Timeless Spooky Stories
Imagine that you’re sitting around a campfire with your security team. It’s pitch dark, and you can swear that little eyes are glowing at you just past the edge of the firelight. All the marshmallows have been consumed (either by the people or by the flames), the chocolate is gone, and there are spare graham crackers left over (because there always are).
What scary stories would you tell? And are any of them true? Or do we just tell them to one another to get a chill going? What’s the punchline that would make everyone jump and scream?
“The call was coming from INSIDE the SCIF!” is a common joke we’re hearing right now, but there are plenty of people who take it very seriously. Most of the true stories of espionage at that level are ones we’ll never hear, so we have to rely on stories of what could potentially happen. Some of the spooky stories I’ve heard have to do with fitness bands leaking location data near secured areas, or researchers who are able to track cleared employees based on the mobile apps they use in the parking lot during their breaks. Do these result in actual compromises? They make good tales, but those of us in the civilian world won’t know more than that.
Scary True Stories
I have a true story I tell from one of my jobs from many, many years ago. Once upon a time, one of my colleagues took it upon himself to read the instruction manual for the degausser that we used to erase old backup tapes (I told you this was a long time ago). After reading it, he came into my office and said, “I have bad news. The model of degausser that we have doesn’t actually work on tapes.”
Cue violins and screaming. How many tapes had we happily thrown away, sure that the data on them was gone? For how many years? Did that constitute a breach? Did it matter? We had no way of knowing. It’s the unknown that frightens the most.
Just about every CISO you meet has a scary tale to tell, just as everyone you meet probably has a tale about a horrible accident that happened to them or someone they know. The security ghost stories are fun to tell at conferences. But telling them constantly, at length, doesn’t help us have a reasoned conversation with the business about risk. Yes, we see stories in the headlines all the time about the rising impact of security breaches, but they’re still so rare as to be newsworthy. And your management may agree that theoretically, if something like that happened, the impact would be significant — but they won’t agree on the likelihood of that worst-case scenario happening. The biggest disconnect I see between security professionals and their management is their different estimates of probability.
As security professionals, we must always be aware of the dangers of availability bias. If you read about breaches all day, you’ll be convinced that they are more likely to happen than they probably are; if you’re a firefighter running around putting out fires all the time, you’ll think the whole world is on fire. So just because we have more than our fair share of security ghost stories, it doesn’t mean that we should be telling them all at the boardroom table.
Check the Facts
If you have to relay these tales, make sure you’re including facts and analysis, such as:
Do we think this is likely to happen to us?
If so, how would it happen and what form would it take?
Are we capable of detecting (or better yet, preventing) this scenario?
What can we do to reduce the likelihood, or at least the impact? (And what will it cost?)
And if your story sounds too much like, “... Then they saw the TOTP hardware token hanging from the car’s door handle!” then rethink what you’re trying to communicate, and why.
Halloween’s over. Let’s use our stories to inform, not to frighten.