Anyone who tells you that your IT network is “100% secure” is either a fool, or greatly mistaken. Security is a moving target, and unfortunately, this target is being manipulated by the bad guys.
- Forget the rearview mirror: The bad guys are ahead of you
- Leave the lights on — always
- Don’t forget the boiling oil! Your mom was right: change your underwear, often
- Don’t let vendors put you in their box
Forget the Rear View Mirror
You may not know the intent of those attacking your systems; however what you should know is that they probably know more than you. The security industry does not innovate; we simply chase behind the true innovators and try to keep up.
Zero-day attacks and unknown vulnerabilities. Malware and botnets. There is no magic crystal ball to tell you what’s coming next, but you need to be looking to secure your future.
Looking in the rearview mirror you will see investment in network controls that stop simple mass attacks. But the attackers have evolved and “moved up the stack” going after applications and host systems with targeted attacks. Commercial and custom software that run on these hosts contain thousands of vulnerabilities. Using simple, widely-known techniques, hackers can exploit these vulnerabilities and easily gain complete access to the hosts.
It always will be important to keep current with the latest patches to remediate vulnerabilities. However, the lag time between discovery of a vulnerability and an exploit is rapidly dwindling.
Zero-day (and zero-hour!) attacks are a reality: you are hit before you even know there is a problem. This renders traditional signature-based, reactive protection inadequate. A proactive protection stance is now necessary. What I mean by this: you need to find ways to apply compensating measures to shield vulnerabilities immediately. This will buy your organization the time needed to wait to receive, test and soak the patch appropriately before deploying.
As the threats continue to evolve, we need to evolve our controls, and the mindsets behind them.
Leave the lights on — always
TJX has become a household brand, for all the wrong reasons. The UK Foreign and Commonwealth Office was just slapped for endangering the privacy and identities of people applying for visas to enter the UK.
Security is about vigilance. You need to leave the lights on, or in other words, do everything you can to dissuade attackers by making it difficult for them to attain their goal. You don’t have to be perfect; you just have to be a little bit more secure than the neighbour, as attackers will go after easier targets first.
You need to recognize that the new age of information technology tools means that the average security levels in software is going down. It was hard enough to find application developers who understood security, but now we see web applications built by amateurs using scripting languages, and you can appreciate the problem. In the web 2.0 world, these applications execute across firewall boundaries, opening more seams for clever attackers to exploit.
A mistake made by one, has consequences for all.
Don’t forget the boiling oil!
Defence-in-depth works. Castles historically had strong perimeter defences, but the buckets of boiling oil were on standby to discourage attackers that got past the moat and drawbridge.
Traditional perimeter defences for our networks are necessary, but now not sufficient. There are so many ways to get though the perimeter. An attack might originate from an end user lured to a malicious site compromised by malware. The resulting downloaded malware tunnels in through the HTTP session, ready to launch exploits from within your network perimeter. More frequent use of encryption is problematic, as it can blind network scanning tools, and be a nice tunnel for malware to enter the enterprise.
Security professionals, and indeed most business executives, fundamentally accept the basic premise that it takes multiple layers of defence to protect against the wide variety of attacks and threats. A single product or security layer is not sufficient. A layered, defence-in-depth approach gives multiple lines of defence that will allow one product to catch things that may have slipped past the outer defences.
Learn from the past to secure the future.
Your mom was right: change your underwear, often
Let’s talk about what “vigilance” in security really means. Regulations are popping up in every industry and country or region around the world. When it comes to security, much of these regulations, in particular prescriptive regulations such as PCI, are advancing security in leaps and bounds.
The problem with these regulations is how we (organizations collectively) are dealing with them. Official audits cause mad panic as we rush to apply all security patches and controls to comply with regulations. Shortly thereafter, complacency and forgetfulness allow controls to lapse and patches to be avoided.
Compliance is more than just for the auditors; it will help protect your business. But, compliance does not equal security. Only you can be responsible to keep your house in check.
Don’t let vendors put you in their box
This is not about thinking “outside the box” unless of course you use these as code words for saying “works with more than just Microsoft.” One of the most common complaints that we have heard from CIOs and CISOs around the world is the prevalence of Microsoft-fanatical vendors — even worse, those that support singular versions of Microsoft products.
Look for security vendors and products that work (well) across the broadest range of platforms. There are extremely varied opinions on the security of open source operating systems and applications, but regardless, you should not let a vendor tell you how to run your business when you are asking them how to secure your business.
You need to be wary of vendors that claim to provide a “one-stop shop” for all things security. There is significant value in a diversity of security approaches to match the diversity of approaches to malware and other forms of attacks.
Security needs to be able to be deployed where and when you need it. As embarrassing as it sounds, this fundamental fact seems to have been forgotten by the majority of security vendors around the world. The forklift approach to security installation does not work when you are protecting mission critical systems. Security mechanisms need to complement existing systems and should not disrupt your business.
Great security + poor deployment = bad security
Good security + good deployment = great security
Looking to the future
From London, to Frankfurt, or even Beijing, the security game being played has new players and new purpose. Today’s cybercriminals are organized, ruthless, and financially or politically motivated. Your best line of defence is a defence-in-depth approach to security.
Make sure you choose vendors (not vendor) that are willing to chase your attackers as much as they chased you for your business.
Brian O’Higgins, CTO for leading intrusion defence firm, Third Brigade, is best known for his role introducing PKI products to the security landscape. http://www.thirdbrigade.com/
