Are Fewer Breaches Better in IT Security?

Posted on June 18, 2015


The PWC report ‘The Information Security Breaches Survey 2014’, commissioned by the Department for Business, Innovation and Skills (BIS), states there have been fewer security breaches in 2014.

Good news, you would think? Wrong, I would postulate.

Whilst there may be fewer breaches, the breaches that have occurred have cost more and demonstrated escalating degrees of fallout from the perspective of the targets/victims. Correspondingly, for the perpetrators/hackers there is an increase in successful hits, in the subsequent scale of return and, worryingly, in persistence.

Welcome to the world of Advanced Persistent Threats, where things are no longer as simple as they once were. The cyber security landscape of ‘catch a cold’, apply a brand of anti-virus, expel the bug/virus and back to full health is little more than a quaint reflection of a rapidly diminishing past. Today’s environment has evolved exponentially. Colds still abound, but they are avoidable and attract little sympathy if someone cannot be bothered to take the most basic preventative measures of keeping their software patched and running credible anti-malware. That goes especially for the Apple Mac OS X users who have been in denial of their exposure for years and now represent the biggest threat to corporate systems in the new BYOD (Bring Your Own Device) world.

ALL Apple operating systems are totally compromised to a degree beyond anything that has ever befallen their arch nemesis Windows. That includes the much heralded Apple OS Keychain which has been hacked wide open. Read ‘Apple’s Password Storing Keychain Cracked on iOS & OS X’.

The new world is one of Advanced Persistent Threats (APT). These are like a cancer, and not just a single class. They are no longer a readily identifiable broad-spectrum category of challenges; they are often unique and target specific. In the face of a determined and persistent attack there is little defense for most corporate systems; as for consumers, they are like lambs to the slaughter.

Consumers are little more than cannon fodder, the ‘forlorn hope’, that many hackers now harvest at will, corralling them into cloned armies of computing systems that can be used like a collective weapon. The targets of many such weaponised computer systems are the commercial organizations, who can do little more than run to keep up with the cyber threats to their systems’ integrity, coming last in most races.

The core problem is the embedded security culture in corporates today: cultures that limit agility and prove to be wholly inappropriate in the face of the rise of the global economy and its demand for new ways of working. The malware of yesterday is but the spring shower to the thunderstorm and lightning strikes of today, and a prelude to the act-of-god class impacts of tomorrow if we do not get our act together.

Corporate security systems with their ‘defense in depth’ have become like the grit in your shoe, and in some cases like pouring cement into a gearbox. We hear a lot about ‘Defence in Depth’, but in my experience it’s the mantra of security vendors peddling the viability of their product, addressing a niche ‘requirement’ and arguing a co-existence alongside other solutions already deployed in an organization. When it comes to IT, apart from the obvious burden of cost to the business, complexity very quickly leads to inefficiency, neglect, conflicts, and ultimately security challenges. This latter point sounds a little counter-intuitive in the context of security products working in harmony in a defense in depth model, but it’s perhaps a cold reality of the nature of getting disparate IT solutions to co-exist harmoniously.

I have come across few such ‘security in depth’ implementations that are backed up with conclusive success results. They largely fail the key security test (the holy grail) of a viable balance between security and usability. More a case of hammer meets nut.

For example, one very large telco I worked with deployed so much security processing on their tele-workers’ notebooks and PCs that system performance degraded by up to 30%. All in the name of securing the business, and on the face of it, yes, the security was impressive, but at a fundamental productivity and competitive advantage cost:

  • Users demanding memory upgrades to improve the sluggish performance of their systems. This becomes a hidden cost, as the default budget is based on the ‘standard build’ of systems, which quickly became non-standard to address performance issues for certain power users.
  • Boot times of systems going from approx. 90/120 seconds to 5 minutes. Multiplied up across a working year, this comes in at 2 weeks of wasted time!
  • Support desk calls escalating due to the complexity of systems, which inherently incurs additional end-user handholding.
  • Users side-channeling corporate systems due to performance issues, despite security policy; sometimes the pressure to get the job done over-rides the rule book. Shadow Cloud is the new buzzword.
  • Cost of licensing this arsenal of security tools.
  • Risk of maintaining such a complex blend of ‘security in depth’ tools up to date and functioning harmoniously.
  • Operating system updates and patches getting delayed due to a need to test that there is no conflict with the numerous deployed security tools, prolonging exposure to known exploits and allowing hackers to wander freely through corporate networks undetected.

And there are other soft issues that are increasingly becoming important in a world where employees spend the majority of their working days on corporate-supplied computers. The end-user experience is increasingly becoming a critical factor in retaining and attracting good staff.

This HUGE cost is purely voluntary: a business bowing to the dictates of its technology department who, armed with a hammer in the form of an arsenal of security tools, has started that age-old game of ‘whack a mole’ by deploying as much of it as they can, cornering obscene budgets through scaremongering in the absence of hard, risk-assessed facts.

The problem is multi-faceted but could be addressed with a change of attitude and approach:

  1. Protect the right things = The Data. NOT the environments that the data resides in. Currently most companies invest MILLIONS protecting the wrong things or, to be less disingenuous, endeavoring to protect the right thing in a most convoluted and expensive (time and money) way. The ‘Black Box’ era is over; creating the impervious corporate computing environment (or device) is a fool’s errand, as the surface area to protect is magnifying exponentially. Unless you plan to isolate all computers from ANY network connectivity (the North Korea approach!), the most practical avenue is to use the surplus of modern computing horsepower and employ data encryption through a next generation Public Key Infrastructure (PKI).
  2. Societal – New creative ways to engage the end-user risk. Embed security awareness and habits in the fabric of society, not in the wildly diverging and isolated manner practiced today in corporate silos and schools, whose ICT is often so out of step with modern progress, or practical realities, that it becomes counter-productive by creating a culture with a false sense of security and risk mitigation.
  3. Services – In an increasingly service-centric world where our private and corporate systems include third-party service platforms, there is a need for greater shared responsibility and accountability. A prime example of this is the recent breach of the online password management service LastPass. Most users found out that their password wallets had been compromised via the Internet grapevine. There must be acknowledgment of the need for greater analytical capabilities across leading service vendors (and large enterprises), to increase the visibility of attacks and enable intelligent preventative and responsive action.
  4. Compliance – Society needs to get a grip on government interference. These issues are NOT going to be solved through the viscous and protracted processes of legislation. Furthermore, government paranoia and insistence on being able to monitor and conduct surveillance goes beyond any national security use case. The current approach is a threat to individuals’ liberty through an overt suppression of the free will of individuals to express themselves, as much as an invasion of privacy. Not to mention turning corporate economic engines of productivity into uncompetitive also-rans.

The core issue is that the surface area to be protected across our business and private lives is growing exponentially. When I say exponential, I mean it in numbers that would make today’s world of PCs look like a backwater. With the prospect of the Internet of Things (IoT) projecting an explosion of connected devices in the billions, it is a cold statistical reality that compromises will grow accordingly. Anyone who believes that some silver bullet exists that will address this is in denial.

With the IoT and the magnitudes of new devices coming online in new and creative ways, we are sowing the most fertile ground for social benefit as much as for risk exposure. A rich harvest to feed new generations of young brains wired in new ways, brains that will manifest the unprecedented in both the bright and dark sides of our digital world. It is time the industry started to adapt accordingly.