The annual Las Vegas security conference DEF CON is a minefield for attendees who blithely log on to the event's Wi-Fi network. The Wall of Sheep team delights in scraping usernames and passwords off the air and posting them publicly (passwords partially masked) on the infamous “Wall of Sheep.”
This is a classic “white hat hacker” approach to the ongoing problem of security. Here is how the Wall of Sheep team describes what they do: “The Wall of Sheep shows what happens when there are eavesdroppers on your network,” says their website.
The Wall is described as “an interactive demonstration of what can happen when network users let their guard down. We passively observe the traffic on a network, looking for evidence of users logging into email, web sites, or other network services without the protection of encryption. Those we find get put on the Wall of Sheep as a good-natured reminder that a malicious person could do the same thing we did...with far less friendly consequences.”
Why do this? As a public service to remind all users what can be accomplished and why it's important. “A potential attacker might maliciously and criminally use your mistakes against you,” says the Wall of Sheep website. “We do the opposite by raising security awareness.”
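To make concrete what “passively observing the traffic” means in practice, here is an added example; it is not the Wall of Sheep team's tooling and not code from the original article. It scans constructed, captured TCP payloads for credentials sent in the clear: HTTP Basic authentication, a login form posted over plain HTTP, and FTP's USER/PASS exchange (POP3 uses the same two commands). A TLS-wrapped flow is skipped because its bytes carry nothing readable, which is the whole point of encryption. Passwords are masked on output, as the Wall does. The flow identifiers, ports and payloads are all constructed for the demonstration; a real tool would feed it reassembled TCP streams from a packet-capture library, which is assumed here rather than shown.

```python
"""Passive credential spotter over captured cleartext flows (illustrative, added example)."""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample flows: (flow_id, server_port, payload bytes). Not real captures.
SAMPLE_FLOWS = [
    ("10.0.0.5:51200->203.0.113.10:80", 80,
     b"GET /inbox HTTP/1.1\r\nHost: mail.example.test\r\n"
     b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    ("10.0.0.7:51201->203.0.113.11:21", 21,
     b"USER bob\r\nPASS letmein\r\nPWD\r\n"),
    ("10.0.0.9:51202->203.0.113.12:80", 80,
     b"POST /login HTTP/1.1\r\nHost: portal.example.test\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
     b"username=carol&password=Tr0ub4dor"),
    # A TLS ClientHello record header (0x16 = handshake, 0x03 0x01 = record version):
    # an eavesdropper sees only this opaque handshake, never the login.
    ("10.0.0.11:51203->203.0.113.13:443", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
]


def mask(secret: str, keep: int = 2) -> str:
    """Show only the first `keep` characters, the way the Wall masks passwords."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def extract_http(payload: str):
    """Pull credentials from an HTTP request: Basic auth header or a form POST body."""
    creds = []
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload, re.M | re.I)
    if m:
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
            creds.append(("http-basic", user, pw))
        except ValueError:  # binascii.Error is a ValueError: malformed base64, ignore
            pass
    head, _, body = payload.partition("\r\n\r\n")
    if body and "application/x-www-form-urlencoded" in head:
        fields = parse_qs(body)
        user = next((fields[k][0] for k in ("username", "user", "login", "email") if k in fields), None)
        pw = next((fields[k][0] for k in ("password", "pass", "passwd") if k in fields), None)
        if user and pw:
            creds.append(("http-form", user, pw))
    return creds


def extract_user_pass(payload: str, proto: str):
    """FTP and POP3 both send 'USER <name>' then 'PASS <secret>' as separate lines."""
    user, creds = None, []
    for line in payload.splitlines():
        verb, _, arg = line.strip().partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS" and user is not None:
            creds.append((proto, user, arg))
            user = None
    return creds


def sniff(flows):
    """Return one record per credential found in the clear; TLS flows yield nothing."""
    hits = []
    for flow_id, port, raw in flows:
        if raw[:2] == b"\x16\x03":
            continue  # TLS record: nothing readable without the session keys
        text = raw.decode("latin-1")  # byte-preserving decode for protocol text
        if port in (80, 8080):
            found = extract_http(text)
        elif port == 21:
            found = extract_user_pass(text, "ftp")
        elif port == 110:
            found = extract_user_pass(text, "pop3")
        else:
            found = []
        for proto, user, pw in found:
            hits.append({"flow": flow_id, "proto": proto, "user": user, "password": mask(pw)})
    return hits


if __name__ == "__main__":
    for hit in sniff(SAMPLE_FLOWS):
        print(f"{hit['flow']:<40} {hit['proto']:<10} {hit['user']:<8} {hit['password']}")
```

Three of the four constructed flows end up on the “wall”; the HTTPS flow does not, because the only thing on the wire is an opaque handshake. That asymmetry, not cleverness on the eavesdropper's part, is the lesson the Wall of Sheep is trying to teach.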
But when organizing collaboration efforts within your company, you can't count on a white hat hacker coming to your rescue. Nor can you dictate that everyone on your collaborating teams secure their mobile devices in Faraday cages.
Handling security properly when organizing inter-departmental collaboration requires an understanding of the different cultures inside your organization, and the realization that communication and diplomacy are key.
Security culture
Whether your business card reads “CISO” or not, organizers of collaboration events must think like a CISO. Clearly, your organization's overriding security policies must be adhered to. But what other protocols should you implement?
Security never exists in a vacuum. Let's assume your organization prioritizes security and already has robust security policies that apply to all employees.
But security culture varies from organization to organization, and within any given company, employees of different departments have different attitudes. Developers, for example, may feel that they have privileged knowledge relating to computer processes and are thus somewhat removed from “the masses.” As with professionals everywhere, they may feel they deserve certain shortcuts denied to the general public.
Before beginning any collaborative exercise, familiarize yourself with your organization's security mandates and spell them out to all participants. Don't assume these policies are understood by everyone: remind all parties of the existing rules and that they will be enforced. Seek advice from your CSO/CISO or the relevant department if necessary.
Thinking like an attacker
Remember that security professionals often examine problems from the attacker's side, an approach outsiders sometimes loosely call “reverse-engineering” (strictly, reverse engineering means taking apart an existing artifact; the formal name for this habit is threat modeling). To understand how to harden a system or process against intrusion, they adopt the viewpoint of someone who wants to compromise it. “If I were a bad guy, how would I break this?” sums it up: identify the weak points, then devise defenses for each.
The problem is that this attitude can breed overconfidence: people who spend their days finding flaws may come to assume they are immune to them. The best remedy is to remind everyone of the existing company-wide security guidelines, in an inclusive and friendly manner. Your security experts are likely wired a bit differently and measure professional success differently as well.
The DevOps squad
Developers typically have different mindsets. Professionally, they value reliability and speed-to-market on their projects. They want to write the best code on the planet and often inhabit a collaborative culture — although it may not appear that way to outsiders.
A clash often occurs when developers (who value speed-to-market) collaborate with security pros (who prefer to test and verify before anything ships). This mismatch causes friction between teams that aren't attuned to each other's work processes.
Mismatched working speeds are sometimes baked into developers' workflows. Once a batch of code is done, it goes off to security for vetting. By the time it has been screened, the dev team is typically deep in the next batch and no longer in the right “headspace” to revisit its earlier work. The longer the gap between writing code and hearing about its flaws, the more it costs to fix them; running automated security checks at commit time, while the context is still fresh, narrows that gap. The alternative is headaches for all concerned.
This highlights the importance of having security policies in place before the work starts. When there is disagreement over a process within a collaboration, treat the existing policies as best practice. If nothing else, they provide a baseline.
Resolving conflicts
Sometimes, mediating between DevOps and security teams can seem like intervening between quarreling siblings. It's never one-size-fits-all and sometimes seems like a thankless task.
But remember that our goal is to smooth differences and get our teams working together to the best of their ability. As the first article in this series outlined, we strive to become diplomats as a means to this end.
Communication and diplomacy are not quick fixes. But they are tools that must be deployed to assist teams in their collaboration efforts.
This article is the ninth in a series on effective collaboration techniques for cybersecurity.
Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics, and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
Image credit: iStockphoto/rudall30