Once upon a time, humans lived in small bands, huddled together for warmth and security. We defended ourselves against predators by establishing secure perimeters – the cave-mouth, the palisade of stakes – and keeping close watch on the unfriendly night outside the radius of our firelight.
This tendency to defend a perimeter against external threat seems hard-wired into our genome. Even as the threats we face evolve, we stick to manning the fortifications, always looking outward.
What’s wrong with that?
Ask the Trojans – who willingly but unwittingly brought the attackers inside their own walls. Trojan horses are alive and well and attacking a computer near you right now. They rely on you compromising your own perimeter.
Ask the Norwegians. Thanks to Quisling, they never got to test their perimeter because their government was compromised from the inside.
Ask the French. The Maginot Line was state-of-the-art, for the time, and cost so much that other elements of defence suffered. The Germans just went round it, choosing a route of attack that was unexpected and a method that was novel.
How is this relevant to IT security? Because many organisations still take the same approach to securing their IT assets. Install a good firewall, add some antivirus and antispam, maybe pay for an occasional automated penetration test, sit back, relax and enjoy a refreshing cool beverage.
Why isn’t this good enough any more?
Actually, it never was. Three points:
- Hackers aren’t stupid. They won’t keep beating against your secure perimeter if they can find a way around. Whether it’s targeting specific users with tailored Trojan horses (“spear-phishing”) – as happened to RSA – or compromising devices and services outside the perimeter to take advantage of your BYOD policy, they’ll find a way in.
- External threats aren’t your main risk. Just ask South Carolina Health and Human Services, to pick the most recent incident I could find in a 60-second search. 228,000 records compromised, external cost already in the millions, all from one trusted internal malefactor.
- Intentional threats aren’t your only risk. Will your secure perimeter protect you against fire, flood, earthquake, power-outage, hardware failure?
So what do I do about it?
You will be compromised. You are already compromised. Accept this.
What you need to do is minimise the level of compromise, and minimise the damage a compromise can cause.
- Segment your systems and data, so that breaching one does not mean breaching all.
- Train your staff to act as your police force, constantly on the alert for suspicious behaviour – inside and out.
- Stick to the principle of least privilege – only give people the access rights and data they need to do their job – and try to implement other good practices, like job rotation, two-person controls and mandatory vacation.
- Secure and encrypt sensitive data even inside your network. Because there is no real “outside” any more. With BYOD and the growth of web-based software-as-a-service, half your network is outside your perimeter, and half the internet is inside it.
- Build in resilience in multiple ways at multiple points; don’t rely on a single monolithic solution. Tailor your resilience provision to the value of the data or processes it’s protecting, and make sure your risk assessment looks at all the threats.
We have to change to a pervasive model, where we build security into every process, every datastore and every job description. We have to be paranoid because they are out to get us. But we still have to do our day jobs, so we also have to accept that some of the time, they will get us. Provided we don’t keep all our eggs in one basket, we can weather some compromise and emerge stronger.
Humanity survived losing occasional cavemen to Smilodon.
The Trojans went on to found Rome.
The Norwegians have a robust democracy and the most valuable sovereign wealth fund in the world.
The French…well, they’re still French.