Deploying three levels of security to combat cyber attacks
You've surveyed your company's digital battlezone and like what you see. The expensive, but fearsome firewalls and other tools are in place, everybody says they understand compliance, patches and vulnerabilities are closely monitored and anti-virus blocking keeps the malware at bay. The moat is full, the drawbridge is up.
But is your enterprise really secure? Don't kid yourself. It's not. Totally impregnable security does not exist. If you're putting all your hopes into these types of preventive controls, you are, in fact, leaving your enterprise at severe risk for problems when a hacker does breach the electronic moat. And that will happen.
That's the bad news. So what do you do, curl up into a ball of depression and surrender all hope of security? Of course not. The good news is that an incursion by no means results in an immediate loss of value. Getting into a system does not mean getting money or intellectual capital (e.g., processes, customer lists, production methods) out. Smart organizations are deploying security in depth as a way to slow down, identify, counteract and remove threats; grab the attackers and throw them into the moat, to continue the medieval analogy.
The emerging approach, which applies to companies of every size and across industries, involves three levels of controls. The key thought: Security can only work when you embed it in layers of enterprise policies and processes:
- Preventive. These are the opening table stakes, meant to keep the bad guys from getting in. Most companies greatly overweight these measures, which often reflect the security thinking of a decade ago, with hard passwords and firewalls. Telling them otherwise upsets them because they have an economic and emotional investment in this approach, which attackers now focus on overcoming (and they do). The result: companies become a "hacker snack," hard on the outside, but soft and gooey on the inside.
- Detective. This level of control looks to sound the alarm when a breach occurs and identify the forces behind it. On average, hackers roam around corporate systems for 200-300 days before anybody notices they're there. The sooner you can learn of the intrusion, the sooner you can decide on a course of action, and the more likely you'll push out the intruders before they can do serious damage.
- Corrective. In the last stage, your technology, risk and compliance teams swing into action to assess the damage and understand what happened, quarantine and remove threats, determine lessons learned, recalibrate all levels of security, deal with client concerns and work with public agencies on disclosure issues.
As a template, security in depth covers all aspects of security process, applicable for the largest enterprises to the smallest. The emphasis may change depending on the industry, such as disclosures in highly regulated sectors. No company is immune from cybersecurity risks. None. If you think you're a middle-market company that's of small interest to a hacker, or outside the juiciest target sectors of financial services, retailing or advanced technology, you're deluding yourself and hanging out an "open for risky business" shingle.
Traditionally, attackers went after big targets because the payday justified their investment, while small targets consumed similar resources for limited return. That model has flipped. Now, big targets are often "hard" targets, while new hacker methods reduce the resource costs required to penetrate and exploit small, "soft" targets. And what makes those targets so soft and inviting to begin with? Let us count the ways:
- Unfocused, low-priority approach toward cybersecurity, assuming that the company's size or industry sector make it unappetizing
- Use of off-the-shelf software with many basic, default settings that hackers know how to sidestep
- Lack of investment in advanced security technologies, and failing to make full use of the functionality of existing security tools
- Understaffed, underskilled security departments
- The conviction that passing a Sarbanes-Oxley Act of 2002 or other type of audit of generic controls equals real security; in fact, passing these audits creates nothing but a false sense of security
- Lack of awareness of highly valuable information, just not in the quantities of a large target
Companies also overlook the evolving nature of threats. The classic "social engineering," which involves manipulating people into providing useful information, focuses on humans rather than systems. That's still around and harder to stop. Old-school defense, like firewalls, anti-virus and intrusion detection systems, are almost worthless. Malware viruses have shifted to browsers, plug-ins and third parties. External threats now flood in courtesy of the mobile society, through Wi-Fi networks, charging stations and those services at airports and coffee shops. Direct attacks, traffic sniffing and traffic redirects are rampant threats for users on the go.
Still, the situation is not hopeless by any means. Don't be guilty of "presumed surrender." Those defending the corporate castle have tools and advantages beyond the power of security in depth. First, you don't even have to be biggest corporation to be the best on the security front. Think in terms of exposed size. Global corporations, operating across borders and divisions, are so bulky that they can easily leave chinks in their armor. Somewhere, a hacker can slip in. Middle-market companies have the advantage of what might be called reverse scale. Smaller in scope and footprint, they make up for lack of security resources by being tougher targets, with fewer points of entry and a more controllable environment. That is, with the proper mindset, a middle-market company can enforce controls across its threat horizon. Preparation and attitude, not raw spending, bolsters their defenses.
Second, look at the process from the hacker's point of view. Getting into the castle does not immediately give you the keys to the treasure room. Hackers need weeks or months to zero in on the sources of value. The exhibit below shows the steps of an attack.
The stages progress and burrow deeper into the unknowing host, but the hackers don't actually extract any value until the penultimate stage, "persistence and exfiltration." That's when they siphon the bank accounts, the credit card numbers, the production techniques, the IP address; the nightmare becomes a reality, and you won't even know it. However, defense in depth aims to slow down, uncover and thwart hackers before they grab the gold. Act decisively and stop them at any other stage, and they're the ones who lose their time and even their anonymity and, in cases of prosecution, their freedom.
For this approach to work, mindset counts for everything. Overreliance on preventive measures gives away too much once attackers are in. Even the use of defense in depth falters when teams from information technology, forensics, finance, legal and compliance fail to coordinate their efforts. Siloed functions and turf wars work to the hackers' advantage by delaying or thwarting effective responses. The exhibit that follows shows the standard security methodologies for dealing with hackers. More details about all of them can be found online.
The response goes beyond the strictly technical measures. Emerging regulatory issues to consider:
Notification. States now have notification requirements for how companies must inform customers when their information may be compromised. Nothing is standardized: timing requirements, notice contents, notification methods (e.g., email, letter, Web page, newspaper) and authorities to be notified all vary. Some states require notification to customers within 48 hours. This creates headaches and risk for companies. Indeed, many will suffer greater losses by botching the notification process (due to slow, incorrect or incomplete responses) than any business or operations loss, due to fines for noncompliance. Tracking state requirements and mapping them to those affected by breaches is a leading practice.
Insurance. Companies are discovering that their standard policies do not cover damages from breaches; instead, they now need side policies. That's one unhappy surprise. Another surprise: boards and top management members are now being personally sued for damages from hacking, on the theory that their decisions lowered security levels, such as by not investing in systems or technical staff. Whether that's true or not is a matter for courts to sort out. The blowback extends to private equity groups that place their executives on the boards of portfolio companies; if the portfolio company gets breached, the private equity board members can be on the hook as individuals. Whatever the circumstances, board members and executives should look into the fine print of insurance coverage and determine their individual exposure.
Conclusion: eyes wide open, stay on your toes
As noted above, mindset counts for more than raw investment. Build security into employee training and risk management, so everybody knows about tactics as simple as not opening unknown files, not sharing sensitive information with sweet-talking social engineers and not leaving laptops out in the open in unlocked cars. These are basic, but effective methods to thwart security breaches. On a more technical level, test your defenses with penetration exercises, to see how easily an attacker can get in, what can slow them down and how quickly you can identify and counteract a threat. Keep aware of the evolving nature of threats, as hackers evolve their tools and methods.
And remember: You'll never reach threat level zero. Be ready to fail . . . and ready to respond.