Are you one step behind on cyber security?
A recently released global survey by the Economist Intelligence Unit (EIU) showed that, on a global level, there is a systematic disconnect and misalignment between corporate teams and IT leadership teams on cyber security investment and priorities.
However, there was common ground, especially in the UK:
“Reassuringly, business and IT leaders in the UK agree that the top three greatest risks or vulnerabilities of their firms are cloud architectures, employees who are careless or untrained in cyber security, and threats that move faster than their defenses.”
The interesting part is “threats that move faster than their defenses”. Naturally, there could be a semantic debate about what actually is a threat and what is not, as the word means different things to different people, which is one reason for the dissonance between security and business people. But on closer inspection, it is one of the main reasons behind the other two: technology evolves and is taken into use, and largely the response from security is just that: a response. Rarely does it shape things in a way that lessens the need to respond in the first place. Attackers, meanwhile, have a revolution of methods, means and ways to run their business and reach their end goals. Yes, it is a business. Cybercrime costs are projected to reach 2.1 trillion USD by 2019 according to Forbes.
What this increased velocity, or speed, means is that simple solutions, whether products or acts, which individually worked well in the security theatre at the beginning of the 2000s, are outdated for the purpose and/or require high-frequency updates to keep their effectiveness. The surrounding environment has changed into a more organic, chaotic system that becomes more and more complex, e.g. with IoT, while the simple solutions have become mechanical, siloed instruments due to their linearity. This ineffectiveness can be difficult to notice when motion (action) is confused with progress, and because not all entities face the same attacks, especially not at the same time. So the advancements are rather, to quote Henry Ford, faster horses, which make defense a game of cat and mouse (or whack-a-mole, if you will) with a need for increased speed: one has to run even to stand still (Peter Principle of Defense).
An additional challenge is that the usage of zero-days (0days) has increased. These are exploits that have no patch and that vendors do not know about. There is some confusion with the “patient zero” idea, the thought being that these are the same, but patient zero is the first patient with the sickness, whereas a zero-day can exist even without being used. So a zero-day exploit does not mean the same as a zero-day attack, which indicates that someone found an exploit being used, while the actual vulnerability and its exploit were originally found and made by someone else. This means patching is outdated other than as a long tail to raise costs. According to arstechnica.com, 0day exploits will more than double.
“We’ve been one step behind Silva from the start. It’s time to get out in front, change the game.”
James Bond, Skyfall
Information security, or cyber security if you will, is an organic, non-linear, chaotic, complex system. One reason is that, unlike in some other IT or technology projects, control is on the attacker's side. When doing business, its risks cannot be avoided, only mitigated. This means that in order to be effective, one needs to employ different thinking: strategic thinking instead of point solutions, which also means the qualitative “how” and not only the quantitative “what”. Play the music and not just the instruments (technology, processes). Some may express even blunter opinions about the current state, but there is a point: if technology, even faster horses as Henry Ford famously said, were a savior, there would be no successful intrusions. An asset-based approach can also be a bit problematic, depending on the viewpoint, as it is the attacker who decides what is beneficial for her; if there is no information available, the systems may be more useful as part of botnets conducting e.g. DDoS, spamming, attacks to breach other systems, etc.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles,” said Sunzi, but rarely has a defender seen an attacker, that is, how attacks are actually done, and an attacker’s background and thinking are simply different from a defender’s. However, a defender should learn how to attack systems, or otherwise end up being a system administrator administering a security product. This is also one reason why sharing information about attacks and intrusions should be encouraged: to make this industry anti-fragile, to benefit from difficulties. It may take some cultural change, due to the typical blaming of victims; maybe some centralized entity could share this information without revealing the source?
The history of the Future
Due to the nature of cyber, all the history that has happened still needs to be dragged along. This means history and experience are worth more than gold, since they allow one to see what has happened, create expectations of what will happen, and, with skill, notice deltas. This also means that the mindset, the way of working and thinking, may be more important than technology. “People, Ideas and Technology, and in that order,” said John Boyd (author of the OODA loop), and he was right. Battle-hardened people who see the whole picture instead of boxes can take the approach to a new level. Battle-hardened means learning from what has happened and, sometimes with scenario-based thinking, from what will happen. Security is about trust, and trust takes a long time to foster but can be lost immediately. Integrity, experience, knowledge and skills are thus important. One example is situational awareness: if you can see everything, do you actually know anything? A chess board with all the pieces is in front of you, but that does not tell you anything about what the other player may do.
When utilizing strategic thinking, one does not need to be fast, as one controls the time. Strategic thinking is more than the sum of its parts: collaborative thinking, communicative thinking, critical thinking, creative thinking, contextual thinking, conceptual thinking and cultural thinking. Instead of boxes on top of your normal work as a checklist, the approach merges with normal existence and adapts to your environment; instead of names, one becomes part.
This ability to control time through experience, knowledge and vision is well summed up in a quote from a Japanese samurai:
“Whatever the Way, the master of strategy does not appear fast….Of course, slowness is bad. Really skillful people never get out of time, and are always deliberate, and never appear busy.”
― Miyamoto Musashi, A Book of Five Rings: The Classic Guide to Strategy
Are your time, priorities and cyber budget focused correctly on the flow?
Is your current provider offering you square pegs for a round hole? Would you like to have a dialogue with us about (your) history of the future?