Remember the board game Mouse Trap? The objective of the game was for the mouse to capture the board, while other players defended the board by trying to manoeuvre the mouse onto trap space to prevent it from securing a win.
Well, let us think of cyber criminals like the board game mouse. Most are attacking organisations for commercial gain. The easier the course laid out before them, the quicker they’ll advance, securing a bigger win. Make something tough and it’ll take so much time and effort to break down, that it will no longer be financially viable.
Unlike the eager board game participant who’ll keep starting over in desperation for a win, the cyber criminal will move on to a new challenge elsewhere. So why use the Mouse Trap analogy in the first place? Too many organisations are inviting cyber criminals to play against them with an “if it’s going to happen it will” attitude to network security that can be self-fulfilling.
Organisations commonly exhibit this defeatist attitude, thinking it’s only a matter of time before they suffer a network security breach and only focusing on how they will clear up the mess after it happens, rather than carrying on trying to prevent it.
However, there’s no point just increasing the size and scope of an organisation’s perimeter defences. I like to think of a castle. There’s little to gain by just widening the moat or building thicker walls. What if the drawbridge is down and the guards asleep? Or someone tunnels under the moat and walls? Or they have a friend on the inside? The most successful breaches of security are usually unpredictable and downright brazen – in the non-cyber world think of the Hatton Garden heist of a few years ago, or even the Trojan horse (the one used by the Greeks after the siege of Troy that is, not the malware).
If you keep the moat and walls but build additional defences inside the castle; ramparts, spikes, bear traps even and section if off you limit the access to each section to a small number of controlled points. In IT security terms, we’re talking about security zones, micro-segmentation, network access control, authentication-based firewall policies, SSL visibility; there are multiple options. If the malware can’t go anywhere and you have it locked down in a particular part of your network, it can’t proliferate and the problem is contained.
The defences used in mousetrap are based on a Rube-Goldberg style machine, designed to be deliberately complex in order to prevent escape, yet these defences are constructed throughout the game, gifting the mouse with an open playing field early on. It’s easy to get blinkered by focusing on new products and weighing up potential new solutions but by the time you deploy them, it could a case of too little too late.
Sometimes it’s better to step back and have a more considered wider strategic view. For example, we worked with a video games company that was being constantly hit by DDOS attacks on their live gaming site. So they did some lateral thinking and routed the gaming site through a secondary channel. The attackers have gone off and found a softer target.
So be proactive and make it hard for the attackers. Create multiple layers of defence, one-way “streets” and access control systems. They may devote time and effort to breaking down these barriers, but they too have limits to what is and isn’t worthwhile.
[su_box title=”About Dave Nicholson” style=”noise” box_color=”#336588″][short_info id=’101582′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.