Eight cyber security tips I learned from The Walking Dead
by Corey Nachreiner - Director of Security Strategy and Research, WatchGuard Technologies - Tuesday, 18 March 2014.
Infosec professionals need a good team, too. In big organizations this might mean having security specialists who allow you to concentrate on each layer of information security. For instance, you might have a perimeter guy, a mobile security gal, a forensics and incident response person, a secure webdev code-monkey and so on. However, even at a small company where youíre the only security professional, or maybe even a traditional IT guy who has to do security on the side, it helps to recruit a team of allies to help you achieve your goals. This may be as simple as helping educate and build security awareness among normal employees so they have the skills to make your job easier. Think of how Rick taught Carl (and then later Andrea taught the group) to shoot. The more trained guns you have, the less you worry about cyber outlaws.

6. Donít be a jerk! Ė Every zombie apocalypse story has that guy. The antisocial, disagreeable jerk who just continues to bicker and bring the group down. This guy is a lightning rod for disaster and tragedy. For instance, remember Carolís abusive husband, Ed? His bad decisions put the group, and ultimately himself, in harmís way.

Donít be that guy at your organization! Cyber security has risen in prominence the last few years. Itís left the LAN room closet and entered the business mainstream, and even the boardroom. Whether itís educating users, helping HR, or campaigning for an increased budget, good infosec professionals should find themselves interacting with people from other departments more often. Unfortunately, technical security experts have the reputation as sometimes coming off as cynical know-it-alls, who just impose draconian rules for no perceivable reason. Donít be that guy.

Gaining allies rather than enemies is often more about how you communicate, not necessarily what you communicate. If you take the time to listen to your co-workers, educate with patience, and communicate in a friendly manner, maybe the next time you have to impose a new security policy, your co-workers will recognize it for the well-intentioned security strategy it is, rather than interpreting it as a heavy-handed roadblock. Furthermore, if you spend time making friends rather than enemies, you might find the purse strings a bit looser the next time you need budget for some new security project.

7. Malevolent humans are scarier than zombies Ė In my opinion, TWD isnít a story about zombies, itís a story exploring human sociology in extreme situations. While you may think zombies are the biggest threat at first, you quickly realize that humans whoíve suddenly risen to positions of power can be much more evil, and less predictable, than any walker. Case in point; The Governor (need I say more?).

Now just imagine the walkers as automated, opportunistic cyber threats (such as botnets, worms, and viruses), and imagine the evil human characters as the advanced human attackers targeting our companies today, and you have the same situation. The latter concerns me much more than the former.

The tip here is, spend more of your time and money trying to defend against advanced targeted attackers. In the end, any security solution that protects against the more sophisticated attacks dreamed up by human hackers will easily block your run-of-the-mill automated attacks as well.

8. Security is all about trust Ė One of the biggest lessons TWD characters learn time and time again in the series is to be careful whom they trust. Meeting new people in this fictional apocalyptic environment is dangerous. Strangers can either be for you or against youótheyíre rarely neutral. You have to quickly figure out who you can trust, in order to set your proper guard. Thatís why Rick designed a three-question test to quickly assess new people: How many walkers have you killed? How many humans have you killed? Why?

Information security is also all about trust. Really, our whole job as infosec professionals deconstructs down to:
  • Figuring out who our organization trusts (and how much they trust them); then
  • Finding what data our organization values, and trying to limit access to that data to those we trust enough.
All the technical security measures we use to control access to information donít help at all without the right policies in place; and you canít write those policies if you donít know who you can trust.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th