What do hackers really want?
No question is more important for mounting effective security countermeasures. Management, IT and security practitioners cannot expect to mitigate risk effectively without knowing the objectives of potential attacks on their organization and what those attacks cost to carry out.
We all depend on transaction processing to run our business and make decisions, no matter how big or small we are. We all use business applications (most of them Web-based these days) to buy, sell, pay vendors and collect from customers.
The prevailing security model is built on defense in depth of transaction systems. The most common strategy is to mitigate risk with network and application security products that are reactive countermeasures: blocking network ports and services, detecting known application exploits, or blocking the entry of malicious code into the network.
Are any of these security countermeasures likely to be effective in the long-term? Can attacks on a business be neutralized with defensive means only? In other words, is there a “fire and forget” security solution for the business? The answer is clearly no.
This is for three reasons:
- You must understand the attacker. If you understand what a terrorist wants (a suicide bombing in a shopping mall sometime next week), you can save lives with a preemptive strike. In the physical world we defend the citizens of our country with both defensive and offensive means. Attacking is often a political decision that is open to public scrutiny and criticism, but nonetheless we do attack our enemies with military action: commando raids, precision bombing or carpet bombing.
- You must understand yourself. Defensive “fire-and-forget” security countermeasures such as an IPS are not a replacement for understanding where the threats lie and how much your assets are worth. A Check Point SmartDefense firewall can help protect against malformed IMAP commands, but it cannot detect extrusion of proprietary company assets in a Gmail attachment. An application firewall can help mitigate well-known XSS vulnerabilities, but it won’t fix bugs in customized application source code or mend system configuration problems.
- You must consider the alternate cost. There is no reason to make rational, cost-based decisions in the real world but abstain from cost-benefit calculations in cyberspace. The cost of mounting a cyber attack on a company, for example bribing or social-engineering an employee to mail a file with all employee details, is far less than what the company spends on its information security systems. With such inherently asymmetrical costs of cyber defense versus cyber attack, it’s high time to change the rules. Robert Bejtlich has a fascinating discussion on his blog, “Mutually Assured DDOS”. It’s a catchy title with a lot of interesting insights, but personally I am not sure that projection of power, deterrence and mutually assured destruction is an acceptable corporate or government business objective.