Are we surrendering the cyberwar?

May 04, 2015
4 min read
Network Security, Security

I ran across a link sent via a Twitter user the other day, quoting NIST fellow Ron Ross as saying, “The interconnectivity of the Internet of Things (IoT) leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation.” I confess that this comment set me off a bit, as it sounds like we are prematurely raising the white flag of surrender in the cyber war.

Even as far back as 2007, experts were warning that the security perimeter was dead, and focusing on data protection was the only approach that would work. An article in Dark Reading basically restated this, saying that “Perimeter security is no longer relevant to enterprises.” 

Notwithstanding many in my profession, I am unwilling to give up quite so easily. History was my worst subject all through school, and yet I still remember the words of Sir Winston Churchill who said, “A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” I believe there are still many optimists in the industry that are not ready to cede the perimeter. 

One of the aspects of information security this white flag approach overlooks is that while enterprise breaches usually dominate the headlines, smaller businesses statistically are the ones experiencing the bulk of the problems. Fortunately, their exposures are somewhat easier to address, and often involve “old fashioned” perimeter security. Their issue is that they often ignore the fundamentals. 

CSID in their report Survey: Small Business Security reported that 31% of small and medium businesses suffered a security breach in 2013, a dramatic increase over prior years, despite their feeling that they are not widely known, and therefore not a big target. 

In a recent Security Week article, Rafal Los broke down attacks into three categories: 

Generic – Opportunistic, non-targeted threats. These are the drive-bys of the information security world. Hackers are looking to break into something, and happen upon your network. 

Targeted – These attacks are aimed directly at you for one reason or another. Hackers want something they think you have, and they are after you to get it.

Invasive – These attacks are the “in-laws” of the hacking world. They come to stay awhile. They want not only what you have today, but what they think you will have next month. The work they do to hide their footprints indicates their presence.

When the big name attacks such as Target and Sony occurred, the world immediately focused on addressing targeted and invasive attack types, focusing less on generic attacks. I would suggest that while generic attacks are more likely to target small and medium businesses, they are still a significant risk to the enterprise. One of the reasons for this is that an enterprise is more likely to have a static IP address assigned, which makes them easier for the hacking world to pursue, given that they can persist over a period of time.

That brings us back to the fundamentals such as perimeter security and employee awareness, and the fact that most small and medium businesses, and many enterprises, are still ignoring them, putting them at the greatest risk for all types of attacks, particularly generic ones.

Now, I agree that enterprises must address targeted and invasive threats using means beyond the perimeter, such as threat intelligence and detective forensics. That being said, even they derive some benefit from a strong perimeter, and from not assuming that all hackers can get in regardless of what they do.

Bottom line: I don’t care whether you have a small medical practice or a Fortune 100 company — good security starts with a strong perimeter and security fundamentals. The tools available to accomplish this are evolving and improving daily. Sir Winston would be optimistic.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.