Challenging Conventional Wisdom
August 26, 2014 | Security and Risk | John Worrall
By John Worrall
Every once in a while, people get shaken from their normal routines and have to question if what they’ve been doing is still relevant to their current situation. The raft of password-based cyber thefts for example, has everyone thinking of a better way to manage their credentials.
The truth of conventions and wisdom is that they are fluid and sometimes what was true yesterday may be irrelevant tomorrow. This is where we are today in the security industry and as Gandhi pointed out decades earlier, “It is unwise to be too sure of one’s own wisdom. It is healthy to be reminded that the strongest might weaken and the wisest might err.”
We are fortunate to be living through one of the pivotal moments in the security industry that forces a challenge to conventional wisdom. Here’s my challenge for the industry:
Stop Over-investing in the Perimeter
The perimeter isn’t dead – but it has been proven ineffective at preventing breaches. Organizations need to stop focusing the lion’s share of effort on security tactics that don’t work. The ‘perimeter’ simply doesn’t matter in the world of advanced attacks such as USIS, P.F. Changs, eBay, Heartbleed, Snowden, retail PoS breaches and the list goes on. Countless research points this out, including our own recent research that shows that 52 percent of businesses believe hackers are on their network, or have been within the past year. I argue that the other 48 percent are denying reality.
If the attackers are inside, does it really matter where they came from? Should defense strategies continue to depend on the point of origin? No.
How do attackers live undetected inside a company for a week, month or years? They steal and exploit valid credentials – a default printer password, a hard-coded password, an employee’s or partner’s credentials, an unprotected hash or other privileged account. With these in hand, an attacker is able to spiral through a network, hijacking additional accounts, elevating privileges to gain access to vast stores of information, data and control within an organization’s digital repositories.
This transformation of malicious outsider into a defacto insider enables an attacker to access sensitive assets, install malware and reach the attack goal – all by employing the same permissions and workflows that the organization established for its own, legitimate processes. Prevent this and you take away an attacker’s ability to take control of your very own infrastructure.
The string of recent, high-profile breaches is proof that the bad guys have figured out the perimeter doesn’t matter, so why is it taking so long for the good guys to accept this reality? Resources are already scarce for most organizations so we need to be smarter about how we use them. The first step is to accept tradition isn’t working and agree that it’s time to think unconventionally.