As long as there have been computers, there have been individuals who have been willing and able to compromise them. It was true yesterday, it is true today and it will be true tomorrow. In fact, the fundamental issues that lead to compromises, large and small, have been very consistent over the years. They fall into the following five categories:
If you are going to take on an opponent, you will have more success if you know a lot about them – who they are, what motivates them, what tactics they use and what they are capable of. If you don't understand those things, and you don't have a strong sense of how best to use your advantages against them, you are probably going to have a hard time defeating them.
Further, if you need to collaborate with other parties to be successful, they need to understand these same things. So employees, senior management, suppliers and clients need to have the same level of awareness or they become a weak link in your defense.
Once you understand what you are up against, you still have to be able to see where your opponent is and what they are doing in order to counter their actions. Boxing with your eyes closed doesn't end well. Knowing where your most valuable assets are, having records that track suspicious activity, alerting the appropriate people when something unusual occurs and knowing what to look for all provide this visibility. In technical terms it is asset inventorying, activity logging, event correlation, alerting and threat intelligence.
If you don't have a thorough understanding of the threat landscape and you can't maintain good visibility into what goes on in your environment, you will probably need to lean more heavily on regulatory guidance, standards and "best practices." That's fine and appropriate – as far as it goes. However, it is only a foundation to be built upon. Compliance is necessary but not sufficient. To be effective, you have to go beyond compliance and also build in defenses that address the tactics the threat actors relevant to you are most likely to employ.
Even if you understand the threat landscape, have visibility into suspicious activity and are focused on instituting the security measures most likely to defeat a threat actor, you can still fall short. That's because some organizations feel certain steps are too hard to take. Multi-factor authentication, password complexity requirements and network segmentation are examples of defenses that many organizations don't implement because they feel it will have an adverse effect on productivity or morale. Interestingly, after a major breach they tend to find a way to adopt those same practices without issue – but it takes a significant event to get them there.
Lastly, even the few organizations that have the appropriate awareness, establish the necessary visibility, maintain their focus and get past their concerns about operational impact still run into issues. Perhaps it is the appeal of having a tangible goal, or maybe it is the difficulty of quantifying the benefits of certain measures, but more often than not organizations prioritize new technology solutions over improving their personnel capabilities or their processes. Unfortunately, staff who don't fully understand their tools and practices that are applied inconsistently undermine the effectiveness of every tool. Consequently, an organization will invest in new technology, report the accomplishment to the board and then, when a threat actor navigates around poorly implemented or poorly maintained infrastructure, ask for more funding for more tools. The assumption is that throwing more money at technology will eventually buy the silver bullet they have been looking for – but no one ever gets there.
Most technicians and business people who have responsibility for securing their environments may not immediately think of these factors, but few would disagree with the items in the list. However, if most people responsible for security are generally aware of the issues they need to address, why do significant compromises continue to occur? The secret, if there is one, is that execution trumps strategy.
Focus, discipline and the painstaking work of moving the organization forward by developing stronger personnel and improving process execution are hard and, frankly, not as much fun as implementing the latest and greatest bright shiny technical object. That is why we sometimes don't do the right thing even when it is obvious what the right thing is. But it is what we need to do if we are going to be successful in the long term.