Lots of discussion in the mainstream press about every Fortune 500 company being hacked, the <insert name> government having hacked us into smithereens. The world is ending. We need to do <insert favorite vendor solution> to save the world.
Bull pucky. I’ll take five minutes out of my day and discuss some of the issues. I reserve the right to go back and edit this. It’s a rant so be aware I’m going to be snarky.
We only need to do a few things to secure our information infrastructure but they are radically off course from where we are today. They aren’t politically fancy. They aren’t cheap. And, you won’t get a bronze star for doing them. In fact if you suggested how to actually fix information (cyber) security you’d likely get fired. So in summary the way to fix information (cyber) security is bury defense in depth, assume breach, secure the information not the hardware, think resilient, and pay the cost.
1. Bury defense in depth
Defense in depth and defense in breadth work when you can control all avenues of entry and exit from an environment. In environments where the connectivity options approach infinity there is no adequate method to control every avenue of approach. You’re wasting your money buying perimeter defense and internal mechanisms of containment. Will they stop the low-level guys? Yes they will, and for that reason go ahead and keep what you bought. What they won’t stop is anybody who understands hacking into networks. Not “computer” networks but the social, cognitive, technological networks of the actual cyber realm. Go ahead, mister silly pants information security guru, and blame the user for all of your problems. They are the reason you have a job.
Defense in depth is dead because the network structures are so inter-related that teasing out control mechanisms is outside the realm of possibility. Even air-gapped networks can be reached. Accessing highly confidential systems is simply a matter of figuring out which pawn to move when nobody is looking. Artificial constructs where security is based around ONLY network access being considered are moronic. Bad guys will not follow your rules, so you need flexible, non-deterministic rule sets of your own. Defense in depth is based on the principle of control, and control is absent in any sophisticated network.
2. Assume breach
Look at your networked enterprise environment. Assume that you have a breach at the worst level. You now know that every information asset under your control is going to be in the hands of your worst adversary. What are you going to change in behaviors and controls? How are you going to respond? You can’t possibly remove the breach, so the only thing you can do is mitigate its effect on your enterprise. What kind of policy decisions would you make? How would you change your operational characteristics? This is the point where most information (cyber) security professionals start trying to change the scenario. They don’t want to even think that they have failed. Their hubris rises to the surface and they say “uh uh, not me.”
When your information (cyber) security professional tells you that they can never be hacked, breached, or exploited, standing there with a smug look on their face, fire them. They are less than useless. You want somebody who is willing to tell you that bad things happen and mitigation is your only strategy. If bad things don’t happen, they’re good, but there is always the possibility, because bad things happen to good people too. Hubris speeds that process along, because the arrogant never consider the unexpected. I want my security people to be paranoid as the day is long and hyper-aware of the information environment. I kind of want them pissed that they have users but always aware that users are why they get paid.
3. Manage (secure) the information not the hardware
Government and corporate entities refer a lot to locking down computers, securing servers, and other pedantic, wrong-headed talk. Of course we’re going to do some level of due diligence, but go ahead and abandon hope of securing hardware. Look at the information assets, whether they be databases, telemetry for medical devices, operational military plans, or photographs of aging starlets, and consider securing the information.
Information is data with context. It has to mean something or have some value, or you are spending money to secure the equivalent of digital diarrhea. A lot of computer information appears to have no specific worth or context, so be careful that you don’t get whiplash from securing too little: data that looks worthless on its own can matter a great deal once it is combined with other data. The way you know whether you’ve secured enough is by evaluating the value of the assets.
Do you even know the value of your categories of data? Have you inventoried the security use cases of your user population to understand the information flows of your environment? Do you know what really matters and what is merely ancillary to your organization? Can you tell me the flow rates of data from the cognitive potential of your user base to the operational and strategic hierarchies for decision support? If you have no idea what I’m talking about, you are working information (cyber) security at a tactical level with no conceptual framework for actually solving the problem. You are bound to fail.
We can look at cases of resource failure pretty easily. Are you the information (cyber) security professional who diligently runs vulnerability scans against your information hardware assets? Why? Are you checking for known configuration issues and perhaps confirming that everything is in a known secure configuration? Don’t you think Sony, RSA, and Lockheed Martin all did that too? How many exceptions have you had to register on your vulnerability assessments because the software or hardware requires an insecure configuration? If the answer is even one, then you’ve got an issue.
A common thread from government types and corporate types is that sophisticated red teams show up and get into their networks. There is nothing you can do to stop them, and these red teams are operating under rules of engagement and codes of conduct. Do you think the adversaries are so constrained? If you’re going to expend resources on securing the environment, look at the information. That is what you care about. Secure the asset, not the cardboard box.
4. Think resilient instead of brittle
Risk to critical information assets can be reduced if their loss is mitigated or the impact of their exfiltration is mitigated. The mind leaps to breaches of confidentiality, but we’re not saying that is even the case here. If all of my data is heavily encrypted at rest and the adversary slurps it up, who cares? I will lean on the well-trod path of time-based security and not care: the encryption only has to hold longer than it takes me to detect the theft and respond, for instance by retiring the keys. There is the problem of protecting the keys to the key server, but that is a use case where I should apply appropriate strategies to mitigate risk. Focusing on one central primary asset rather than the peripheral multitude should effectively reduce my work factor.
We can see examples of brittle architectures in how we build network connection points. Single points of failure became high-availability shared points of failure. Those became cloud points of failure. Then we snapped back and said we were going to create fewer connection points in hopes of slowing adversaries down. Unfortunately the adversaries follow us home wearing invisibility cloaks and we’re too drunk to smell their foul stench. That is just a little tiny Lord of the Rings reference there for the multitudes.
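What “secure the asset, not the cardboard box” and “encrypted at rest, who cares” look like in practice, as an added example that is not from the original post: every record is sealed under its own data key, the data keys are wrapped by one master key that never leaves a key server, and the key server is the single asset you actually defend. A stolen disk image yields blobs and wrapped keys, both useless without the master key, and once the theft is detected the master key is disabled, which is the time-based-security bet above. The construction below uses only the Python standard library, so the cipher is a toy (an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag) standing in for AES-GCM or ChaCha20-Poly1305 from a vetted library; the `KeyServer` class, the record layout, and the `breach_drill` function are assumptions of this example, not anything the post describes.

```python
"""Envelope encryption at rest: per-record data keys wrapped by one master key.

Added illustrative code, not from the original post. Stdlib only, so the cipher is
a toy stand-in for a real AEAD; the key-server API is an assumption of this example.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from the one caller-supplied key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyServer:
    """The one asset worth defending: holds the master key, hands out only wrapped keys."""

    def __init__(self) -> None:
        self._master = os.urandom(32)  # never returned to callers
        self.enabled = True

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._master, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if not self.enabled:
            raise PermissionError("master key disabled after breach")
        return open_sealed(self._master, wrapped)

    def disable(self) -> None:
        """The time-based-security response: after detection, the stolen blobs go dark."""
        self.enabled = False


def store_record(server: KeyServer, plaintext: bytes) -> dict:
    """Each record gets a fresh data key; only the wrapped key is stored beside the blob."""
    data_key = os.urandom(32)
    return {"wrapped_key": server.wrap(data_key), "blob": seal(data_key, plaintext)}


def read_record(server: KeyServer, record: dict) -> bytes:
    return open_sealed(server.unwrap(record["wrapped_key"]), record["blob"])


def adversary_can_read(record: dict, guessed_master: bytes) -> bool:
    """Adversary holds the exfiltrated record and tries a master key of their own."""
    try:
        open_sealed(open_sealed(guessed_master, record["wrapped_key"]), record["blob"])
        return True
    except ValueError:
        return False


def breach_drill(secret: bytes = b"operational plan, eyes only") -> dict:
    """Walk the assume-breach scenario and report what each party can recover."""
    server = KeyServer()
    record = store_record(server, secret)
    tampered = dict(record, blob=record["blob"][:-1] + bytes([record["blob"][-1] ^ 1]))
    owner_reads = read_record(server, record) == secret
    plaintext_on_disk = secret in record["blob"]
    adversary_reads = adversary_can_read(record, bytes(32))
    try:
        read_record(server, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    server.disable()  # theft detected: retire the master key
    try:
        read_record(server, record)
        reads_after_disable = True
    except PermissionError:
        reads_after_disable = False
    return {"owner_reads": owner_reads, "plaintext_on_disk": plaintext_on_disk,
            "adversary_reads": adversary_reads, "tamper_detected": tamper_detected,
            "reads_after_disable": reads_after_disable}


if __name__ == "__main__":
    print(breach_drill())
```

The point of the drill is the shape of the work factor: the adversary’s haul is a pile of blobs plus wrapped keys, and the only thing standing between them and the plaintext is one master key you can guard closely and, on detection, throw away.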
5. Pay the cost
When we talk about information (cyber) security budgets we’re often talking about less than ten percent of the entire information technology budget of a corporation. Much of that number is going to be eaten up by licensing costs and hardware costs that should be part of the information technology budget. If you have running water, you don’t think twice about somebody cleaning the bathrooms and having faucets for people to use. Yet our security budgets often revolve around fighting for that level of utility budget. The security office is often the smallest office, in the smallest corridor, in the least funded area of the company. Until the big breach happens. Then there is an impact against profit, and a bright, shiny, well-paid computer security officer joins the company with a great big fix-it, hide-it, make-it-go-away-quick budget. Until they forget and cut the budget year over year even though the information asset base rises.
Information technology was invested in because it made people more effective, it reduced the number of people needed to do a job, it made industry more competitive. Lots of information technology replaced lots of people, and the profits from that continued. Unfortunately, in the era of the knowledge economy the information technology boom was continued, expanded, and subjugated to a set of metrics never appropriate to the environment. Security was ignored, though many authors pointed out the flaw in this thinking. Information (cyber) security resources were skimmed, and in a shame to industry and academia the security chapter of most textbooks is the last lecture (computer science geeks just grinned). Just like the engineering practices are the last thing into the project plan.
The cultural and business practices in industry and government were never aligned with reality. Now the entire technology stack in the information age economy is insecure, riddled with vulnerabilities, and confidentiality, integrity, and availability are not sustainable. Acceptance of poor programming practices, vulnerable hardware, and inappropriate strategies runs through the information environment like a torpid snake. You don’t really have to worry until it bites you.
Nobody likes the answer
You’ll get no traction with the above information. We’re not walking back from this abyss anytime soon. There are ways to fix it, and we’re in the middle of what might be one of those change vectors. Segmentation of the software environment into single-use-case applications with restricted utilization vectors represents a significant leap in technical security. That kind of sandboxing means that exploitation of one application should not have the whole-of-system effects it has in other, less protected execution modes.
The “spend more money” half of this argument falls equally on deaf ears, but there are rising risks and awareness that might change the equation for a small period of time. This cycle runs hot and cold nearly every decade. In this small window, pushing secure architectures, protection mechanisms, and holistic security inclusive of specific security use-case analysis strategies just might change things.
Sorry, it only took four minutes to make 1700 words.