Why there’s a place for creativity in security
09:00 Tuesday, 13 April 2021
UK Cyber Security Council
The late Sir Ken Robinson spoke at TED in 2006, opining that the world’s education systems are stifling children’s ability to be creative. “We are educating people out of their creative capacities”, he said. He argues that “the whole purpose of public education throughout the world is to produce university professors” – that is, education is entirely about the brain and nothing to do with creativity or practicality.
The training we do in the workplace is no different. I wish I had a fiver for every management or leadership course I’ve attended where the instructor was simply expounding one of the many well-documented approaches to management, or using one of the popular tools to analyse your personality or your propensity for leadership.
We do it in job interviews, too. One of the things I hate most is competency-based questioning: all that “describe a time when you had to make a difficult decision” nonsense. All that happens is the candidate (if they have any sense) prepares answers for the common questions – after all, employers are too lazy to make their own up, so most of them Google some questions the night before the interview – and trots out something from the annals of history whose relevance to the job they’re interviewing for is tenuous at best.
Now, in the field of security there’s a lot of stuff you want people to do without being creative – by just doing what you ask, or what the policy says: not sharing their passwords with their colleagues; locking their screens when they leave their desks; challenging people who try to tailgate them through a door. And that’s fine – but without some creativity alongside the unequivocal compliance, our security is doomed.
You know why? Because hackers are creative. Every day, innovative new attacks are invented in an attempt to thwart our security defences. And these are successful because we are not creative in assessing our vulnerabilities and defending our systems. And by not being creative, we’re being reactive rather than proactive.
Let’s take an example. The Cybersecurity Capability Maturity Model, or C2M2, is one of my favourite security maturity measurement tools, and in its Threat and Vulnerability Monitoring (TVM) section it asks you to assess yourself against statements like: “Cybersecurity vulnerability information sources that address all assets important to the function are monitored” and “Identified cybersecurity vulnerabilities are analysed and prioritized (e.g., NIST Common Vulnerability Scoring System could be used for patches; internal guidelines could be used to prioritize other types of vulnerabilities)”. Notice something about this? It’s reactive, and doesn’t have an ounce of creativity in there: it simply says to keep an eye on information sources and watch out for newly discovered vulnerabilities that someone else has found and told the world about. This isn’t a criticism of C2M2, by the way – it’s the approach across most of the security standards and guidelines.
You will never secure yourself against creative people unless you’re creative. Of course, just being a bit creative doesn’t mean you’re going to become impenetrable, but your security will certainly become better as a result of thinking out of the box a bit.
So by all means do the obvious stuff – firewall reviews, keeping an eye on known vulnerabilities, all those standard tasks – because it’s easy and you’re getting value from someone else doing the heavy lifting for you. But then try to think what you’re not doing.
And this could be anything: not knowing about high-privilege logins to storage servers; not monitoring a system for illicit configuration items because you’ve disabled the ability to change them; having LAN-based stuff visible from the internet; or having single points of failure in your resilient WAN links.
You won’t be surprised to know that I’ve found all of the above over the years. The last two were similar in that the company wouldn’t have known without someone saying: “Hey, let’s go look for problems”. Example three was a company that had moved into a managed office: the managed office IT guy gave their printer an IP address which had previously been used by a former tenant’s internet-facing server, and the firewall settings hadn’t been changed to block it. The last one was discovered the hard way, when the power went out and we found that both links in a resilient pair went through a non-UPS-protected circuit in the telco’s network.
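Two of the gaps above (the printer that inherited an internet-facing address because a firewall rule was never retired, and the “resilient” WAN pair that shared one circuit) are exactly the kind of thing a short, proactive check can surface before an outage or an incident does. The script below is an added example, not code from the post or from the UK Cyber Security Council: it cross-references firewall rules against an asset inventory to flag rules that expose a device nobody intends to be internet-facing, and it looks for physical path elements shared between links that are supposed to be independent. The rule, inventory and link formats are assumptions for illustration, and every record in it is constructed sample data.

```python
"""Proactive "what are we not doing?" checks (added example, constructed data).

Check 1: stale firewall rules that now expose an internal device.
Check 2: "resilient" WAN links that share a physical path element.
Record formats are assumptions, not any vendor's export format.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src: str        # CIDR allowed to connect inbound
    dst_ip: str     # internal address the rule forwards to
    dst_port: int


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    internet_facing: bool   # does the owner intend this host to be reachable from the internet?


@dataclass(frozen=True)
class WanLink:
    name: str
    carrier: str
    path: tuple     # physical circuit / exchange identifiers the link traverses (constructed)


# Constructed inventory: 10.0.5.20 was a former tenant's web server and is now a printer.
INVENTORY = [
    Asset("10.0.5.10", "web-01", True),
    Asset("10.0.5.20", "printer-reception", False),
    Asset("10.0.5.30", "nas-01", False),
]

# Constructed rule set: the second rule was never retired when the tenant moved out.
FIREWALL_RULES = [
    FirewallRule("allow-web", "0.0.0.0/0", "10.0.5.10", 443),
    FirewallRule("allow-old-tenant-web", "0.0.0.0/0", "10.0.5.20", 80),
    FirewallRule("allow-vpn-nas", "192.168.100.0/24", "10.0.5.30", 445),
]

# Constructed WAN pair: different carriers, but both traverse the same exchange.
WAN_LINKS = [
    WanLink("primary", "carrier-A", ("site-fibre-1", "exchange-east", "carrier-A-core")),
    WanLink("backup", "carrier-B", ("site-fibre-2", "exchange-east", "carrier-B-core")),
]

PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_is_internet(cidr: str) -> bool:
    """True unless the source CIDR sits entirely inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in PRIVATE_RANGES)


def exposed_internal_assets(rules, inventory):
    """Return (rule name, destination IP, reason) for every internet-sourced rule
    whose destination is unknown to the inventory or not meant to be internet-facing."""
    by_ip = {asset.ip: asset for asset in inventory}
    findings = []
    for rule in rules:
        if not source_is_internet(rule.src):
            continue
        asset = by_ip.get(rule.dst_ip)
        if asset is None:
            findings.append((rule.name, rule.dst_ip, "no inventory entry for destination"))
        elif not asset.internet_facing:
            findings.append((rule.name, rule.dst_ip,
                             f"rule exposes {asset.hostname}, which is not meant to be internet-facing"))
    return findings


def shared_path_elements(links):
    """Map each physical path element that appears in more than one link to the links using it."""
    users = {}
    for link in links:
        for element in set(link.path):
            users.setdefault(element, set()).add(link.name)
    return {element: sorted(names) for element, names in users.items() if len(names) > 1}


if __name__ == "__main__":
    for name, ip, reason in exposed_internal_assets(FIREWALL_RULES, INVENTORY):
        print(f"[firewall] {name} -> {ip}: {reason}")
    for element, names in shared_path_elements(WAN_LINKS).items():
        print(f"[wan] single point of failure: {element} shared by {', '.join(names)}")
```

Run against a real firewall export and CMDB (after adapting the two record formats), the first check would have caught the printer before a scan from outside did, and the second is only as good as the path data the carrier is willing to give you: if the telco's circuit identifiers are not in the inventory, nothing can spot the shared circuit, which is itself a finding.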
Creativity is vital to security, then. Only by being creative, inventive and innovative will we stand any kind of chance of keeping up with at least some of the bad guys. So by all means seek security staff with the right qualifications, but don’t just ask them the same old questions and expect the same old answers. Instead, probe them and try to explore how creative they are.
Because although creativity doesn’t make you invulnerable, it certainly helps you defend yourself better.