Tag Archives: Physical security

What do hackers want?

What do hackers really want?

No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives and the cost of potential attacks on their organization.

We all depend on transaction processing to run our business and make decisions, no matter how big or small we are. We all use business applications (most of them Web-based these days) to buy, sell, pay vendors and collect from customers.

The prevailing security model is defense in depth around transaction systems. The most common strategies mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking entry of malicious code into the network.

Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.

This is for three reasons:

  1. You must understand the attacker. If you understand what a terrorist wants (a suicide bomber in a shopping mall sometime next week), you can save lives with a preemptive attack. In the physical world we defend the citizens of our country with both defensive and offensive means. Such action is often a political decision open to public scrutiny and criticism, but nonetheless we do attack our enemies with military action: commando raids, precision bombing or carpet bombing.
  2. You must understand yourself. Defensive “fire-and-forget” security countermeasures such as an IPS are not a replacement for understanding where the threats lie and how much your assets are worth. A Check Point SmartDefense firewall can help protect against malformed IMAP commands, but it cannot detect extrusion of proprietary company assets in a Gmail attachment. An application firewall can help mitigate well-known XSS vulnerabilities, but it won’t fix bugs in customized application source code or mend system configuration problems.
  3. You must consider the alternative cost. There is no reason to make rational, cost-benefit decisions in the real world but abstain from them in cyberspace. The cost of mounting a cyber attack on a company (bribing or social-engineering an employee to mail a file with all employee details) is far less than what the company spends on its information security systems. With the inherently asymmetrical costs of cyber defense versus cyber attack, it’s high time to change the rules. Richard Bejtlich has a fascinating discussion on his blog – Mutually Assured DDoS. It’s a catchy title with a lot of interesting insights, but personally I am not sure that projection of power, deterrence and mutually assured destruction is an acceptable corporate or government business objective.
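The second point above, that a signature-based countermeasure stops the exploits it knows about but is blind to bugs in custom application code, is easy to show in a few lines. The following is an added example, not code from the original post or from any vendor product: a toy signature filter in the spirit of a WAF rule set, a hypothetical payroll handler with a missing authorization check, and the same handler fixed. The URL, the rule list and the payroll records are all constructed for the illustration.

```python
"""
Added example (not from the original post): a signature-style filter of the
kind a WAF or IPS ships with catches a textbook XSS payload but is blind to
an authorization bug (insecure direct object reference) in custom app code.
Names, rules and data below are constructed for illustration only.
"""
import re
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Reactive, signature-based rules. Constructed for this example; a real
# rule set is far larger, but the blind spot shown here is the same.
XSS_SIGNATURES = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"\bon(load|error|click)\s*=", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def waf_allows(url: str) -> bool:
    """Return True if no known-bad pattern appears in any query parameter."""
    query = urlsplit(url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            if any(sig.search(v) for sig in XSS_SIGNATURES):
                return False
    return True


# Constructed "database" of payroll records, keyed by employee id.
PAYROLL = {
    "1001": {"owner": "alice", "salary": 85000},
    "1002": {"owner": "bob", "salary": 92000},
}


def payroll_vulnerable(url: str, current_user: str) -> Optional[dict]:
    """Hypothetical custom handler with an authorization bug: any logged-in
    user can read any record simply by changing the id parameter. Nothing in
    the request looks malicious, so a signature filter passes it through."""
    params = parse_qs(urlsplit(url).query)
    emp_id = params.get("id", [""])[0]
    return PAYROLL.get(emp_id)


def payroll_fixed(url: str, current_user: str) -> Optional[dict]:
    """Same handler with the missing ownership check added in the code."""
    params = parse_qs(urlsplit(url).query)
    emp_id = params.get("id", [""])[0]
    record = PAYROLL.get(emp_id)
    if record is None or record["owner"] != current_user:
        return None
    return record


def serve(url: str, current_user: str,
          handler: Callable[[str, str], Optional[dict]]) -> Optional[dict]:
    """Request path: the signature filter runs first, then application code."""
    if not waf_allows(url):
        return None  # blocked by a known-exploit signature
    return handler(url, current_user)


if __name__ == "__main__":
    xss = "https://hr.example/payroll?id=1001<script>alert(1)</script>"
    idor = "https://hr.example/payroll?id=1002"
    print(serve(xss, "alice", payroll_vulnerable))   # blocked by the filter
    print(serve(idor, "alice", payroll_vulnerable))  # bob's record leaks
    print(serve(idor, "alice", payroll_fixed))       # denied by app code
```

The XSS request never reaches the handler, which is what the product is sold to do; the IDOR request is indistinguishable from legitimate traffic at the filter and is only stopped by the fix in the application's own source, exactly the gap the post describes.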

Risk management – bringing brick and mortar security to IT

I was talking with a prospect yesterday who is an information security manager; extremely professional and creative at what he does. In the course of the conversation, I realized that there are fundamental differences in mentality between IT and security practitioners.

Back when I wrote COBOL/CICS applications for Tadiran Information Systems, some of our work looked like what these guys in the picture are doing: standing on a scaffold, patching bricks and praying that in the next rain the parquet floor won’t get flooded.

Most IT professionals don’t write software anymore; they evaluate, implement, maintain and support packaged applications from vendors. Firms use enterprise systems like Oracle Applications. Oracle buys companies all the time and has a large, complex portfolio of add-on products, such as Oracle BI Applications, used to improve the functionality of Oracle Applications, stave off the competition and up-sell customers.

The key phrase for IT professionals is predictable processes: making sure that the evaluation process is adhered to, and making sure that the implementation of a new module or system is executed in a uniform and timely fashion (I learned these buzzwords at Intel almost 20 years ago…). The most important thing (and this relates to security as well) is to ensure that the execution of business functions by the people using the system also conforms to the company’s business process.

Security professionals don’t write software either. Many do Perl and Tcl scripting, and here and there a few write C code to generate custom packets for network hacking, etc. Although many infosec people come from a software development background, most of the work is about specifying, evaluating and implementing TLA (three-letter acronym) products and services: SIM, DLP, IPS, NAC, ERM, PCI, DRP, SOX. Based on empirical evidence with clients, the majority of infosec departments are very focused on compliance and perimeter security, and very technology- and product-focused, not unlike their IT brethren.

The key phrase for security professionals is UNPREDICTABLE EVENTS: responding to internal and external attacks on people (phishing, social engineering and terrorists), on systems (hacking) and on data (data loss and fraud).

IT business applications are defined by the business and by corporate business objectives. Security activity is defined by people and organizations who don’t carry a company card and don’t care how much money a company pours into the security of its people, processes and technology.

This is a fundamental mismatch between IT and security groups. Since I can’t buy into something I don’t understand, I have difficulty seeing how complex standards like COSO/COBIT help bridge the gap. Politically, the analogy of a hot potato comes to mind.

I would propose that the common ground for IT and security practitioners in a company starts with the very simple idea of brick and mortar security. If everyone (IT, IT security, compliance, risk management and physical security) starts thinking and talking in the same brick and mortar language of attacks, vulnerabilities, assets and countermeasures, we will be able both to improve the process and to respond better to unexpected events.
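What that shared vocabulary buys you is a model that both groups can argue about with numbers. The following is an added example, not code from the original post or from any product: the four terms (assets, attacks, vulnerabilities, countermeasures) as plain data types, an annualised loss calculation over them, and a ranking of candidate countermeasures by net risk reduction. Every asset value, damage fraction, attack rate, mitigation factor and cost below is a constructed figure for illustration, as are the asset and countermeasure names.

```python
"""
Added example (not from the original post): the brick-and-mortar vocabulary
of assets, attacks, vulnerabilities and countermeasures as a small
quantitative risk model. All numbers and names are constructed for
illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Tuple


@dataclass
class Asset:
    name: str
    value: float  # loss value in currency units if fully compromised


@dataclass
class Vulnerability:
    name: str
    asset: str     # Asset.name this weakness exposes
    damage: float  # fraction of asset value lost per successful attack (0..1)


@dataclass
class Attack:
    name: str
    vulnerability: str  # Vulnerability.name the attack exploits
    annual_rate: float  # expected successful attempts per year


@dataclass
class Countermeasure:
    name: str
    cost: float                  # annual cost
    mitigates: Dict[str, float]  # vulnerability name -> fraction of damage removed


@dataclass
class ThreatModel:
    assets: Dict[str, Asset] = field(default_factory=dict)
    vulns: Dict[str, Vulnerability] = field(default_factory=dict)
    attacks: List[Attack] = field(default_factory=list)

    def annual_loss(self, applied: Sequence[Countermeasure] = ()) -> float:
        """Annualised loss expectancy: for each attack,
        rate * asset value * damage * residual after countermeasures.
        Mitigations from several countermeasures compound multiplicatively
        (an assumption of independence, stated here for the example)."""
        total = 0.0
        for atk in self.attacks:
            v = self.vulns[atk.vulnerability]
            a = self.assets[v.asset]
            residual = 1.0
            for cm in applied:
                residual *= 1.0 - cm.mitigates.get(v.name, 0.0)
            total += atk.annual_rate * a.value * v.damage * residual
        return total

    def rank(self, candidates: Sequence[Countermeasure]) -> List[Tuple[str, float]]:
        """Rank each countermeasure on its own by annual risk reduction
        minus its annual cost, highest net benefit first."""
        base = self.annual_loss()
        scored = []
        for cm in candidates:
            reduction = base - self.annual_loss([cm])
            scored.append((cm.name, round(reduction - cm.cost, 2)))
        return sorted(scored, key=lambda item: item[1], reverse=True)


def build_example_model() -> ThreatModel:
    """Constructed model: an employee database exposed to an insider mailing
    it out, and a web shop exposed to an unpatched XSS bug."""
    m = ThreatModel()
    m.assets["employee_db"] = Asset("employee_db", 1_000_000)
    m.assets["web_shop"] = Asset("web_shop", 500_000)
    m.vulns["no_outbound_mail_dlp"] = Vulnerability("no_outbound_mail_dlp", "employee_db", 0.5)
    m.vulns["unpatched_xss"] = Vulnerability("unpatched_xss", "web_shop", 0.1)
    m.attacks.append(Attack("bribed_insider_mails_file", "no_outbound_mail_dlp", 0.2))
    m.attacks.append(Attack("drive_by_xss", "unpatched_xss", 2.0))
    return m


# Constructed candidate countermeasures with assumed costs and effectiveness.
CANDIDATES = [
    Countermeasure("dlp_on_mail", 40_000, {"no_outbound_mail_dlp": 0.8}),
    Countermeasure("waf", 25_000, {"unpatched_xss": 0.7}),
    Countermeasure("secure_code_review", 60_000, {"unpatched_xss": 0.9}),
]

if __name__ == "__main__":
    model = build_example_model()
    print("baseline annual loss:", model.annual_loss())
    for name, net in model.rank(CANDIDATES):
        print(f"{name:20s} net benefit {net:>10.2f}")
```

The point of the exercise is not the particular figures but that a DLP gateway, a WAF and a code review programme, which normally live in three different budgets and three different teams, end up on one list, expressed in the same terms and compared against the same assets and attacks.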
