Besides big data, machine learning and blockchain, one of the most popular technological subjects nowadays is security, I bet you a dollar that if you open twitter right now you will find a post about a “data breach” that just happened toa big a company that was compliant with all the ISO’s and standards know to man.
If so, why they were hacked in the first place? Simply because hackers do not give a damn about a paper that says that you are PCI certified, they only care about the countermeasures you have in place and most companies do not go the extra mile to protect their information assets and have what we call a “checkbox mentality”.
Why this happens? because being compliant doesn’t always mean being secure, real security goes beyond simple compliance, it integrates with validation and security processes, with a focus on pragmatic risk analysis and threat mitigation. In this sense, standards and certifications are a good starting point, but should not be treated as countermeasures or controls by themselves.
Self-deception: I’m PCI certified and have a firewall! How could I have been hacked?
It’s all Dave’s fault, really, no matter how much security infrastructure you have in place, if your security strategy doesn’t take into account people like him. Who is Dave? an attacker? a cyber activist? part of anonymous? Snowden in disguise? Not at all, Dave is your everyday user, the one that is using applications in the cloud that you do not know about, the one you didn’t take into account in your security strategy, he is the interface between keyboard and the chair, he is human error.
Standards and certifications take into account best practices, from these best practices we create controls that should be evaluated continuously, but often they aren’t. Generally this best practices are focused on protecting the perimeter of the company, what’s considered “inside” the company and “outside”.
Nevertheless, what happens nowadays is that thanks to the cloud revolution and emerging services, the perimeter doesn’t exist anymore like it used to, the lined between the inside and outside the perimeter is blurred. So, most security and/or data breaches are not where someone has breached perimeter security – people are intruding via perfectly legitimate usernames and passwords, no matter how many fancy firewalls or how much perimeter security you have, if your security strategy doesn’t take into account the most probable vectors of attack and threats, including Dave’s password sharing practices (bad, very bad Dave!), you will most likely get hacked.
Strategy: Layered security
Your security strategy should take into account all the aspects of your business, from Dave’s post-its with his password (Dave12345678) to the encryption of your confidential data in your databases in a practical and down to earth way, taking into account real risks and threats, How to do it? Combine your best practices, standards and audits with a Security Architecture.
Layered security, or defense in depth take into account several levels, that are no longer defined by the security perimeter, it doesn’t matter where your service is located,what matters is the risk level it has and the controls needed to protect your information asset.
In this case in the governance layer, that is traversal to all the other levels, we take into account compliance with a risk management approach, education, awareness and the information security policy, here is where all our standards help us to define the playing field. In this case we will train Dave to avoid using post-its to keep his passwords and try to have good password practices such as using an alphanumeric password ( this subject to debate of course Strong Password).
In the central security services, we will provide basic services such as a central authentication schema that is common to all the enterprise applications and is monitored, so if Dave’s types wrong his password 3 or more times he will get blocked in all the applications, but why? wouldn’t this prevent him from working?
First of all he doesn’t work, second of all this might be a intruder that is trying to access other systems with Dave’s password. It is better to have a strong central schema of authentication that is monitored than many others that might not have enough protection.
In the IT infrastructure patterns we see the classical defense measures such as perimeter protection and so on, but we also include application level controls such as database encryption, taking into account the specificities for each technology (are you using helmet to protect your node.js header security?), here standards such as OWASP are wonderful because they define best coding practices with concrete information. So Dave we will not be able to connect to critical enterprise mission applications from outside the network and if he manages to do, he will not be able to dump the client’s database. With this we will make our application Dave proof, I mean fool proof from the beginning.
IT Service Security patterns will provide us with monitoring, service level agreement, secure development life cycle, change management and so on. Everything from providing guidelines that will help developers build more secure software and address security compliance requirements to monitor all dave’s activities, we know that he has been trying to access the payroll database and we will inform his manager in due time.
This is just a example of how to combine best practices with a logical structure that models our security strategy and makes it easier to implement, monitor and evaluate.
Risk analysis and the art of war
There was no greater war leader and strategist than Chinese military general Sun Tzu, with a layered security strategy we have the guidelines and controls to protect from threats and to minimize our vulnerabilities, but there’s one step to do before even dreaming implementing all this best practices, like Sun Tzu said “Know yourself and you will win all battles”.
Thus, before going to war we need to know very well all the threats and vulnerabilities that can harm our business, we need to evaluate all possible risks, and we need to know what Dave’s going to do even before he does it, you need to implement a good risk management methodology and best practices that will allow you to establish an objective measurement to understand the risks to critical information assets both qualitatively and quantitatively, in an agile and practical way.
Which in simple english it means, list all your information assets (systems, data, infraestructure, etc), analyse the possible threats such as disgrutend employees, backup and restore fails (it’s always a fun day when the backup doesn’t restore), using a simple formula:
The risk is related to the threat level, how probable it is and the business impact, if we have a high risk but the probability is low and there is now business impact, we can take that risk, it doesn’t mean it will never happen, but we can re evaluate it and when we think that the risk is important, then we can decide to mitigate it by establishing a control so our client’s database will not be showing up inside 4chan in .csv format on sale for a buck for example.
On a second thought, don’t over do it.
Indeed Dave has given us a lot of headaches (and will continue to give), but even if he is just an hypothetical example of the typical user you might encounter, believe me, Dave does exists and he might be sitting next to you or even he might be reading this article at this precise moment (go away Dave), so in order to save your business from him and all the external actors that are trying to hurt your business 24/7 you need to go further, do not rely only on standards and a goddamn checklist, get real, be practical and be one step ahead of Dave, he is just one step away from clicking a link or a mail attachment and getting this wonderful screen:
If you like this article click this link: bunnies