In my industry reading this week, I came across the following notion a few times: getting hacked is inevitable – therefore, work on mitigating & containing the damage as much you work on border control. I don’t suppose anyone in the security business is getting ready to chuck their firewalls and IPS units out the door on the assumption that they’ve been hacked already, but the larger question raised was still a scary one to me. Are we really giving up hope that we can prevent a breach on our networks?
Most major hacks come from inside the perimeter so to speak (even if sourced externally), and it’s tough to defend against an attack when the attack source enjoys a level of trust. An attack from someone who’s entitled to be there is the ultimate Trojan horse: they look like reasonably contented employees on the outside, but on the inside, there’s treasonous intent. Or more frequently, even when those employees mean the best, they can invite trouble in from the outside, as external agents leverage the insider’s trusted status to gain access through spear phishing, the injudiciously inserted USB stick, and other social engineering hacks. However, there are complex security paradigms that exist to keep the bad guys who’ve established a beachhead from having access to too much. Standards such as HIPAA, SOX, and PCI are all schemes intended (in part) to prevent people from having access to too much information, and thus prevent data loss, privacy breaches, and WikiLeaks. In the new security mindset, complex paradigms, while relevant constructs often with legal ramifications, are implicitly insufficient. And that reminds of my favorite mantra from a former co-worker: compliance does not equal security. But I digress.
While humans are the ones behind the hacking, they have to have some flaw to take advantage of. What neither article mentioned in detail was the root cause of many breaches: bad applications. I’d love for an experienced software developer to come on the Packet Pushers podcast to help us understand why, after all these years, we’re still dealing with buffer overflows, SQL injection attacks and the like, especially on Internet-facing applications. And although certainly a recurring theme, bad applications are far from the only causes of breaches. Bad administrative practices due to human incompetence or lax policies are also contributors. Even the best of us are guilty of leaving a password unchanged now and again.
So upon reflection, I have to agree with this new notion of inevitable hacks…not that I’m resigned to being breached, but I think there’s a tactical advantage in thinking this way. Why? If you’re not actually compromised – but think as though you were – that could drive wiser behavior on the part of we IT security practitioners. Better detection methods. More proactive thinking about “what if” scenarios. Imagining the enemy inside the gate makes one stop looking proudly at the massive walls, alligator-filled moats, and tall watchtowers at our network’s periphery that are supposed to keep the enemy out. The focus widens to include contemplation of what a miscreant might be able to pull off if they were already inside and no one was looking for them.
Hey, it worked for Frodo. Frodo & Sam managed to smuggle the ring all the way to Mount Doom right under Sauron’s watchful eye because he was too busy looking at his splendid gate and the enemies gathered there. It’s time that we do widen our focus beyond the border, assume the worst, and think about what we’re going to do about it.
Yeah, so I made us all Sauron in that analogy. Own it.
Overview of Co3 Systems, Inc. (A startup software firm addressing what to do when a breach happens.)
“Cambridge startup Co3 Systems Inc. is betting that the 3.2 million Massachusetts residents – nearly half – who have been victims of data breaches over the last four years will drive the demand for [John Bruce's] company’s data breach management software.”
CrowdStrike (A stealth-mode startup.)
Among other services, CrowdStrike will, “Identify unknown compromised systems and data exfiltration channels, determine attribution and motivation of the intruders, and provide cyber counterintelligence strategies to respond to future intrusions.”
Security’s New Reality: Assume the Worst (Part 1 of 2 by Kelly Jackson Higgins.)
“Assuming the attacker is already inside, or soon will be, is a gradual but significant mindset shift under way in the security industry, which has been built on a defensive strategy of firewalls, antivirus, and other tools. There’s now a growing sense of fatalism: It’s no longer if or when you get hacked, but the assumption that you’ve already been hacked, with a focus on minimizing the damage.”
Damage Mitigation As The New Defense (Part 2 of 2 by Kelly Jackson Higgins.)
“Attacks have become more sophisticated, and social engineering is a powerful, nearly sure-thing tool for attackers to schmooze their way into even the most security-conscious companies…Security experts say this mindset shift in security has been coming for some time, and has only recently become palpable in the way vendors are marketing their wares and in how enterprises are starting to rethink their traditional defenses.”