Guest Commentary by
Jon Geater, Director of Technical Strategy at Thales
We are all well used to the traditional security metaphor, the chain. Good, sturdy, tangible chunks of steel that keep gates closed and chests locked. And we’re also well used to the traditional insecurity metaphor, the weak link.
But in the modern security climate the metaphor is proving too simple. A weak link is a fixed, identifiable thing with a very specific failing: it’s the link third from the left with the bad weld, or the extension made of an inferior alloy. The weak link in a physical chain doesn’t move around, and new attacks don’t come along very often that turn a seemingly strong link into a weak one overnight. In IT security neither of those holds true.
And there’s another thing: failure of that one link renders the whole chain useless. This is something IT security and physical chains do sometimes share, and it is the thing that needs to change.
Large-scale breaches are happening so often now that they don’t even all make the headlines anymore. RSA, Sony, Stuxnet et al. point to a growing prevalence of large-scale cyber attacks, but more than that, they confirm a change in the type of attack that security professionals have long suspected. By targeting users and credentials, external threats have found a way to become internal ones.
The growing use of social networking and consumer devices inside organizations, combined with spearphishing, social engineering and more traditional software exploits, gives attackers ample opportunity to gain a foothold in the organization. How many of those 70 million PSN users were re-using an email and password combination? How many of those passwords were shared with business systems? While security technology strengthens all the time, users and their credentials have become the ultimate weak link.
Attackers are also getting organized. While their motivations are many and diverse, modern attackers share many traits: intelligent, professional, stealthy, targeted and patient. The adversary knows what they want and they go for it. In today’s information economy your data is currency, and they know what’s valuable in your information estate. Gone are the days when the worst you had to fear was obvious drive-by mischief, easily defeated by good backup discipline. By using multiple attack vectors and quietly combining small exploits into a big attack, many adversaries are now out there to steal.
This new determination and the ready availability of attack tools (you can even get live CDs with automated network attack tools these days, accessible to novice users) has accelerated the traditional arms race, with attackers moving to a new target as old vulnerabilities are fixed. Security technology is improving all the time, but it’s just too easy for a determined attacker to get inside these days. The firewalls, the perimeter, the chain around the front gates are not enough anymore. We need to change the way we think about defense and make defense in depth mean something: move to specific protection goals and a cohesive approach all the way from the edge of the network to specific pieces of data.
The solution to this needs to be a multi-faceted approach to security: not a single chain but an array of complementary barriers throughout the IT estate to thwart attacks. The traditional defenses should still stand, but they can only do so much. Once the intruder is in, there is a need to protect systems and data from the inside. Critical information assets must be identified, valued and appropriately protected using strong encryption and key management. Credential and identity management is also vital: incidents like Gawker and PSN make this clear enough. And then, finally, a recovery plan has to be put in place for when the next twist comes in the battle against hackers. Don’t be taken by surprise; be prepared!
About the Author
Jon Geater has more than a decade of technical experience as a software architect and chief architect in the information security industry and has defined many real-world security products and systems for a very broad range of customers. As Director of Technical Strategy at Thales, Geater is a technical evangelist for the company’s information technology security activities and for technical developments in the security industry at large. Geater is a keen supporter of standardization and is co-founder of the OASIS KMIP key management group.