“Xtreme” Security: Totally Missing Basic Security

In its ongoing attempts to capture our attention these days, the media labels everything as “Xtreme” – sports, politics, automobiles and surprise: computer hacking too! But with our current preoccupation on all things hacker-related, we seem to have forgotten about the basic necessities of life when it comes to IT security work.

When my clients invite me in for a conversation these days, it often reminds me of what I refer to as the Airline Inflight Magazine Syndrome: an executive has read about some fancy new solution to a current pain point for the company, and has returned to the office wanting to show technical leadership by having the IT department implement this new holy grail of advanced business acumen (e.g., “let’s save money and move everything to the cloud”). For security consultants, that conversation often requires finding “Xtreme” solutions to the hacker threat – what magic silver bullets do you have that will kill the evil hacker vampires who are threatening us? Can what happened to Acme GmbH happen to us? What about next generation firewalls and network intrusion detection using artificial intelligence? *sigh*

Certainly the consequences of being hacked can be severe, but so can the consequences of having an out-of-date disaster recovery plan, passwords that don’t “age,” or an inadequate environmental control system that will fail when the next power loss, flood, hurricane or heat wave stresses your computer room’s protective systems.

This constant bombardment with news of high profile hacks, multimillion-dollar losses and executive dismissals has skewed the C-level executive’s perception of where the threats are coming from and how they should best be mitigated. Unfortunately, the same old standard security solutions that we have been selling for the past 30 years are no longer sufficient to meet the needs of organizations today. But that doesn’t mean that all of the funds for security should be going to counter the hacker threat. The money should be distributed according to expected loss and impact, not the threat’s relative profile in the media.

What that should translate into is a disaster recovery plan that includes incident management procedures for hacking and DDoS attacks, and network controls that include honeypot servers that will signal contact with both external hackers and internal employees who should not be snooping around our security resources. There are many different controls already mandated that can serve more than just one purpose and be used as robust threat detection and alert mechanisms to help protect the most valuable assets from hackers, disgruntled employees, and random environmental failures. New hacker threats do not necessarily require new, costly safeguards that eat up the entire security budget, leaving basic security needs looking like the cobbler’s children who have no shoes.

The interesting thing is that if we make our core safeguards robust enough to handle the expected problems, they often help to mitigate losses when it comes to unexpected threats as well! Perhaps by taking the point of view that we are going to be hacked at some point, so we might as well prepare for it now, we can build a more robust system to detect and mitigate such a threat, just like we do with all the other threats we have handled in the past. We still have to protect our most valuable assets (people, data, resources); we just need to do it by including this new threat in our existing security infrastructure. Then we make everything stronger, not just our hacker defence.