It may be the title of a popular ABBA song from four decades ago, but it also has merit in cyber security.
Every day there is a story in the news of a security threat causing havoc. It may be web site defacements one day, denial of service the next and credit card data exfiltration the day after. It seems that we may have truly lost the cyber war to the criminals, but what if we could even the score a little. I am not saying we can put a stop to cyber crime, but what I am saying is let’s turn getting slaughtered into the odd scratch or bruise. And, I am not talking about fighting back. I am just talking about getting even.
To put it in perspective I’ll begin with a scenario. You want to cross a busy road. There are cars coming at high speed directly towards you. Whether you make it across, and live to tell the story depends on the actions of the drivers of these cars. They may speed up, or slow down or they may change lanes… actions over which you have no control. At the same time, perhaps the reason you may not make it across the road depends on your actions, which you do have control over. What if you speed up or slow down? What if you do not realize how fast those cars really are going? What if you forgot that you have a limp after a rough night playing football? What if your judgement is impaired because you had a few too many drinks, or forgot your contact lenses?
To understand your organization’s risk profile, you not only need to know about the enemy; you also need to know yourself. The question becomes: how much do you know your adversary; and how much do you know about your organization?
Let’s begin with your organization. After all, that should be the easiest place to start, because who would know your organization better than its employees? The trouble is, we tend to understand less about ourselves than we think we do. Cyber criminals have the upper hand when your weaknesses are exposed because they use those weaknesses as their strengths. The first step is to explore your weaknesses and turn those into your strengths. Why wait for cyber criminals to beat you to it? To know your organization you have to identify all of the assets. Failure to identify all assets means you are leaving your security risk management strategy partly to chance, and since when did chance do you any favors? In the same way the value of a rental property, which is clearly an asset to its owners, depends on its surroundings – land, market demand, infrastructure, information depends on other assets to help increase its value. These assets include digital assets such as applications, physical assets such as network and storage infrastructure, and yes, storage infrastructure can be a broad portfolio ranging from USB drives to a briefcase to a building, and of course humans. All of these have weaknesses and if we can identify those and turn those into strengths it is possible to stand strong and become a much more resilient adversary to cyber criminals.
The other half of the equation is knowing your adversary. It is important to know their motives and their strengths. Chances are they know quite a lot about your organization before they even begin to create a weaponized and targeted assault on your assets. They know your weaknesses and how to use those as strengths. But for all their strengths including stealthy behaviour and technical prowess, remember that cyber criminals are just human. They make mistakes; they bleed when punched in the nose, not that I am advocating you do that; and they have weaknesses. What you probably have not thought about is what their weaknesses are, but what you should know is that you can turn their weaknesses into your strengths. There are three weaknesses that you need in your arsenal against cyber criminals:
(1) Their biggest threat is you – as odd as that may seem, let’s revisit the crossing the road scenario. If you have cars speeding towards you whilst making that dash across the highway, then obviously, speeding cars and their drivers are your greatest threat, but have you considered that you crossing he road is a threat to drivers? What if they do hit you? That could mean damage to their vehicle, possibility of death if collision with you, or to avoid you, results in a multi vehicle pile-up, shock, being late for an appointment, impact on insurance, and many other inconveniences. You are as much a threat to drivers, as drivers are to you when crossing a road. Similarly, cyber criminals see you as a threat because they do not know for certain if you are watching them. You may have watched their every move for 4 months when you decide to pull the plug – for them, that’s a loss of 4 months of time down the drain; for you that’s a victory.
(2) There is very little love in the underground – though the cyber underground may be thriving and involve black markets for selling of stolen data and exploitation tools, there is very little trust among cyber criminals. As a result a number of them may be going after the same target. A year of work exercised by one cyber criminal outfit may be thwarted when a less experienced and less stealthy outfit marches in with guns blazing at the last minute, being noticed and causing security measures to be stepped up.
(3) Cyber criminals are generally lazy – they may be very well organized, very well funded and have brilliant minds, but just like typical organizations, they do not reinvent the wheel – this means that a lot of the tools that are bought and sold, swapped or bartered in the cyber underground are based on the same fundamental code and will likely show similarities to known threats. This should make it simpler to detect many new threats.
If you have that ABBA song stuck in your head now, I do not apologize. Keep it in memory whilst you ponder how to use your weaknesses as well as those of your adversaries to even your odds in these times of cyber war.
About the author
Andrew Bycroft, Director of The Security Artist, is a cyber security visionary with 20 years of experience using forward thinking risk based strategies to help organizations in the Asia Pacific region solve those “unsolvable” cyber security challenges. Learn more at www.thesecurityartist.com