Frameworks fade but security is eternal – Design Monday

Frameworks fade but security is eternal. Said with apologies to Yves Saint Laurent.

Yves Saint Laurent was a dominant force in fashion from the 1960s through to end of the century. His strengths stemmed from three areas. First, seeing the underlying fundamentals and being able to re-envision them across genders, across times, and across trends. Second, the ability to cross artforms for inspiration, most notably with Piet Mondrian and geometrical shapes. Finally, the ability to reformulate high fashion at couture for mass production. Yves Saint Laurent was the first to open a ready-to-wear line in Paris. He was a designer who mastered how to take the pieces apart and put them back together for new tastes and new markets. It Yves Saint Laurent who once famously said, “fashion fades but style is eternal.”

Last week, we looked at how the adoption of a control — doing something right but rare — has surprising stopping power against common attacks. But the fast-changing early adoption must be balanced with slow-changing fundamentals.

CyberSecurity can be a bit too much like fashion. Every major event, there’s a new trend. The media buzz will say that new threats appear every day. The buzz is that our ways of defending become dated and ineffective as quickly as they’re implemented. New frameworks cry out that the old ways were wrong.

This last bit is particularly on my mind in 2020. A new version of the CIS Critical Security Controls came out late last year. NIST is releasing a new version of its standard for security and privacy controls (NIST SP 500-53B). And the new PCI DSS (Data Security Standard) for credit card security is due any time now. Each framework will be accompanied by a wave of press on how everything has changed. The last version is so last season, and simply won’t do.

But is it? Is it really?

Like style, fundamentals in security remain the same even while the specifics evolve. We need to know our people and our technology. We need visibility into what’s happening and what’s changing. We need to think in terms of lifecycles and act in terms of incidents. We need to make sure the essential habits which result in defensible positions are done regularly. Finally, we need to understand the adversary’s objectives and tactics. From mainframes to data centers to cloud infrastructures to tomorrow, the fundamentals hold true.

A security architecture is comprised of a series of building blocks. Some building blocks should be innovative and ahead of our peers. Most building blocks should do the fundamentals and broadly cover the frameworks.

Do the fundamentals well. Do them consistently. Do them with style.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

The first computer screen font predated the personal computer by a decade.

The tech wasn’t about to cooperate. For those who weren’t around during the CRT (Cathode-ray tube) screen days, here’s the thing. CRTs, in the sixties, refreshed slowly, updated even slower, couldn’t draw curves, and could barely draw a pixel. Any sane person would stay away from them.

Enter Wim Crouwel. Crouwel saw the possibility of CRTs and glimpsed the future of computers. By accepting the CRTs limitations as creative constraints, Crouwel redesigned the alphabet with straight quick lines. The resulting font, New Alphabet, displayed clearly on the limited screens. Crouwel released New Alphabet in 1967. It was innovative. It was unreadable. But it made a statement. New Alphabet informed the designers of the personal computers. It took a decade. But when the Apple II, Commodore PET, and TRS-80 hit in 1977, each computer featured a CRT screen and a fully readable font. The possibility Crouwel saw had come true.

With all the talk about cyber security constantly changing, we’re surprising slow at adopting new and innovative controls. We give the same excuses Wim Crouwel would have heard from his peers: the technology isn’t ready, it’s too hard, it’s too new. I recall running into this when deploying firewalls in the early 2000s. An excellent control was egress filtering. Most thought about firewalls protecting traffic coming in. But by looking at traffic going out, we could stop malware and attackers from calling home. Most engineers didn’t want to do this because it was too hard. We did. And until most defenders adopted egress filtering, attackers didn’t bother working around it, so the simple control caught many a bad guy.

Early adoption of a control — doing something right but rare — is super effective against casual attackers and commodity attacks. It may be easily bypassed by advanced attackers or sophisticated tools, but the majority of the time organizations face more common threats. The control continues to be effective until many have adopted it. Consider:

Example 1) Mac OS X computers were more secure on the Intel platform from Windows when released in 2006. Macs had 8% of the market share by 2014 and little malware. By 2019, the share of the desktop market running Macs climbed to 17%. That same year, Windows had 5.8 malware detections per computer per year. Macs had nearly double, 11 malware detections per computer. Macs had great stopping power for thirteen years.

Example 2) Windows 10’s market share reached 25% by 2017. Windows 10 had a feature that auto-played image files like ISO. This was a great new feature for phishers because most spam filters blocked executables like EXE. In May 2017, criminals started repackaging their malicious EXEs in ISO files and sending them on through. Sure, some organizations were filtering ISOs. But most weren’t, at least, until 2019. When spam filters finally caught up, April 2019, criminals simply switched from ISO to IMG image files. But for nearly two years, a simple ISO filter had stopping power.

Example 3) One last example that’s near to my heart. When Microsoft Office 365 email launched in 2011, the early adopters quickly rolled out multi-factor authentication (MFA). Attacks reusing stolen credentials were easily blocked, stopping phishing for passwords. By 2019, MFA adoption on Office 365 email exceeded 20%. The criminals began to switch from trying to steal passwords to trying to steal the authentication tokens, thereby bypassing MFA altogether. Eight years. While MFA still has stopping power, the threats are beginning to adapt.

Wim Crouwel was a decade ahead of his time and his font never saw wide adoption. Though it did have a resurgence in popular culture in 1988, when Peter Saville and Brett Wickens used New Alphabet for Joy Division’s Substance album cover. Wide adoption wasn’t the point. Showing others the possibility of the new medium was, and at that, Crouwel succeeded.

When designing and implementing cyber security controls, Crouwel is an inspiration. The tech will not cooperate. The result won’t look normal. But doing something right but rare, adopting a security control ahead of the pack, has demonstrated stopping power. Because it’s right, it stops the common attacks. Because it’s rare, criminals aren’t incentivized to work around it. The early adopter strategy can give our organizations and advantage that lasts years.

Being ahead of the adoption curve is being ahead of the criminals.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

IDEO has been at the center of many fundamental designs in computing history. This includes the simple and ubiquitous mouse.

Thought it was Apple? Think again. Steve Jobs came to a firm called Hovey-Kelley in the late seventies, a firm which would become IDEO in 1991. Jobs had a problem. The only other computer mouse in existence cost 16 times what people could afford. The mouse also broke frequently and was, well, ugly. None of this would work for the Lisa and Mac.

David Kelly (of David Kelley Design, Hovey-Kelley, and later one of three founders of IDEO) assembled a team. Douglas Dayton worked on the frame. Jim Yurchenco was responsible for the mechanical design. Bill Dresselhaus, with his love of Art Deco, handled the packaging. The technology of the day was finicky and “required such precision that it probably couldn’t be mass-produced.” There were practical debates about the sound of the click, or the number of buttons. Each change required every other part to be redesigned to fit in the tiny space. But even in those early days, the firm that would become IDEO had a secret weapon.

Design thinking. IDEO refined it and popularized it. Design thinking is a way of problem solving and developing solutions that’s a departure from how we in IT have long done things. Consider the following five points of design thinking:

1. Empathize – think about people who we’re serving (empathy is the heartbeat)
2. Define – think about the main problem we’re trying to solve
3. Ideate – brainstorm, mindmap, whiteboard, play
4. Prototype – build a possible solution
5. Test – sit down with the people and have them test the prototype

Now compare the design thinking steps to ITIL service design:

1. Service solution – think about requirements, deadlines, costs, budgets
2. Information systems and tools – think about the service portfolio, configuration management, capacity, and security
3. Technology and architecture – think about designs, plans, and processes to align IT policy and strategy
4. Design processes – think about the process model for operation and improvement
5. Measures and metrics – think about what we’ll measure to ensure the service is working

Notice what’s missing? People. I mean, ITIL practitioners will reply, “no, no, no. We have the 4P’s: Product, People, Process, and Partner.” Fair enough. But compare the two lists. People are not the focus. And to anyone who has been in the workforce as an enterprise end-user? It shows. We can feel it. Because people designing IT and IT security don’t think much about the people who’ll use it, the people who use it don’t think much about what we’ve designed.

Case in point: credentials. Research shows that people with more technical knowledge don’t take more steps to protect their data than people with basic knowledge (User Mental Models of the Internet and Implications for Privacy and Security). Most people know they should use separate passwords for every app (91%). But most people use the same password anyways (66%). Most people know they should use MFA. But most people don’t (66%). The problem isn’t one of awareness. (Source: LastPass and Security Ledger.) In not considering how regular people use and secure technology, we’ve created a situation where people simply opt out.

Enterprise IT is a like the original mice. Xerox, the mouse Apple copied, cost $400 or $1200 in 2020 US dollars. Doug Engelbart’s, the mouse Xerox copied, required a training course that took 6-months to master the damned thing. That’s ITIL thinking. That’s the type of technology people will be aware of, but not take steps to use.

Design thinking, the focus on people and rapid prototyping, led to a mechanical mouse setup which would dominate mice designs for the next twenty years. The original Apple mouse was $25. (Adjusted for inflation, that’s $79, which is coincidentally the price Apple charges for the optical Magic Mouse in 2020.) A child could pick up the mouse and immediately use it. Most of my generation learned in grade school. It just worked, worked well, and worked at a fraction of the cost.

In my office hangs Five Phases of Design Thinking by Maisey Design. It’s a reminder. When working on security services and specific controls, keep the focus on people.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

CyberSecurity design weekly recap for June 22-27.

This week: Peter Saville and the New Order’s Blue Monday cover. A pervasive thought in CyberSecurity is that people don’t implement controls because they’re not knowledgeable. More information means better security. The entire discipline of security awareness is based on this idea. But is this correct? I mean, Peter Saville didn’t need to listen to the music to design brilliant covers. Principle: Don’t listen to all the music.

Previously: Dieter Rams and his design principles. Be principled. Develop a small set of architectural principles to guide the technical design. Live with them. Argue them. Disagree and commit. Apply and iterate them. But be principled.

One thing more: I’ve mentioned I have Dieter Rams principles hanging in my office. The Maisey Design Shop produced the piece, which is available as a poster from Etsy or as a boxed canvas from iCanvas. It’s too late for father’s day. But, come on! There’s always a holiday coming up. Check them out.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Peter Saville never listened to the music before designing the album cover. The Joy Division’s Unknown Pleasures cover with the pulsar. New Order’s Blue Monday and the iconic floppy disk cover. Saville designed without all the information and this always bothered me.

A pervasive thought in CyberSecurity is that people don’t implement controls because they’re not knowledgeable. More information means better security. The entire discipline of security awareness is based on this idea. But is this correct? Some studies suggest otherwise. Take User Mental Models of the Internet and Implications for Privacy and Security, for example. Researchers found that people with technical in-depth knowledge of the Internet didn’t actually take any more steps to protecting their information than non-technical people.

Our capacity is finite. We can hold three ideas in our mind. We can remember seven digits in a sequence. We can maintain a hundred-fifty relationships with people. Our semantic memory can only hold so many facts. The question is how we use that capacity. The goal is to fill our lives with right ideas, the right facts, the right people. In other words, the right amount to take action.

Back to Peter Saville. Saville knew art. He knew symbols, shape, and color. He didn’t know what a floppy disk was before hanging out with New Order’s band. He certainly did not know binary. (His code was a base-10 system.) He put it this way: “I understood the floppy disk contained coded information and I wanted to impart the title in a coded form, to simulate binary code in a way-therefore converted the alphabet into a code using colours.” The resulting cover was the striking floppy disk with the color-coded wheel. In the end, Saville knew exactly what he needed to know to do what he needed to do. Blue Monday became one of the most recognizable covers in the late twentieth century.

When designing the specific security controls, the trick is to be Peter Saville. On the one end of the spectrum are those who don’t understand the technology enough to take action. Picture the clueless boss stereotype. On the other end are those who understand it too much and get too deep into the implementation. Consider a firewall engineer who moved into security and now spends way too much time on network security, at the expense of the rest of the security program.

Determine how much information you need to take steps towards implementing security controls. The CyberSecurity architect sets the requirements. The IT subject matter expert implements technology to meet the requirement. Know enough, yes. But don’t waste time listening to the music.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

CyberSecurity design weekly recap for June 15-20.

This week: Kenji Kawakami and the Japanese art of Chindōgu. From shoe umbrellas to chopsticks with cooling fans, the playful anarchy unlocks our creativity. Toss aside the checklists. Have fun with the controls. Forget being productive for a moment. Forget being useful. Join the un-useless revolution. Principle: Take controls from useless to un-useless to useful.

Previously: Bart Sights and Levi denim jeans. When planning the implementation and ongoing operations, consider how the technology can develop a patina. Think of it like denim jeans, where every day, every wear, the jeans and security becomes better molded to you. Principle: Plan to wear in, not wear out.

One thing more: Check out The World According to Jeff Goldblum on Disney. Generally, it’ll inspire you. Specifically, episode 104 is on Denim and Goldblum visits Bart Sights Eureka Labs.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Kenji Kawakami started a useless revolution. Or perhaps better said, an un-useless revolution.

The art of Chindōgu, which Kenji Kawakami invented, is the art of creative problem solving. There are principles, of course. (Aren’t there always?) Chindōgu address real problems, like the shoe umbrellas keeping the top of our shoes dry. They aren’t useless. Unlike Rube Goldberg machines, Chindōgu emphasize simplicity and practicality. You must actually build a Chindōgu design for it to be considered a Chindōgu. Oh yes, Kawakami built chopsticks with a cooling fan. “There must be the spirit of anarchy,” goes one principle, and the resulting design makes people laugh by “finding an elaborate or unconventional solution to a problem.”

CyberSecurity needs a spirit of anarchy. Security needs a spirit of play. The reason many of us got into this line of work? It was fun. Perhaps security needs Chindōgu.

There’s no place in more need of the Chindōgu spirit than control selection. We have pages upon pages of standards. We have checklists with best practices. The audit and compliance team handed over a list of regulatory requirements. Forget all that. Get together over a whiteboard and start brainstorming. How can the team meet the most controls with the least effort? What’s a fun way to do some of the controls? Remember, not useless. Un-useless.

Once I led a workshop such as this. We ended up with a game of Mousetrap implemented with a series of Python scripts. As the adversary followed their attack path, like a marble rolling down the track, a series of humorous actions befell them. We had a blast.

The book 101 Un-Useless Japanese Inventions includes a telescoping hand for taking photos. Here’s the problem. A Chindōgu is a tool that a person could use, while paradoxically, a Chindōgu is a tool that no one would actually use. But the telescoping hand, or as it is known today, the selfie stick, took off. The stick graduated from Chindōgu to being useful, a must-have for tourists. Our Mousetrap scripts met a similar fate, serving as the inspiration and starting point for an Endpoint Detection and Response (EDR) platform.

Bringing back the playful anarchy unlocks our creativity. Toss aside the checklists. Have fun with the controls. Forget being productive for a moment. Forget being useful. Join the un-useless revolution. You’ll be surprised at where the security controls end up.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Security design weekly recap for June 8-13.

This week: Paul Hekkert and the Unified Model of Aesthetics. \When work looks like work, work gets done. But there’s a problem. The best way to keep things familiar is to keep things the same. Yet we design security capabilities to push things forward. Principle: Balance familiarity with novelty.

Previously: Doug Dietz and the GE Healthcare MRI for children. We don’t talk to kids about the MRI. We talk to them about the jungle experience. We don’t talk to end-users about passwordless. We talk to them about a more enjoyable work experience. Good design begins with empathy. Principle: Empathy is the Heartbeat.

One thing more: You can watch Doug Dietz on the TED stage talking about empathy. Transforming healthcare for children and their families: Doug Dietz at TEDxSanJoseCA 2012

When work looks like work, work gets done. The concept is a cornerstone for my security philosophy. You want buy-in and adoption? Maximize specificity and familiarity.

But there’s a problem. The best way to keep things familiar is to keep things the same. Yet we design security capabilities to push things forward. When we push too far forward, when we push too hard, we lose people. Best case, we get low adoption. Worst case, we get outright revolt. So, on one end of the spectrum, we have comfortable stagnation. On the other end, uncomfortable transformation. How do we strike a balance?

Paul Hekkert offers guidance. Hekkert has been working on the Unified Model of Aesthetics. The research starts with a very simple question: why do we like things? Hekkert’s team has found that it comes down to acting on similar but opposing ideas: unity versus variety, connectedness versus autonomy, typicality versus novelty. The last pair addresses our problem as security designers.

“People find those products the most beautiful that are the most sophisticated but at the same time comprehensible and familiar. That is the boundary that designers need to work with. It’s a fine line that varies between users,” Hekkert explained to TU Delft. “It does not mean that everyone has a different idea about what is beautiful. In very many respects, we agree on what is beautiful or new, particularly if we share a similar background, come from the same culture, or have had similar experiences. A principle such as this can help us understand why and when people find the same things beautiful or, in contrast, differ in taste.”

Balancing familiarity with novelty brings joy. Previously, we talked about leveraging the metaphor to bring understanding. In both cases, the underlying idea is calibrating the pace of change to the end-user’s sensibilities. For example, rolling out a new IAM/IGA tool for managers to review and certify access (Identity Access Management / Identity Governance and Administration). If people are already doing access reviews, the novelty of an easier user interface which is consistent with the metaphor of least privilege can bring a bit of joy. It’s easier. It’s faster. At a minimum, it’s an acceptable change.

Most Advanced, Yet Acceptable (MAYA) is the name Hekkert has given this principle. How advanced can the design be while still remaining familiar, still being acceptable, still looking like work? The answer will vary from organization to organization due to culture. But the question must remain top of mind for security leaders pushing the envelope.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.