Why do attackers like your current security strategy?
I just read a white paper on a security vendor’s (Prevoty.com) web site and I think they really understand the problem. I have not had a chance to review their products, so I make no claims about them, but I do recommend reading the article.
First a quote from the paper:
Traditional security is like a city protected by castle walls with a moat and a drawbridge to keep invaders at bay. But now the walls have fallen down and the invaders have sprouted wings, waving to your guards as they fly over the moat. Good luck protecting your citizens.
Now onto their 5 reasons attackers love your strategy:
1. Relying on signature and past definitions exposes applications to zero-day attacks.
Most security solutions rely on the assumption that what is going to happen in the future is based on what has happened in the past. While this is partly true, it certainly isn’t exclusively true. Examples of this are what are known as zero-day attacks – something new, something different. It could be something as simple as a technique that was used in the past, but in a different context. Basing the future solely on the past is not a good security strategy.
2. Perimeter-based security cannot protect today’s distributed world.
In olden days (like a few years ago) when mobile phones, tablets and laptops were not as integrated into the enterprise as they are today, you might have been able to at least define the perimeter of your enterprise. That would be a step towards protecting it. Today, you cannot even tell me on what devices your corporate data exists – never mind whether you own or control those devices (the misguided principle of BYOD is the primary cause of that, but that is the subject of an entire post by itself).
3. Any attempt at active prevention that occurs outside of the application has no context.
This one I might argue with a tiny little bit – but only a tiny bit. The key point being that you MUST mitigate risk in the context that the risk exists in. Risk is always context sensitive.
4. Developers are not, and should not be, security experts.
If you are counting on your developers to protect you, you already have a problem. This is not meant to reflect negatively on them. That is not their focus. Their focus is to create great applications that satisfy your business requirements. Security is a discipline of its own and should be treated that way.
5. Your business is not application remediation.
Boy, howdy! As I said above, application, system and network security is a discipline by itself. Hackers are working 24×7 to break into your world. You need someone on your side who thinks the way hackers think – and who doesn’t have to do that as a sideline.
One of the interesting things about digital attacks is that unless the attacker is unskilled or wants you to know she has been there, you often won’t know that an attacker is inside your system. The only reason Edward Snowden is a household name today is that he ‘outed’ himself. Initially General Alexander of the NSA told Congress that Snowden took around 250,000 documents. Later the General said he took 1.7 million documents. I suspect they don’t really know what the number is. And remember, the NSA is an organization that prides itself on its data security efforts. How does your average company compare in terms of security budget, staff and expertise to the NSA? This is a difficult and never-ending battle – for both you and the NSA.
According to a recent Experian report, 60% of small businesses that suffer a breach go out of business within 6 months. A strategy which depends on you not being attacked may not be totally effective.
Mitch Tanenbaum