl for all, and nothing gets resolved.

Now, maybe the company had good reason to block pasting passwords. Perhaps they were being targeted by a certain attack and this was the easiest way to block it. But simply saying it’s for security doesn’t cut it. Now imagine if the conversation went a bit like this:

Customer: You don’t let me paste my password, which is inconvenient and stops me from using a password manager and a strong password.

Company’s social media team: We feel your pain, and apologise. But we keep getting attacked by x and to prevent it we disabled pasting passwords. It’s not ideal, but we’re working towards y solution.

Yes, I realise you can never truly satisfy angry security people on Twitter, but this kind of honesty can go a long way.

Internally, the issues get even more complex when trying to adopt an open and honest approach. In a story shared by Soldier of Fortran, auditors were reviewing logs for some appliance that used a default account. Every time the account was used, it wrote the username and password to the logs, each as an easy-to-identify log entry. Hundreds of entries a day. So how did they fix it?

They changed the password to ******** and then when the auditors reviewed it they just assumed it was fixed because it looked masked now.

A pretty ingenious way to fix a problem, if the auditor was defined as your problem. From a security perspective the vulnerability still exists.

I get it, when there are so many things to balance, it’s tempting to go down the path of least resistance. A quick fix to get the monkey off your back and allow you to move on with real work.

A little white lie, or a bit of auditor deception, may work, or may indeed be needed occasionally, but the problem really begins once it becomes the norm. What started off as a casual comment can well escalate into a ‘Comical Ali’ style denial that breaches haven’t occurred, and any fraudulent activity is the fault of the customer.

A brave new transparent world

I was speaking to a CISO recently and asked their view about delivering bad news to their superiors. They responded by saying, “The board doesn’t mind bad news; they dislike surprises.”

And that is a sentiment that rings true for most.

So, what am I proposing here? Most of us can probably agree that security through obscurity never did provide the security it promised to begin with.

Does that mean you publish every detail about your systems for everyone to scrutinise? Of course not, that would be impractical.

What I suggest, in this brave new transparent world, is that companies take a risk-based decision on what their security is, and own it. Be bold, be confident. No security setup will ever be foolproof, and therefore, nothing will ever be good enough to pacify the naysayers. However, with the right level of transparency, trust can be gained.

One of the ways this manifests itself is to face any shame one may believe exists. If a criminal threatens to leak the customer list of a company, one should resist the urge to negotiate. Rather, you can take control of the situation by going public with the information, with clear steps as to what the company is planning to do next. This takes away power and control from the criminals.

Several years ago many celebrity iCloud accounts were compromised and personal photos were distributed. Actress Jennifer Lawrence gave the perfect example of taking control of the narrative by stating that the only people who should feel ashamed were the criminals and those sharing her photos.

When Timehop suffered its security breach, it did the opposite of what most companies did. It didn’t send a generic email saying they took security seriously. It published a full and transparent timeline of the incident. What was happening, how many records were breached, the whole nine yards.

It serves as one of the prime examples of how companies should look to adopt disclosure practices in the future.

Because the days of burying secrets are long gone. In today’s day and age, being transparent is what will gain the trust of users regardless of the severity of the incident. And trust will be the dominant currency that will keep companies afloat.

About the Author: Javvad Malik

The man, the myth, the blogger; Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.
