I have a friend who owns a hardware store. One morning during the 1980s, he strolled into his back-room office to start his day. He was shocked to discover his safe was missing—along with a lot of cash inside.
The thing is, when he’d arrived a few moments earlier, all the doors had been locked, and their alarms hadn’t been triggered. There was no sign anyone had intruded. So what had happened? Had someone gotten copies of the keys and alarm code?
The thieves had taken a power saw to the thin roof directly above the safe, hoisted the safe out through the hole, and disappeared into the night. My friend realized immediately that an employee, current or past, must have been involved. No one else could have possibly known about the safe’s location, or its existence at all.
This simple tale provides a good lesson by which today’s manufacturers, with all their IT and automated systems, can better secure their valuables. Here, we’ll examine the safe robbery and translate it into a security strategy.
In the successful safe theft story, what did the thieves actually do?
• Learned of a building with a safe inside
• Located that building and the precise placement of the safe
• Avoided the locks and alarms
• Exploited a vulnerability—the roof
• Slipped in, grabbed the safe, and slipped out, all undetected
You’re already seeing the parallels with a modern enterprise: a cyber-attacker, whether nation state or disgruntled employee, learns of a valuable target, skirts your firewall, exploits your vulnerability, and steals your data (or ruins your equipment), all without getting caught.
Here’s what this story teaches us.
Don’t talk about your valuables
The first security failure in this story was the breach of information in which the existence of the safe and its location were disclosed. Although the vulnerability in the roof and the absence of alarm systems in the back office were oversights, the greater one was the owner revealing information about the safe to any of his employees. Security is often as much about controlling information related to assets as it is securing the assets. Information about assets should not be decoupled from the assets themselves in the context of security planning.
In our example, what assets did my friend possess that were worth protecting? Was it the store, the merchandise, the safe, or the cash in the safe? All of the above. His security “strategy,” such as it was, implies he didn’t think beyond the store level. He did little more than protect the perimeter, and even left some of the perimeter vulnerable.
Formulation of a security practice starts with knowing what to protect. Knowing what to protect starts with a comprehensive self-examination of your organization. Some assets, as we’ve just learned, are not as obvious targets as others. In other words, security is not just about protecting your servers, encrypting passwords, or installing the best firewalls; rather, it starts with a true understanding of your assets, their value to you, and their potential value to thieves.
Know thy enemy
The days when random hackers with generalized ill-intent represented a majority of threats are long behind us. Most modern threats represent highly organized, persistent, and well-funded groups that operate as for-profit businesses.
The key question to ask as an organization is, “Who would be motivated enough to try to penetrate my systems?” The answer to this question is different for each company that asks it. This is where threat modeling comes in.
Typical threat models consider employee groups, competitors, organized hackers, state actors, and other classes of potential enemies. However, rather than try and list every possible threat and attempt to explain how each presents its own challenge, consider the list for yourself and then match up each threat group against your current security posture.
For example, is your current organization prepared to withstand a long-term targeted attack by a nation-state? Do your employees know about critical systems and business processes? Do you have intellectual property that might be of interest to your biggest competitor?
Every organization should periodically review its security posture with an outside set of eyes. One way is hiring penetration testers or establishing internal red teams to challenge your security and organizational readiness. Another is establishing bounties for friendly hackers who can discover new vulnerabilities.
The key takeaway is that you should periodically enlist someone capable and motivated (other than a true enemy) in an internal game of Spy vs. Spy. This helps establish a security mindset within your organization, and accustoms staff to the regular self-evaluation necessary to conduct an effective security program.
And you may find some security holes you never thought to look for.
Score the opponent
The next step is assigning a relative motivational score to each threatening actor to determine how much trouble he, she, or it would be willing to endure to access one of your assets. Your attacker’s motivational level will be the strongest variable in your approach to securing any asset and will often determine your level of investment.
That’s why it makes little sense to evaluate IT security technology solutions until you get down to specific attackers. As cryptographer Bruce Schneier famously said, “If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.”
Treat security as a practice, not a fence
As our introductory story shows, an effective security posture requires something more than a strong perimeter. Unaddressed vulnerabilities will fester, and evildoers will keep working to find a viable way in. What’s needed is a consistently applied practice of understanding your assets and threats over time.
One way to practice security is to build an internal team around this function. Another is to regularly challenge your plan’s effectiveness by hiring third parties to assail it (see sidebar). Regardless, security must be an ongoing practice that is applied consistently over time. A vigilant rancher never stops scanning the horizon beyond her fence.
Get some perspective
It’s human nature to become blind to our vulnerabilities. It’s no different for IT security leaders. If you’re in the security game, or captaining a company, consider getting some outside perspective.
It’s hard work to view your network and assets through the eyes of a relentless attacker. And optimists tend to think hacks happen to other people. Plus, security can be tedious. In fact, most breaches I’ve seen were an exploit of a well-known vulnerability that just went unaddressed.
Case in point: One of our customers had a complete shutdown of two manufacturing plants for well over a week due to a vulnerability in their network that was more than three years old. Eventually, someone found that vulnerability and exploited it with ransomware. Because the backup systems for the plant were on the exploited network, there were effectively no backup systems.
In the end, your approach to securing your IT infrastructure should be informed by a strong, continuous examination of your assets and potential threats. Obvious technology-centric security solutions (like my friend’s door locks and alarms), while critical, address only the obvious vulnerabilities. Any self-respecting attacker would likely avoid them.
A complete security strategy should incorporate a 30,000-ft approach of controlling information, identifying key assets, knowing who wants your valuables, assigning motivation levels, and developing solutions accordingly.
Because some people are more than happy to come in through the roof.