Think your security strategy is up to par? Think again!

2014 was the year of the breach. It included admissions from Target, Home Depot, and even Dairy Queen. The trend has continued into 2015 with a new twist. There have been an alarming number of security failures throughout our local, state, and federal government agencies.

Each of these breaches sends ripples throughout the organization, ruins brand reputation, exposes sensitive information, and (in 2015) resulted in financial losses totaling $400 million. The public sector alone experienced 50,315 incidents, and over 300 confirmed cases of data loss according to the 2015 Verizon Data Breach Investigations Report (DBIR). With more than 70,000 confirmed incidents and over 2,000 confirmed incidents involving data loss our security strategies are not up to par.

The problem lies in how we view the problem and subsequently build our security strategies. Historically, our strategies were technology centric, focused on certification and accreditation of systems, and more recently continuous diagnostics monitoring (CDM). Technology only provides us with a medium to maintain situational awareness within our networks. In most instances, technology is unable to provide us with vital contextual information. Certification and accreditation focuses on meeting certain standards and checking the appropriate boxes.

Each of these approaches is passive. They’re not actively looking for attackers on the inside because (by default) they assume an attacker isn’t already on the inside. Since 2004, the gap between time to compromise (in days or less) and the ability of defenders to discover a breach in the same period remains vast. Specifically, 75 percent of attackers will compromise a target in days or less; while only 25 percent of breaches are discovered in the same amount of time. Cyber miscreants are like roaches; one always turns up despite all of your proactive efforts. As security professionals, we should always operate from the assumption that someone is on the inside.

Trust relationships are the new Trojan horse

Consider for a moment all of the organizations breached in 2014 and 2015. Now, make a list of those organizations that did not have any technical resources at their disposal. I don’t know about you, but I can only think of one organization that might fall into that category. Technology (or the availability of technology) is not our problem. Trust relationships present a significant threat to organizational security.

I bet you’re thinking I just went off the deep end and must be crazy. You might even be thinking “is he writing a romance piece” but stay with me for a second and I will clearly present my case. In 70 percent of cases (where the motive was known) there was also a secondary victim. Additionally, 75 percent of the attacks spread to the secondary victim within a day and 40 percent within one hour. Attackers are using our relationships with partners, customers, friends, and family to compromise our systems.

Defenders (as opposed to attackers) have an enormous responsibility, and the odds are more often than not stacked in the attackers favor. Attackers only need that one break to get inside, but defenders have to “get it right” 24 hours a day 365 days a year. If we have any hope of turning these odds in our favor, we have to change our mindset. Instead of thinking in terms of proactive lists we need to think like attackers and understand relationships.

Within an enterprise architecture, both system relationships and human relationships are based on varying degrees of trust. The Target breach provides us with an excellent example to help illustrate this point. Target partnered with an HVAC vendor whom they trusted with credentials to their network. The vendor was compromised, and its login information was stolen. From there the attacker was able to move throughout Target’s network and eventually access their Point of Sale terminals.

The checklist mentality results in a fire and forgets mindset. It assumes we are not compromised until something or someone tells us otherwise. Thinking in terms of graphs (or relationships) revolutionizes how we view and subsequently defend ourselves. Furthermore, it helps reinforce the core concepts of due diligence and due care. Now we start to realize that we are only as strong as the weakest link in our circle of trust.

What protected us yesterday won’t protect us today

I deployed four times to Iraq and each time the threat had evolved. Not only did the threat change between my deployments it changed almost daily. In 2003, as a young private three months into our deployment, the enemy was evolving. We had to change our tactics, techniques, and procedures if we wanted to protect ourselves and accomplish the mission. The tactics and techniques that had resulted in success in prior years and prior wars were no longer working.

Like the war on terror, cyber warfare is asymmetrical. Anything or anyone is potentially an enemy even though on the outside it, he, or even she may appear harmless. Threat actors are dynamic in terms of their tactics, techniques, and procedures. Likewise, the steps we take to mitigate threats and defend our resources must also change.