Does your Cyber Security Rigour match the Rigour and motivation of a Hacker?

This article was originally published on Linkedin on August 31, 2016 @ https://www.linkedin.com/pulse/does-your-cyber-security-rigour-match-motivation-alexander/


This question becomes more relevant with each passing day, following the wave of high-profile cyber attacks and data breaches reported in the media in recent times. As we all know, for every reported breach there are many more that go unreported.

Looking at these attacks, most appear to share a common underlying thread: sloppiness on the part of the victim!! Of course there are the high-end cryptographic breaks and nation-state attacks, but these are fewer.

When you look at the profile of a typical cyber attack, the actors are knowledgeable and intelligent (it is just a shame that they would rather be on the other side of the law), and the attack vectors they use and exploit are also known to those of us on this side of the law. There are very many of them across the world and across cyberspace, representing a sort of "ragtag army", as opposed to the few people, or sometimes the single individual, in an organisation with the responsibility of securing the front.

What did Alexander the Great have to do to defeat King Darius III of Persia at the Battle of Gaugamela? Strategic thinking!!!

Consider the cost associated with these breaches and the immeasurable cost of the trust eroded by these events. Then there is the value of the stolen data to the organisations that lost it.

The information security industry is reportedly worth several hundred billion pounds, and organisations are spending vast sums of money on their cyber defences. One thing is however clear: a typical hacker is more determined and rigorous in his methodology than defenders are in protecting the empire!! Or is this just me moaning? Far more faith is put in technology than in human intelligence, which is why we spend so much more on tools than on "cerebral" activities. Or is it because the latter are intangible?

A hacker spends a vast amount of time "casing the joint" before he makes his move. He thinks, collects data and analyses it; then more research and more reflection; then he pokes here and there, before he goes for the kill and cleans up after himself, leaving no trace, or in some cases leaving a back door.

What methodology or approach do we use on this side of the fence to match the hacker's rigorous process? Don't just say "risk management": how does it translate into your prevent, protect, detect and respond processes? How does your controls framework match up to your strategy, if you have one?

In my career I have seen organisations spend millions of pounds on information security projects yet be unable to articulate the central objective of all these controls. In my experience, most organisations don't know where their critical data resides within their IT infrastructure or how it should be protected; shall we ask "Anonymous"? Information life-cycle management sounds laboriously academic, but these things are central to sound information security management. How up to date is your network diagram? Does your security team understand the "normal" data flow? If not, how are they going to recognise anomalies? And what about your outsourcers: when did you last test their security processes, or even assess the effectiveness of their security controls?
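To make the "normal data flow" point concrete, here is an added example (not from the original article) that builds a baseline from a constructed set of flow-log lines and then flags later flows that either never appeared in the baseline (a new peer or port) or exceed the baseline volume by a large factor. The key=value log format, the IP addresses, the timestamps and the 3x volume threshold are all assumptions for illustration; real flow records and thresholds will differ.

```python
"""Baseline-and-anomaly check over flow records (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed "known good" flow-log lines from an earlier period (assumed format).
BASELINE_LOG = """\
2016-08-22T09:00:00Z src=10.0.1.10 dst=10.0.2.20 dport=443 bytes=120000
2016-08-22T09:05:00Z src=10.0.1.10 dst=10.0.2.20 dport=443 bytes=98000
2016-08-22T09:10:00Z src=10.0.1.11 dst=10.0.2.21 dport=1433 bytes=40000
2016-08-23T09:00:00Z src=10.0.1.11 dst=10.0.2.21 dport=1433 bytes=52000
2016-08-23T09:30:00Z src=10.0.1.12 dst=10.0.2.22 dport=25 bytes=8000
"""

# Constructed lines from a later period that the team is reviewing.
OBSERVED_LOG = """\
2016-08-30T09:00:00Z src=10.0.1.10 dst=10.0.2.20 dport=443 bytes=110000
2016-08-30T09:05:00Z src=10.0.1.11 dst=10.0.2.21 dport=1433 bytes=45000
2016-08-30T02:14:00Z src=10.0.1.11 dst=203.0.113.7 dport=443 bytes=2500000
2016-08-30T09:20:00Z src=10.0.1.10 dst=10.0.2.21 dport=22 bytes=3000
2016-08-30T09:25:00Z src=10.0.1.12 dst=10.0.2.22 dport=25 bytes=60000
not a flow record at all
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def parse_flows(text):
    """Parse key=value flow lines into (src, dst, dport, bytes) tuples.

    Malformed lines are skipped rather than crashing the run, so one bad
    record does not blind the whole check.
    """
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port, nbytes = m.groups()
        flows.append((src, dst, int(port), int(nbytes)))
    return flows


def build_baseline(flows):
    """Map each (src, dst, dport) seen in the good period to its byte counts."""
    baseline = defaultdict(list)
    for src, dst, port, nbytes in flows:
        baseline[(src, dst, port)].append(nbytes)
    return dict(baseline)


def find_anomalies(flows, baseline, volume_factor=3.0):
    """Return (key, bytes, reason) for flows that are unseen or unusually large.

    An unseen (src, dst, dport) triple is reported as-is; a known triple is
    reported only if it carries more than volume_factor times the largest
    volume recorded for it in the baseline (threshold is an assumption).
    """
    findings = []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        if key not in baseline:
            findings.append((key, nbytes, "unseen flow"))
            continue
        ceiling = volume_factor * max(baseline[key])
        if nbytes > ceiling:
            findings.append((key, nbytes, "volume above baseline"))
    return findings


def run():
    """Build the baseline and review the observed period against it."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return find_anomalies(parse_flows(OBSERVED_LOG), baseline)


if __name__ == "__main__":
    for key, nbytes, reason in run():
        print(f"{key[0]} -> {key[1]}:{key[2]} {nbytes} bytes: {reason}")
```

Run as a script, the constructed data produces three findings: an internal host talking to an external address it never spoke to before (at 02:14, with a large transfer), a known host pair on a port never seen between them, and a known mail flow carrying far more data than its baseline. The first two would be invisible to a team that has no record of what "normal" looks like, which is the point of the paragraph above.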

Information security is not just about deploying technology! Technology deployment requires thinking too; it doesn't deliver out of the box, and technology configuration is also iterative!! Indeed, all of the processes and mechanisms of preventive, protective, detective and responsive controls require continuous "cerebral" application. I don't mean that you should do nothing while you think, nor that you have to be 100% accurate all of the time. Again, it needs to be iterative.

Let's stop giving the game away: engage security professional services if you are struggling. The alternative is to wait until you get breached or hacked before you act.
