Building A Kevlar Company

May 17, 2007, 21:05

James Hickey


Accepting the reality that mistakes will be made, intrusions will occur and that inoculation and list updates will lag behind any new attack, will guide corporations in the establishment of realistic countermeasures which will allow them to survive systemic attacks, averting the risk of corporate-wide compromise.


Safe & Secure - For The Moment:

After months of reverse engineering, endless nights and bad Chinese food, the as-of-yet unknown hacker group, the Internet Free Radicals, has found its new attack point. Using steganography, they have devised a method of injecting malicious code into any image file which will regenerate and re-inject itself into any network. Using this algorithm, a time-delayed virus is attached to several "humorous" videos that have been posted for download on the immensely popular social website MyCloud.com. By 5am that same morning more than 1,000,000 systems are infected and the virus is just getting started. The virus, not due to show itself for several days, quietly spreads undetected.

Later that same morning...

International Global Finance Corporation (IGFC) completes updating virus inoculation files on all of its servers and has completely scanned over 20 terabytes of financial data on its ATM servers. The scan has taken four I/O-intensive hours, but finally all systems are clean and secure. One minute later a third-shift operator at IGFC views a video posted at MyCloud.com.

The Computer Age:

Twenty years after the release of the personal computer, the world is a different place. No one needs to point out the prevalence of computers in daily life or the inherent risk that comes with using them. The problem is simply this: these very computing systems that we rely upon were not designed with security in mind. With the growth of computing use across every segment of business operations, only now are corporate information security teams scrambling to find effective systemic security solutions.

Unfortunately, there are five words that are never spoken, but whose truth is known by everyone involved in information assurance circles:

There is no 100% solution.

Every Chief Security Officer knows this to be true and every CEO should hear and completely understand this reality. Ninety-five percent (95%) is the new one hundred percent in the world of information security. This includes all security efforts: trusted computing, data integrity, identity theft, and anti-malware software. To view corporate security in any other way is to deny reality – the proverbial e-ostrich stance.

Three irrefutable facts dictate this reality:

• Hackers are consumers and purchase every version of software used in business today.

• There is no way to remove human chaos from the information security equation.

• Software development companies cannot eliminate the flaws in their code nor create quality assurance environments that emulate all of the complexities of the global business environment.

So what can be done? Go on the offensive? Not likely. Today’s attackers are well trained, agile and virtually invisible, making capture almost impossible.

These facts, coupled with the obvious one that corporations are in the business of conducting business, not tracking down would-be malcontents, serve to heighten the problem. Should UPS concentrate on getting packages to their destination on time or turn all of its resources towards tracking down hackers? Don’t bother to ask UPS; they know their mission statement. It includes boxes, not bits.

That leaves a defensive posture.

Ask any General how he or she feels about defensive stances in the theatre of war (and yes, information security is a war). The answer will not be positive or reassuring. Somehow, some way, the attacker will find a means of "getting inside the walls". Unfortunately for the global business community, this is currently the only stance possible.

Or is it?

Much has been written about the motivation behind hackers, but to be honest, does it really matter? Universally they are persona non grata, no matter what intent they have or attack vector they use. What all companies want is for the problem to go away.

Certainly as long as computers are in use, hackers will exist - another undeniable truth. Companies want to keep them out of their revenues or, more specifically, keep them from impacting their revenues. Security breaches are production impacting events (PIEs) that can crush revenue generation in numerous ways:

• Literal loss of revenue based on production downtime.

• Loss of customer confidence due to bad press.

• Erosion of competitive advantage due to compliance failures.

The real solution lies in the 95%. Security executives live in fear of the infamous "Sunday afternoon phone call", where the weekend IT staff informs the CSO that over half of the corporation’s resources are down due to some previously unknown hack.

A far better scenario that every CSO can live with is arriving to work on Monday morning only to find a few systems that "need attention". This is 95%.

The best position companies can hope to achieve in future security events is one that minimizes the impact of an attack by making it impossible for the mistakes of a few to cripple the revenue generating capacity of the many.

Companies need to embrace the new tack of information survivability by minimizing PIEs, production impacting events.

The global business community has to change expectations to match the changes brought about by the proliferation and accessibility of computing resources.

Public and private sector organizations can create an environment in which pressure is put back on those who would seek to do damage by implementing true business continuity efforts. Nothing is more daunting to an attacker than to see their "prey" bounce right back after a blow.

Attackers will soon turn to other ventures once they realize their efforts leave their targets unfazed and nonplussed. From the view of the attackers, this is the ultimate deterrent. From the view of the corporation this drives customer satisfaction and creates a strengthened work environment.

The next security event is not an If but a When. What CEOs and CSOs need to implement are aggressive policy, practice and procedural measures coupled with solutions that turn a 5000 system event into a five (5) system non-event.

The real question that needs to be asked is how a company can become event agnostic, not how it can be 100% secure.

We must acknowledge that the enemy will find a weakness to exploit, but also realize that we can make certain that any intrusion is contained, controlled, and ultimately crushed. At every level of a company there must be a new understanding that there will be potholes but not sinkholes. There is much to be said for the company that weathers a storm.

The good news is that there are many new techniques being made available that will help a corporation reach the reality of 95%.

Great strides are being made in malware spread mitigation, trusted computing, data portability, and network attached security solutions, as well as the consolidation of effective solution sets. These efforts, coupled with proper metrics and procedures, will allow businesses to obtain an enterprise-wide view of their security efforts, thereby allowing them to easily deploy new security techniques and measure their effectiveness.

In the end, corporations seeking to create the Kevlar Company need to focus on eliminating production impacting events through survivability. Resilience is the ultimate preemptive stance when it comes to information assurance. Only from this 95% posture can the goal of 100% assurance ever be achieved.