That Checklist Is Failing You

I work in one of the many tentacle-like branches of the federal government and am not at liberty to specifically discuss the many and varied real or perceived security flaws that exist at work.  What I can talk about are the threats posed by the prescribed solutions.

The data breaches at the Office of Personnel Management (OPM) have garnered a large amount of attention.  For years we have been warned about a cyber Pearl Harbor, and the OPM breach may very well be the most significant attack to date.

As part of the response, the Inspector General’s (IG) office conducted an audit of the systems in place within OPM and created a list of faults and recommendations.  That list of faults and recommendations is instantly seen as a checklist of things to do in order to assure security.  This creation of checklists is the fatal flaw of nearly all government security systems.

Checklists are static, incomplete and dated.  Once a checklist is completed, it rarely changes or gets reviewed.  Despite what you see on television, people generally don’t question the rules that govern their lives.  Checklists aren’t often questioned, and without being questioned they’re not often revised.  In some parts of my work we’ve been recycling the same poorly written checklists for over 25 years.

Checklists are incomplete.  There’s no way for a single list to possibly cover everything, so there are always remaining questions about the importance of what’s on the checklist and the importance of what’s not on the checklist.  Was something that appeared trivial left off based on a bureaucratic cost-benefit analysis?  Are the things that are on this list still concerns in today’s environment?  Who did the cost-benefit analysis to decide what would and would not get done?  In the linked video you’ll see an illustration of just how this applies to the OPM breach.

Finally, checklists are dated.  They are written in the past as a prescribed solution to the problems of the past.  They generally define a list of to-do’s instead of encouraging a change of attitude.  One common networking practice to identify threats is to create a honeypot.  A honeypot is a computer with specific vulnerabilities placed on the network so it can intentionally get exploited.  This helps to distract an attacker from legitimate targets with real information while simultaneously gathering system log information about the attacker and the methods being used to create the attack.  A honeypot is an indication of a shift in attitude towards cyber security.  When I’ve mentioned honeypots to our network

Generally, when I mention things like honeypots to our network technicians, they ask me to define the term and afterwards advocate for their checklists.

The vulnerabilities we face at work aren’t just the ones you’re reading about now on the news; they’re also the ones you’re going to keep reading about because we just can’t make our checklists good enough.