An individual at a workshop recently asked if it was possible for us to get ahead of the bad guys in this cat and mouse game we see in the world of cyber security. For example, if we update our firewalls to be more intelligent, our adversaries respond with obfuscation, encryption, and/or new tactics to subvert those controls. It seems like the bad guys are always winning, always ahead, at our expense! The reality is that the way we run our businesses by default is dramatically different from how adversaries run their operations.
As a legitimate business you need to focus your resources on the most cost-effective means to grow your business and make a profit. That doesn’t necessarily include expensive security solutions and staff. Naturally, as a business grows, along with its assets, such things will be invested in and hardened over time. But what happens today, from an adversarial position, is that they focus on your weaknesses for their criminal gain. Here are some problems we see with the cat and mouse game concept:
- Adversaries only need ONE weakness to exploit while we must protect against them all. Just one employee who double clicks on that attachment; one staff member who inappropriately uses web resources on a production laptop; one machine that isn’t patching right or runs legacy software that depends on outdated components. Just one area of opportunity can quickly be exploited by an adversary to gain complete control over your entire network. We are at a significant disadvantage!
- Adversaries are quick to communicate with one another, for it helps them in their criminal enterprise of exploitation, monetization, and laundering. Legitimate businesses don’t want to talk about their problems or incidents; they keep them secret. Around the turn of the century large banks were being compromised and then extorted with the threat of reputational loss if millions weren’t paid to the extortionists. Those targets that paid up were hit again and again, becoming soft and easy targets to exploit and monetize. It wasn’t until they started talking to trusted colleagues at their competitors in the industry that they came up with a plan to better manage extortion and exploitation.
- Adversaries have a clear goal, such as criminal profit through online gaming credentials or theft of IP. Legitimate businesses often have a much more diverse and broad set of goals, which commonly becomes more unfocused as they grow into a mid to large sized business. One of the main things in security that is often preached to organizations is to know what your crown jewels are, how they are protected, and to get a road map together that is focused on achieving security to that end. It sounds simple, but legitimate organizations are so very busy with client communications, new business, operational needs, and other things that they often lose sight of what matters most: protecting their crown jewels.
- Adversaries profit immediately, financially or through information theft for espionage, by leveraging their resources, while legitimate businesses see the cost (resources, money, time) of security as a burden. This is a major cultural reality that must be addressed. Security must be viewed as part of prudent operations, a necessity, like breathing air – not an expensive add-on or bonus. Once an organization has a breach and stares disaster in the face, things become clearer – don’t wait for that moment to arrive. If you prioritize security as part of your ongoing operations, to protect your crown jewels, you can significantly reduce risk now and over time.
- The reality is that fighting cyber threats is like fighting wildfires. In the world of fighting fires you never wonder if you’ll ever stop having to put out fires – you accept that fires will always be a threat, and sometimes you even use fire to counter fire, or proactively thin and burn areas to avoid disaster. If we adopt this same attitude about security we can manage risk by talking about what we have accepted, mitigated, and experienced. Remember the days when we all thought anti-virus would one day detect the unknown or undiscovered threat? How’s that working out for you? You have to accept that you will have virus attacks and that some will succeed against your network. So then, what have you done to thin and burn ahead of time to lower the risk of such cyber attacks and to minimize damage if such an attack takes place?
I’m sorry to say, but the cat and mouse game of our relationship with the adversary will never change. Our adversaries are intelligent, focused, and work with great velocity. We are reactive, slower to change, and busy with different objectives in how we run our businesses. We can make significant strides, and lower our overall risk, by changing our cultural mindset and actions related to cyber security. More importantly, we can significantly lower the risk of catastrophic incidents and reputational loss by making security a priority today instead of during or after a major incident that threatens the business.