Going pear-shaped


19 March 2014

Whenever one attends an IT security focused event where experts share their experiences of an increasingly complex world of technology, players and motivations, one comes away scared.

That’s exactly what happened when I attended the Secure Computing Forum 2014 recently.

You can see the main report here, but needless to say, various experts scared the bejesus out of attendees as they discussed the capabilities of attackers and the fact that so many attacks go undetected for so long, with the majority of organisations discovering attacks through a third party.

But another significant change that has been highlighted at such events is the changing attitude within information security (infosec) away from prevention to being better able to deal with intrusion and data loss — it will happen so deal with it. This change was evident in the way that the infosec tech vendors described their products and services, but also in the way that advice was given in general, not least from the representatives of legal firms in the area.

However, what set me thinking in particular were the comments made by the security expert and retired US Marine Lieutenant William Hagestad. Hagestad has particular expertise on the cyber capabilities of China, both its government and its military, if such a distinction is not redundant. He asserted that many of the hacking tools used in state-sponsored hacking, whether by individuals or organisations, were undetectable by current intrusion prevention systems (IPS).

Hagestad also opined that Secure Sockets Layer (SSL) traffic was readily decrypted by the Chinese, with the implication that such capabilities were well within the reach of Western organisations such as the National Security Agency (NSA) and MI6.

Coincidentally, a question from the floor during a panel session asked about the security of email and whether it could be read en route to recipients. As the moderator of the session, I recounted some advice I was given as a green web developer: never put your picture on the Internet, and email is like a postcard: assume it will be read by parties other than the recipients.

Now, times have changed somewhat in relation to the picture on the Internet bit, but the situation with email has not. As Dr Robert Griffin of RSA Security confirmed, unless you are using a secure email service, then yes, email can easily be read en route.

But reflecting later on these various points, SSL traffic being decryptable, undetectable hacking tools and insecure communications in widespread use, it struck me that perhaps organisations should modify their attitudes even further.

Now that we have come round to the idea that we will be breached at some point, we must also assume that someone is watching, they know what we are saying and they are willing to use that information.

Think the worst, hope for the best — plan for the former

This has some very deep implications for how we do business, but let us focus on the infosec issue first.

Imagine that your network passwords are in the wild, what would you do to protect the network in the event of someone using that knowledge? How could you compartmentalise and segregate the various zones to minimise what could be taken? How would you ensure that only the very highest level of admin users could do any real damage?

If you assume that your users are not necessarily malicious, but may try to subvert some elements of your security systems and procedures that they consider onerous, how can you minimise any damage from that? If you know it will happen, how can you mitigate?

Similarly, extending outwards for a moment, if you assume that your suppliers, irrespective of your diligent third party assurance actions, are going to reveal access details to your networks or systems, how can you limit the damage possible?

From a business perspective, what are the implications of the assumption that your competitors know what you are doing internally? If you were going to try to gain competitive advantage against your own organisation, what would you do? Where would you start?

In the current climate of constant data breaches, espionage (from whatever quarter) and intellectual property theft, we must assume the worst, at least in a notional way, and begin to mitigate at every point for that perfect storm situation. Despite the focus on unimpeded user experiences, exposing data sources and unfettered mobile experiences, organisations must face the reality that to a determined attacker, and even to those with just a modicum of skill, there are effectively no secrets.

By coming around to this ‘think the worst, hope for the best — plan for the former’ attitude, it means that we are at least prepared for when things go pear-shaped — and they will go pear-shaped.

Though I challenged them on the day, the sentiments expressed by Andrew Harbison of business advisory Grant Thornton rang truer with every reflection.

“Security should damn well get in the way of users doing their job,” he said. “Security should not be afraid to get in the way where it needs to.”

To extrapolate further, security should not be afraid to take the necessary steps, but the assumption must be that whatever you are protecting has already been compromised, and the organisation must be able to deal with that fact.


TechCentral.ie