On Failing Gracefully...

Wednesday, July 18, 2012

Neira Jones

9f19bdb2d175ba86949c352b0cb85572

Sometimes, despite our best endeavours, things just don't work out the way we planned... 

You know the feeling: You think you have it all under control, you think you've engaged with the right people, you have buy in from those who matter, the right culture is in place, you're not struggling for investment and bang! You get hacked. Overwhelming sense of failure ensues. Where did it all go wrong?...

Chances are that you may not have been able to do anything about it... Assuming you had all the right people, processes and technologies in place to manage your security, a determined and patient attacker will invariably get you, at some point. If you are not so mature in your security posture, then a mildly interested opportunist will get you very quickly, and you probably deserve it...

At the end of the day, whether your security posture is mature or not, the result is the same: it's just a matter of time. So do we just throw the towel and give up, since we're all bound to fail at some point?...

Certainly not. Let's see why...

Data breaches have become a statistical certainty...

After the data breach bumper year that was 2011, one would have hoped that Lessons Were Learned and that 2012 would be The Year Of Making It Better... 

Alas, not so, as evidenced from the excellent datalossdb.org:

(click image to enlarge)

image

July 2012

According to the above figures, we have already experienced 40% more data breaches this year than over the same period in 2011. And of course, these figures only represent what we know about. Add to these all non-reported breaches and we cannot begin to fathom the scale of the problem.

The great stand out from the mediocre not because they fail less but because they rescue more...

In a great article about risk management vs rescue management, Steve Denning makes a great case for good incident response: when things go wrong, the main pitfalls to avoid are choose the wrong plan, have an inadequate plan, or no plan at all. As with most things in information security, great parallels can be drawn from daily life.

It's all a question of mindset: we need to start thinking about managing information security like we would manage a start up. Both share the characteristics of a shark: if it's not moving forward, it dies. (If you'd like to read a very interesting article on startups see here).

I have already discussed in a previous post how CISOs have been faced with the need to evolve from pure technologists to business strategists, but it is not just CISOs that are evolving: criminals are continuously becoming ever more sophisticated in their approaches, whether they are targeting systems or humans.

It is therefore necessary to realise that because a state of perfect security is neither achievable nor desirable, failure is part of life and neither unexpected nor shameful. What is undesirable however is not to recognise the potential failure points and not to be able to manage them when they materialise. This is what good risk management is about.

I don't have to outrun that bear, I only have to outrun you...

I am sure you are all familiar with the joke... If we accept that an organisation can be a target of opportunity or a target of choice (or both...), we must also accept that we need to be fully cognisant of the markets and environments we operate in.

For targets of opportunity, the trick is to Fix The Basics: the security posture should be at least equal to the peer average as criminals will follow the path of least resistance/cost. This is why cooperation and information sharing is important.

For targets of choice, a thorough understanding of the key organisation assets is crucial, and the security posture must be amongst the best in class in the peer group.

To illustrate this, it was interesting to note the following in the Trustwave 2012 Global Security Report:

  • governments and political organisations suffered mostly of Denial of Service attacks,
  • retail, entertainment, technology, media and education suffered most from SQL injections (sigh...)
  • hosting providers and social media businesses suffered mostly from Cross Site Request Forgery
  • finance suffered most from banking trojans.

What can we deduce from above? Attackers know their targets, we therefore have to concentrate on knowing ourselves better so we can better be prepared to respond to attacks.

The art of failing gracefully...

From the Trustwave report mentioned earlier, the statistics show that we still have a long way to go:

  • 84% of organisations were notified of the breaches by external entities. #fail
  • Within those 84%, attackers had 173.5 days in the victim’s environment before detection occurred. #fail
  • The number of self-detected compromises decreased by 4% since 2010. #fail
  • Businesses that self-detected the breaches identified attackers within their systems 43 days on average after the initial compromise. (a quarter of the time of those that didn't self-detect) #turnaround

Everyone remembers the Heartland Payment Systems data breach and those who have been following their evolution will have noticed the following:

(click image to enlarge)

image

Yes, John South was named information security executive of the decade... So we might - just might - be able to turn failure into success very gracefully...

Until next time,

Cross-posted from neirajones

Possibly Related Articles:
9052
Budgets Enterprise Security Policy Security Awareness Security Training
Data Loss breaches Enterprise Security Risk Management Incident Response hackers Mitigation Resilience
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.