When You Have Lost the Security War, You Need a New Approach
Security and Stonehenge
Security has always been a critical part of our society.
When the human race moved from being hunters to farmers, certain information about when to plant and harvest crops was carefully gathered though observation and experience. This knowledge would help farmers work out exactly what time to plant and harvest their crops, so that the first shoots would only appear above ground after the last frost. Ensuring these plants would be healthy and knowing when the crops would have absorbed maximum energy to be primed for harvesting was imperative! If you planted or harvested too early or late and your food supply was weak, the community would suffer as a whole and face an extremely difficult year.
Basic knowledge was critical, but very hard to collect. Even the best farmers would have had to spend a lot of their time looking at the position of the sky and working out the indicators of these moments in time. The wobble of the earth on its axis meant that every year is not quite the same as the last, so you would need to observe the earth for decades to gain consistent information. Wooden and Stone circles such as Stonehenge were essentially the first calculating devices and it gave one group the first real competitive advantage.
Those that had this knowledge would have had healthier communities, and larger more robust families. However what was to stop those who didn’t possess this knowledge from stealing it by force. The old “tell me or I’ll kill you” model. The answer was simple, the community must put up barriers and have protection implemented against invaders. As everyone in society took on specific roles to support the community, a barter system was naturally created. Initially this was the movement of essential items like food and skins, but as society became more complex special items like precious metals and rare stones were used. Eventually we created notes of promise, or money to act as the mechanism of negotiation.
Today’s social framework of money, finance, and banking is still supported, which is really just an extension based from those very same simple systems. We are still in the same position and suffer from the risks of theft and corruption as we did hundreds of years ago.
IT Security Approaches for the Modern Era
Today’s IT security systems must consider the same threats the very first societies encountered, at even a more complex level.
Every security expert starts from the premise of “trust nothing, trust no one.” As we have seen recently by the international hacking of SolarWinds by foreign government agents (probably Russia according to the experts) when you trust anyone, you are relying on their security framework and ability to enforce their own security. At times, everyone’s security will have weak links and as an expert in one part of the IT stack for your organization, you likely have the ability to make your company’s security approach better than it is today. It’s the job of your CSO (Chief Security Officer) or other head of security, but many people can play a critical role.
Trust No One?
If you trust no one as a business, then you need to validate every situation yourself, which can be very time consuming. With a trust nothing and no one posture, every single line of code must be analyzed and confirmed, this takes years of work for any real change. Since that isn’t feasible you have to pragmatically decide who you will or can trust.
- Do you trust the government?
- Do you trust your OS vendor?
- Do you trust your platform vendors?
- Do you trust your application vendors?
- Do you trust your IT services vendors?
- How much to you trust them? Do you give them blind trust? Do you audit them?
The bottom line of security is whatever you know, you should question, and the more information you have to question, the better your security can become.
How can you know if you are secure?
The answer is to always assume you are under attack, continually test every vector of your business, and then retest one more time. Look for any subtle deviance from the expected outcome.
- What are the normal times people with access rights use specific systems?
- In what order are specific systems accessed?
These can provide critical knowledge that can help identify and stop intrusions. While noticing the rate of specific requests, the location where the requests originated, or the unusual levels of failures when accessing a system could all indicate attempts to intrude. It’s well known that many hacks include an element of social engineering. One needs to make sure that every request, however mundane is logged. If someone calls a receptionist asking for the name of an employee, log it immediately. Without data it can be very hard to link together all the elements of an attack.
Being paranoid is a critical security skill. If you assume everyone is out to get you, you are more likely to avoid many types of attack. Capturing data, analyzing the data and being alerted early to potential events is the strongest form of defense!