Ransomware Rapidware Edition
Previously posted 2015/01/06
I once noticed an article called “The 5 Stages of Security Grief” in (In)secure over at Help-Net Security. The author based his article on the “5 Stages of Grief” model by Dr. Kübler-Ross, which frames the series of emotional stages experienced when faced with one’s own impending death or that of a loved one. The five stages are denial, anger, bargaining, depression and acceptance. That article prompted me to re-visit a similar, personal exercise that I did some time ago, only my purpose was to group the reactions, attitudes and trends I’d been observing in infosec to see if they fit into some defined stages indicating that we are approaching a point of “adapt or die”. Of course, this is all just a bit of fun conjecture on my part, and the stage mapping below is more or less subjective.
1) Denial: Blissful (or Willful) Ignorance?
Despite early warnings from very smart people about a broken model, it’s business as usual, either from not knowing any better or by choice. There is no reason to consider change yet, unless one really has to. Things aren’t really that bad, right? There might be problems with the model, but customers still need security; the model might be problematic, but it’s still the only game in town. Why not stay the course, rationalize failures, address niche problems with point solutions, blame users, etc., and continue selling and billing, because hey, business is good. These problems aren’t even on the radar of regulators or politicians yet. The C-Suite will support as little as they have to, because security is a cost centre.
2) Anger: Growing Discontent
Reports of breaches indicate emerging cracks in the foundation of the infosec model. Publicized accounts of breaches increase in frequency and volume. More thought leaders chime in on the suspect status quo technology and model. The severity of damage also increases. Victims start to express anger. Breach and privacy lawsuits begin to rise, as do complaints to government and law enforcement. Pressure starts to build. Rumblings, discontent and burn-out from the trenches are on the rise. Confidence that the status quo will work starts to erode. Customers begin to question the value and complexity of current technologies, and the over-promising and under-delivery of their performance.
Denial still abounds. Many in the herd still believe, or want to believe, that more of the same can work (still an easier path than real change). Besides, one can still blame the victims, whether they be dumb users, lazy techies or cheap executives.
3) Bargaining: Calls to do Better
Worries are expressed that the gap between adversarial advantage and defender capability is too wide. Attempts are made to play catch-up with the broken model, adding layers of complexity to slow down the attacker onslaught with speed bumps and other temporary barriers. Efforts start to try and fix the problem, but most early attempts begin by pressing for better basic hygiene and doing the basics better. Some start re-organizing boxes and furniture (re-arranging the deck chairs on the Titanic) in the hope that the reason the model isn’t working is some overlooked detail that will somehow fix itself. Informal bargaining between government, industry and the public increases, with more visible promises to try harder and devote more resources in an attempt to ward off major threats and mitigate risk to “acceptable” levels. The notion that “we can and will do better” is clung to because it’s all there is. Execution just has to get better. However, government bureaucracy won’t grow a sense of urgency very quickly, unless something goes terribly wrong.
General consensus and knowledge of the issues starts to spread among industry players, the customer base, media, the mainstream public, corporate governance levels, government and politicians at an accelerating rate. Lone voices sounding warnings become choirs. Calls go out for supplementary actions such as international law enforcement collaboration, political alliances (internet playground monitors), improvements in attribution, etc. The blame game picks up, expressed by a growing litigious climate as parties try to transfer risk and the cost of damage to others.
Compliance and regulations turn up the heat on end users, vendors and integrators to do better, show proof of security efforts and code reviews, and ramp up the assurance of their offerings. The status quo, with variations on a theme, continues, as there is nothing disruptive to motivate change. Industry frameworks, compliance regimes, etc., usually slow to be adopted in the first place, anchor the status quo and likely resist movement toward possibly disruptive paths of change. Denial in the form of rationalization continues.
4) Depression: Growing Recognition and Admission of Model Failure
Security hits everyone’s radar. The frequency and size of breaches increase for enterprise and government networks. The volume of sensitive data leaked grows rapidly. Depression starts to set in, even though denial and bargaining still prevail. There is a realization that the status quo actually never worked that well. The attacker advantage over defenders is accelerating, and stopgap measures are less effective. Attackers have too many options for attack vectors. Admission spreads from the early alarmists and thought leaders to the rank and file. Attackers continue to up the ante; attacks become more automated and more malicious.
There is increasing recognition and admission that a broken chain of trust, and the omission of actual security engineering from the get-go, has jeopardized the chances of defending. Defensive efforts re-focus on resilience and faster breach detection and incident response, with the goal of containing costs and ensuring business continuity. Post-breach forensic analysis, disaster recovery, cyber insurance and crisis PR begin to become the order of the day.
Privacy violations start to drive consumer interest. Customers voice demands for change, question technology assurance, start to query product assurance and security, and begin to demand control over issues that may impact their environments or lives. The risk of breaches, data leaks and privacy invasion begins to threaten the existence and benefits of online commerce on the internet. Some people may reject the use of certain technologies. Trust in the institutions that society and the economy are built on erodes further. Pressure begins to build on the politicians, bureaucrats and management responsible for protecting the digital assets that make up critical infrastructure, who in turn place more demands on industry.
Offshoots and extensions of the current failed model are suggested, but without any real effort to actually address or fix the root problem in the first place (the lack of scientific and mathematical rigour behind the technology to provide assurance). Diversionary tactics, attempts to reduce windows of exposure, damage mitigation, disaster recovery and public relations become the order of the day. New frameworks are attempted, but with no real push for innovation yet.
5) Acceptance: Embrace New Directions
The status quo seems unable to stop the onslaught of automated, malicious attacks. Every single link in the chain of trust is potentially a target for compromise. The “it only takes one” Achilles heel of the vulnerability-centric model becomes overwhelming. There is finally realization and acceptance of the fact that the threat environment and risk have been under-estimated, and that under-investment in infosec has gone on for years. Despite a remaining struggle to see value in security investment (denial), boards of directors and executives hit panic mode and increase security budgets. Will it be a case of too little, too late, though?
In order for infosec to actually enable business and e-commerce survival, what will be necessary? More of the same? Or will attitudes shift, so that people seek out technology innovations and require verification of product protection performance? Will buyers look for truly innovative and alternative models that might actually address the root problem (security engineering), in order to actually fix things? New models begin to appear, and those disruptive innovations that work are not only welcomed, but embraced with relief.
What do you think?
As I mentioned, this was originally just a personal thought exercise. You might arrange it all differently. Certainly there is quite a bit of conjecture on my part in the last part, because we aren’t quite there yet. So are we racing towards a tipping point? No one really knows. The point was just to take a step back and consider what might happen. In my own mind, I’m really surprised that things have accelerated so rapidly. I believe that we’ve gone from stage 3 to being firmly entrenched in stage 4 already, in only a year.
Failure to embrace stage 5 adequately may lead to a 6th stage: Abandonment, due to the belief that there is no longer any point in trying, as all efforts will prove futile. There is no such thing as privacy or information ownership; everyone can access everything.
Added April 9, 2016: It will be interesting to see where we stand another 6 months to a year further into the ransomware crime epidemic. It’s accelerating so fast that I’ve noticed it getting worse just while I’ve been writing our ransomware series. Hence, I’ve dubbed it rapidware in the byline at the very top. How much bleeding are we going to see with this?