“The future is not set, there is no fate but what we make for ourselves.” John Connor, Terminator 2
There is a prevailing viewpoint among security professionals that security breaches are inevitable. They have adopted the mantra, “It is not a matter of if but a matter of when.” As recently as the day I wrote this post, I attended a meeting where this attitude was used to justify accepting easy to mitigate security risks. This attitude is nothing new and it has a name: “fatalism.”
Merriam Webster defines fatalism as, “a doctrine that events are fixed in advance so that human beings are powerless to change them.” Ask yourself as you read this, is that the truth? Are you powerless to change events or do you make your own choices?
When you make the choice to choose compliance over security, that’s not fatalism but a mixture of choice and will. It’s a decision to be good enough to escape liability without being good enough to escape fate. It’s a trap! Many of the big credit card breaches of the past decade occurred while an organization was PCI compliant. Target was certified PCI compliant weeks before it was hacked in 2013. Verizon has breach data that supports the fact that although companies become compliant they often do so in a way that is unsustainable. Do not take away the wrong lesson. The lesson here is not if Target couldn’t fight the hackers then I can’t either. The lesson is that the culmination of their decisions resulted in an environment that made it possible.
You make choices every day that impact your personal and professional destiny. I promise you security is not an expensive goal attainable only by the super-rich. It is far more about the knowledge, dedication, ingenuity, and heart you put into it.
As a blog post, I have to keep this short so please forgive me for not addressing every area of focus you need to cover to commit to security. There are four phases to the model I recommend for IT security: identify your environment, categorize your risks, know your enemy, and test your solutions. This model is a cycle designed to repeat itself again and again without end. Each cycle informs upon the information gathered in the last and grows more mature with each revision.
Identify your environment
Phase one sounds simple. It’s the same advice given by sages, oracles, and war philosophers for thousands of years, know thyself. It is the foundation upon which all else is built. What systems are on the network? What systems are in your inventory? Where is your sensitive data? What is your sensitive data? What is the normal traffic of your network? What is the normal operating usage of your systems? This is a collection of facts, without judgment, about the environment. A single missing piece here may cause your entire security structure to crumble.
For example, I did a penetration test for a bank several years ago. They had a secure system for their account data. However, one of their account representatives wanted to do something nice for their clients by recognizing their birthdays. They took the information from the secure database, including the account numbers and safety deposit box information and put it in a spreadsheet. I found that spreadsheet with an unprivileged account sitting on their internal SharePoint platform. They did not know where their data was, and had I not found it they would not have known to address it.
Categorize your risks
Phase two is about putting those pieces together to figure out what it all means. What do you get when you assess the systems on your network with the systems in your inventory? Rogue device detection and loss prevention. What does it mean that I found account data in SharePoint which itself has its own set of environmental facts to classify? If you’re missing process A how does that impact procedure B? Lining up these bits and pieces and connecting them in meaningful ways results in a holistic assessment of organizational risks.
Some frameworks for security and most organizations stop here and go no further. HIPAA for example does not require anything more than a knowledgeable assessment of risks. Several years ago, I conducted an assessment at a medical insurance processing company and found that less than 40% of their systems were defensible, but they were all assessed for risk. The only question about risk is if it meets the standard for legal and insurance purposes. If a reasonable person thinks nothing more could reasonably be done to prevent, detect, or deter the breach, the assessment stops. They never carry that forward to build out the final two critical components.
Know your enemy
We can’t stop people from trying to break into networks. That truly is inevitable. Just like in war you can’t stop the fight from coming, but a good defense does not simply stop at the perimeter. Should an enemy breach those defenses there are more defenses designed to deny them whatever objective they seek to obtain. In order to do that, you have to know how the enemy works, how they think, and how they operate. You have to take a realistic look at the world around you to identify your actual threats. What do they want? Why do they want it? How are they likely to try and get it?
Knowing these things is not about knowing every potential attack vector that could ever be weaponized. It’s about knowing the likely attack vectors and how they operate in order to establish methods to detect, deter and mitigate attacks. I have tested several companies via social engineering scams including phishing scams. I would send a link to a VP with some message telling them to log in to the new portal to activate their accounts for remote work. After they did I was able to log in via those accounts to the real portal. This attack pattern is simple, but within it are several points where organizations could have detected mitigated, or even prevented my success to limit or prevent any success. Here is an example, after a phish is reported can you remove and block access to the email and the fake site?
Test your solutions
The few companies that go beyond categorizing risks typically skip the third phase and go straight to testing their solutions with things like penetration tests. However, what good is a penetration test that’s conducted with no actual direction or bearing on reality? When was the last time you invited a stranger to plug into your network for a week unsupervised? Never. So why would you test this way? What threat are you so concerned about that mimics this behavior? More often than not the first comment I hear after delivering my results after a penetration test is, “we saw you, but we just didn’t stop you.” Would you let a hypothetical stranger do it? Or let an employee do it? Why are you letting a tester do it? Detecting, deterring, and preventing an attack is the primary responsibility of security. Training only makes sense when you train the way you fight.
Every time I conducted a penetration test, I advised the client to watch, track, and detect my movements through the systems. I shocked one client after less than 3 hours when I showed them how far I had made it into their networks. They could not believe it, could not detect it, and requested we talk with my manager to verify my identity. They thought I might have been too good to be a real consultant. The results of this testing show not only where plans fail, but where they go right. It is important to understand and identify not only the things that need to be improved but the things that worked. Building upon each phase culminates in this real world testing which gets real results and provides real world data for building better programs.
When you put all of these together in a continuous cycle you get an IT security program that understands what it has and knows its own strengths and weaknesses. The program can detect and prevent an enemy and it trains each cycle of its growing maturity model using real world tactics, techniques, and procedures. Military veterans may find this four-phase process familiar; it’s the same process for developing and refining intelligence planning products.
There is no doubt that hackers will try, have tried, and are trying to breach anything connected to the internet using automated and manual methods. That is something beyond our control to change. You can impact the outcome through dedication, understanding, and hard work. You have to know your environment, understand your risks, identify your opponents, and train the way you fight.
So long as you’re willing to go the distance - your fate is not set. You can write your own destiny.