This article can also be found in the Premium Editorial Download "Information Security magazine: The top 2011 security products: Information Security Readers' Choice Awards."
I’m writing this column for the lulz.
I have a cause, see. And my cause is the lulz.
Security needs more lulz. You’re too uptight. We’re too uptight. We’ve all got whiplash trying to duck-and-cover from all these APTs flying about. Your shoulders ache because your trusty SecurID token could be pwned. You don’t sleep because some hacker with a cause might not like your CEO’s politics and could try to take down your network, or worse, leak data and maybe even put lives in danger.
You’re a mental and physical wreck. You’ve got the thousand-yard stare. The jungle is full of bad guys out there, and the problem is you don’t know who’s shooting at you. Today’s creep could be some Russian mobster stealing credit cards to pad his online marketplace. Tomorrow’s creep could be some Anonymous type with some SQL injection code and an agenda.
The buzzing in your head is the sound of change. All that defense-in-depth and perimeter-based stuff you spent hundreds of thousands of dollars on may be just security theater, as Bruce Schneier likes to call it. Hackers are hacking your people. Hackers are scammers first, and they’re after legitimate credentials. Legitimate credentials make hackers, well, legitimate insiders. Good social engineering is worth as much as or more than good code. With credentials, you can hop from system to system until you find what you want. Some guys want payment card info. Some guys want HR records. Some guys want to be noisy; others don’t want
You? You need some lulz.
This is serious stuff, what’s happening out there. Hacktivists cannot and should not be ignored. You can’t go off the deep end every time there’s a new Sony-esque exposure, but at the same time, you can’t write these guys off as a nuisance. For the first time, enterprises have to consider their adversaries. A very short time ago, it really didn’t matter where attacks came from. Unless you’re a government agency or deeply rooted in the defense industrial base, it didn’t matter if the hacker stealing your stuff was in Beijing or Baltimore. The important thing was to keep stuff safe.
Now it matters. Experts say your information security model has to change. You need to defend against adversaries. You need to defend against the latest threats in circulation. Patch everything every Patch Tuesday? Forget that. It makes no sense, we’re hearing. Who has the time or the people for that? Security managers have to live by two principles: 1) You’re already pwned. 2) Know how your company makes money.
That’s the only way you’ll be able to map your security model to threats and adversaries, and still have a fighting chance. If you know your business and understand how your organization profits, then and only then will you understand your high-value assets and where they may be exposed. You need to understand who could potentially attack you and why, and then have a response plan that can adjust on the fly according to who or what is taking aim at you.
This isn’t easy, but it’s easier than burying your head in the sand and thinking you’re small enough, or don’t handle the types of data and information that would be of interest to a hacker. That kind of security by obscurity endangers companies and even people’s lives. Think about adversaries first, model your programs according to current threats and prioritize your highest-value assets, and you’ll have a better chance of moving hackers off your network before real damage is done. It’s better than going cross-eyed looking at firewall and IDS logs all night for anomalies, especially when those logs can be altered by any attacker worth their salt.
Again, this isn’t easy. But it’s the only way to bring the lulz back to security. Right now, the bad guys are having all the lulz – and there’s nothing funny about that.
Michael S. Mimoso is Editorial Director of the Security Media Group at TechTarget. Send comments on this column to firstname.lastname@example.org.
This was first published in August 2011