Four Enterprise Security Lessons From Maury

Published: 22/11/2024 | Category: security




Popular daytime TV show Maury offers some surprisingly apt lessons for enterprise IT leaders for keeping their data protected and their networks secure.



Who would have thought that daytime TV and enterprise IT security have so much in common?

I confess that I've picked up a guilty pleasure: watching Maury -- the 20-year-old daytime talk show hosted by former A Current Affair anchor Maury Povich. The show is notorious for generally sticking to paternity tests and infidelity-related polygraphs -- deadbeats and deceivers. And I find it compelling for one simple reason: At the end of almost every Maury segment, there is a clear, binary resolution. "You ARE the father" or "You ARE NOT the father." "That was a lie" or "You are telling the truth."

Recently, as I was catching up on episodes of Maury during a lazy weekend, I had a stunning revelation -- about how I could make my cable and DVR costs completely tax-deductible.

Er, more specifically: I realized that, every day, Maury's guests get in trouble and wind up on his show by doing the same things that get enterprise IT organizations in trouble with hackers and regulators. Just as Maury guests find themselves on TV for making the same ridiculous and outrageous mistakes over and over, so too do IT and security leaders at major enterprises.
[Image: Learn from the best... (Source: Twitter/The Maury Show)]
For a data-protection geek like me, Maury is chock full of data-stewardship lessons if you pay attention to the patterns. Below are four of the most exemplary -- and most common -- problems that routinely crop up for IT organizations and Maury guests alike:
Practice good data-storage hygiene

Maury guests suspected of infidelity are often first suspected because of evidence they've left lying around. Sometimes, it's physical: a condom, a set of underwear, a telltale beauty product. Other times, it's digital: everything from a revealing picture on Instagram to an incriminating text message.

Major enterprises are similarly careless in how they leave their data lying around. In 2013, Adobe presented a textbook case of this by leaving extra copies of data they didn't need lying around on a poorly secured backup system set to be decommissioned -- but not before it was breached. Adobe's data hygiene was so bad that they initially grossly underestimated the number of compromised user accounts; meanwhile, companies like Anthem, Yahoo, and Equifax have found themselves in similar situations recently. (See: My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.) Moreover, as InfoSec experts and government agencies alike have pointed out, data that isn't retained (i.e., because it is not needed) can't be compromised.

To wit, IT organizations not keeping track of, managing, and restricting all the places their data lives and how it is handled throughout the secure development lifecycle (SDLC) are just as foolish as a Maury guest who leaves his mistress's lingerie in the backseat of his SUV. The lesson: Keep track of what you store where, and for how long.

Of course, if some of Maury's guests were exercising best practices when it comes to what they put where, they wouldn't be cheaters to begin with -- but I digress.
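To make the "what, where, and for how long" lesson concrete, here is an added example (not code from the original column) that walks a constructed inventory of data copies and flags the three failure modes the Adobe case illustrates: copies nobody is tracking, copies kept past their retention period, and copies sitting on a system awaiting decommission. The inventory format and system names are assumptions for illustration.

```python
"""Data-hygiene inventory check: know what you store where, and for how long.

Added example for this column; the inventory schema and names are constructed.
A real check would read a CMDB or data-catalogue export instead of INVENTORY.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Copy:
    dataset: str            # logical dataset, e.g. "customer_accounts"
    system: str             # where this particular copy physically lives
    created: date           # when the copy was made
    retention_days: int     # how long the owning policy allows it to be kept
    decommissioning: bool   # host scheduled for shutdown (Adobe's old backup host)
    tracked: bool           # does the data owner's register know this copy exists?


def hygiene_findings(copies, today):
    """Return (dataset, system, reason) tuples for every copy that breaks the lesson."""
    findings = []
    for c in copies:
        age = (today - c.created).days
        if not c.tracked:
            findings.append((c.dataset, c.system, "untracked copy"))
        if age > c.retention_days:
            over = age - c.retention_days
            findings.append((c.dataset, c.system, f"past retention by {over} days"))
        if c.decommissioning:
            findings.append((c.dataset, c.system, "copy on system awaiting decommission"))
    return findings


# Constructed sample inventory: one healthy copy, one forgotten backup, one stale export.
INVENTORY = [
    Copy("customer_accounts", "prod-db-01", date(2017, 6, 1), 3650, False, True),
    Copy("customer_accounts", "backup-legacy-07", date(2015, 2, 10), 365, True, False),
    Copy("payment_tokens", "analytics-s3", date(2017, 1, 15), 90, False, True),
]

if __name__ == "__main__":
    for finding in hygiene_findings(INVENTORY, date(2017, 12, 1)):
        print(*finding, sep=" | ")
```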
Use intelligent solutions to detect malicious activity

The use of honeypots is not restricted to IT security. Consider the astounding frequency with which male lie-detector show guests on Maury are taken in by them. The mark, accused by his wife or girlfriend of infidelity, waits in the Maury green room for a polygraph or pre-show interview or whatnot -- where a young, attractive woman in a revealing outfit is similarly waiting to speak to a Maury staffer.

The two get to talking -- and, eventually, kissing (and, in some cases, more).

The following day, the mark goes on Maury -- pleading his innocence and fidelity. At this point, Maury's producers play the video of the mark in flagrante delicto with what was actually a Sexy Decoy. His unauthorized network activity has been caught. Honeypots work.

Yet that's not the only network-security lesson here. It would not have taken a lot of intelligence to figure out that these are not the kind of data assets to which the user should have had administrative access in the first place. A comparison with typical network activity ("Do young, attractive, libertine women I've just met often throw themselves at me?") would have revealed to these dupes that deception was afoot. And, indeed, numerous machine-learning and deep-learning enterprise network-security tools are available to analyze employee and other user activity -- distinguishing between normal and abnormal data access and network-traffic patterns, and finding malicious, compromised, and sometimes simply careless users. These simple comparison checks are all that is needed to save yourself from saying, "I should have known."
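The "comparison with typical activity" check above is simple enough to show in a few lines. This is an added example, not code from the original column: it learns each user's own baseline of (asset, action) pairs from a window of constructed access-log lines, then flags later events that touch an asset the user has never used or perform an administrative action the user has never performed. The log format, user names and asset names are assumptions for illustration.

```python
"""Baseline comparison: flag user data access that departs from that user's own history.

Added example for this column; log format, users and assets are constructed.
In practice the two line lists would come from a SIEM or access-log export.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> user=<id> asset=<name> action=<read|write|admin>"
LINE = re.compile(r"^\S+ user=(\S+) asset=(\S+) action=(\S+)$")


def parse(lines):
    """Yield (user, asset, action) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groups()


def build_baseline(history_lines):
    """Per-user set of (asset, action) pairs observed during the learning window."""
    baseline = defaultdict(set)
    for user, asset, action in parse(history_lines):
        baseline[user].add((asset, action))
    return baseline


def find_anomalies(baseline, new_lines):
    """Return (user, asset, action, reason) for events that break the user's own pattern."""
    anomalies = []
    for user, asset, action in parse(new_lines):
        seen = baseline.get(user, set())           # unknown user -> everything is new
        known_assets = {a for a, _ in seen}
        if action == "admin" and (asset, "admin") not in seen:
            anomalies.append((user, asset, action, "admin action never seen for this user"))
        elif asset not in known_assets:
            anomalies.append((user, asset, action, "asset outside user's baseline"))
    return anomalies


# Constructed sample data: a learning window of normal access, then one day of new events.
HISTORY = [
    "2017-12-01T09:00 user=alice asset=crm_db action=read",
    "2017-12-01T09:05 user=alice asset=crm_db action=write",
    "2017-12-02T10:00 user=bob asset=payroll_share action=read",
    "2017-12-03T11:00 user=bob asset=payroll_share action=admin",
]
TODAY = [
    "2017-12-08T09:01 user=alice asset=crm_db action=read",         # normal for alice
    "2017-12-08T02:13 user=alice asset=payroll_share action=read",  # asset alice never touched
    "2017-12-08T02:20 user=bob asset=hr_backup action=admin",       # admin on an unfamiliar asset
    "2017-12-08T02:25 user=bob asset=payroll_share action=admin",   # normal for bob
]

if __name__ == "__main__":
    for event in find_anomalies(build_baseline(HISTORY), TODAY):
        print(*event, sep=" | ")
```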
Don't take their word for it

One of the rules of thumb about Maury is that, when a mother offers a percentage of how certain she is that a given man is the father of her child, that number is inversely proportional to the actual probability that the man is the father.

"I am 100% sure."
"I am 110% sure."
"I am 365% sure." (Really.)
"I am 1,000% sure."
"I am 5,000% sure."
"I am 10,000% sure."
"I am 1,000,000% sure."

To be sure, there are exceptions that prove the rule, but in general, this phenomenon is a reminder of a Cold War-era lesson: Trust, but verify.

As I've previously noted here at Security Now, it is no secret that vendors may give assurances that they are adequately secure when, in fact, they are not -- and that this can be true of even cybersecurity vendors. (See CFOs: Cybersecurity Is About Risk, Not Vendors.) Previous IT administrators and even current colleagues should likewise have their work double-checked for security and consistency.

Don't just take their word for it without question. Otherwise, like many a Maury guest, you risk winding up looking like a sucker.
End willful ignorance

Of course, this kind of certainty is often born -- pun unintended -- of wishful thinking. On many a Maury, despite oodles of compellingly exculpatory evidence to the contrary (including, in at least one case, a child having a rare genetic disorder for which neither mother nor putative father was a carrier), a mother will insist that a particular man is the father of her baby -- only to run backstage screaming and crying after Maury reads DNA results to the contrary, unwilling to accept this most definitive of indicators that she has fought so hard to ignore.

A lot of IT organizations are the same way; enterprise executives may similarly wish for the unlikely best-case scenario, ignoring and denying all evidence to the contrary, when it comes to information-security and data-protection matters. Chris Richter, senior vice president of Global Managed Security Services at CenturyLink (and formerly at Level 3 Communications), tells Security Now that, because it sees traffic crossing approximately 75% of global IPv4 address space, CenturyLink is able to detect malicious activity occurring in enterprises before they know of it themselves -- and they are not always grateful when given a heads-up.

"We've called up companies, thinking [that] we're being good network citizens and good stewards of the Internet, saying, 'Hey, you're hosting a major botnet inside of your organization,'" Richter related to me in an interview. "And this has actually happened: They'll say to our security team, 'Thank you for the phone call. Thank you for letting us know. Don't ever call us again.' And you, as a lawyer, know why."

Indeed, knowledge of a breach may instantly trigger breach-notification duties and other liabilities -- duties and liabilities that Uber apparently tried to avoid when it reportedly covered up a major data breach in 2016. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.) But the kind of willfully ignorant, see-no-evil approach to cybersecurity and data-protection compliance that Richter has so often seen is like assuring passengers of the Titanic that everything is fine. It's not fine, and enterprise IT must face the music when things go sour.

As an old saying goes, "Every large problem started as a small problem." Don't make it worse.
—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
