I remember being young and watching Carl Lewis prepare to run 100 meters. He was very focused and very fast, and for a time, seemingly unbeatable.
This didn’t discourage others from trying to beat him. In fact it probably motivated a lot of people to try and do so. When someone’s record is all powerful and beyond most, I consider it worthy of my respect when someone tries to beat it, even if they may fail ultimately.
This is, of course, an analogy for aiming high in the defense of your work-place.
The one to beat
This isn’t an attack on the NSA. It’s also not an attack on Russia or China or on any other competent threat-actor in the C**** domain (see, I didn’t say C****).
These days, given frequent news about major hacks and faulted security systems, it seems that everything is broke. As an example, Quinn Norton’s article https://medium.com/message/81e5f33a24e1 published today, May 21st provides ample demonstration of this point.
So what are all of us working in the IT / Infosec industry supposed to do? We can’t all be rockstars, we can’t all be fantastic breakers or builders. We have three options: roll over and play dead, defend against attacks that are common and easily blockedb or aim high and try to beat everyone out there. Option 1 is obviously not a good idea, although not-defending and surviving only through security by obscurity is cheap and CAN theoretically, fingers crossed, keep you alive – maybe even profitable – indefinitely. Option 2 is the easy choice. Let’s build something as good as we can with the budget we have, sit back and watch the IPS events, maybe send an abuse report or 2 when someone tries to hack our server with an automated tool or port scans our perimeter. Put some wallets of bitcoins on chosen machines and implement some other creative defenses&tools to catch hackers who are in the game for financial gain, and kick them out whenever they show their faces. It’s doable, not foolproof even by a long shot, but doable. It’s also not very motivating in the long run. The learning curve stops way below the level where you start learning cutting-edge stuff, and you probably become complacent before too long.
Here are two things you shouldn’t do: Don’t stop at just a NGFW as Fortinet seems to advise SMB’s here: http://blog.fortinet.com/Addressing-Advanced-Threats-in-the-SMB/ Also, don’t think you have a defense-in-depth if you got this: http://arstechnica.com/security/2014/05/study-97-of-companies-using-network-defenses-get-hacked-anyway/ .
I’d recommend that you choose Option 3, no matter who you are, where you are and what your company does. Aim high. Why, you ask? Or, how can a SMB afford it? How can anyone afford it? First of all, it doesn’t have to be ruinously expensive. It’s more about the people and the skills anyway. You want a motivated team that’s challenging each other to learn, to improve together. A lot of stuff can provide good value for money, or you can use open source to your advantage in many situations. Even if you don’t consider nation states a threat to your business, aiming to block them will probably block most other adversaries as well. So, work it out with your team(s) and improve, all the time.
To speed up the process, network & share with your peers; use services like ThreatConnect to get/share indicators and match them to your environment; and use Threat Intelligence to grow your community knowledge. This will help create a security culture where messing up is ok, as long as it speeds you down the learning path. Even mistakes do that. Anything you learn now can probably be re-used 100 times the next 10 years, because the trends we’re seeing are probably not about to change. Give up giving up, because giving up is not an option.
So when the US indicts a number of Chinese hackers, in spite of proof coming out only days before that the China is doing the same, take it as not just deflection, but escalation as well. Re-do your risk assessments, re-map your adversaries and keep trying to improve. Use all the knowledge that has become publically available to make the phrase best practices mean something. You probably don’t want the CEO to use single-factor authentication. You probably want to think about what hardware and software you buy and where you use it.
Do like Carl Lewis, give it your best shot. Run like the wind.
Claus Cramon Houmann | IT Security Consultant |