I was fortunate enough to sit in on Hugh Thompson's keynote session, "Science of security fragility," during the RSA Conference Europe 2011, October 11-13 in London. Thompson is chief security strategist at People Security, which designs security training programs for corporations. (He also serves as program chairman for RSA Conference Europe 2011).
During his speech on October 11, Thompson presented the following five immutable laws of security fragility. Here's our analysis of what these laws indicate for CIOs and other IT leaders.
1. Organizations must recognize that "secure" systems will continue to fail in the face of out-of-context attacks.
This first law is all about being agile. Organizations must think broadly about risk assessment. They must realize that there is a combination of technical and social parties coming together in a very skilled way, introducing an interesting mix of activities that are typically out of context for the organization when viewed from operational and security perspectives. Granted, risk assessment can prove to be extremely difficult given the vulnerability to attacks in these types of environments, and it is even more difficult to measure the value of prevention. This does not remove the need to embrace risk management.
2. Organizations need to expect failure. They must create safety nets. They must adapt to the current reality as it unfolds and morphs each hour of each day.
This indicates that static security programs leave an organization in a visible and well-known state for its attacker to peruse. To counter this vulnerability, organizations need to be agile in their planning and implementations surrounding security management and security response. "Continuous improvement will be the way of the future," said Thompson.
Just as the traditional "waterfall" model for software development lifecycle is no longer a viable model for software development, it no longer works well for security management programs and projects. "The waterfall model would be akin to driving a car and setting it in a straight line, locking the steering wheel in place without any corrections being made to account for the curve ahead," added Thompson. "Without constant correction, one could find themselves over a cliff."
3. An organization's employees, contractors, partners, suppliers, and others connected to the company will make mistakes; it is unavoidable. Organizations must plan for these mistakes.
This third law aims to guide people to optimize for utility not security. With the explosion of personal information exposed through digital means, we find that anyone and everyone can be vulnerable to a smart and determined attacker, namely through Phishing scams and social engineering schemes. Thompson suggests that organizations can lessen the impact of an attack by building a robust security response capability. An additional countermeasure here could be something as simple as employee education.
4. Organizations must assume that the environment is contested and behave accordingly.
This law is a warning to organizations that trot along throughout each day, week, month, and year thinking that everything is OK because their anti-virus product hasn't flagged any malware running rampant. If this is how you operate, you could find yourself in a world of hurt, far beyond the point of resolving the problem without tremendous loss before the breach is detected. Operating blindly and leaving sensitive data open to partially trusted users makes it easier for an attacker to co-opt a well-meaning insider to do bad things on their behalf. We've seen it time and again: It is very easy to trick an employee, regardless of rank, to do bad things, using their credentials provided to them by the organization.
5. Organizations must constantly re-evaluate assumptions; pillars of trust can erode quickly, unexpectedly, and repeatedly.
"Most organizations have depended on attackers going after the data that is the most valuable," said Thompson. "This is referred to as 'reasonable targeting.' " he added.
Thompson described an experiment he performed with some of his students at Columbia University where they created a new phrase -- content reflux -- and then engaged in search engine optimization (SEO) techniques to get this new phrase prevalent throughout the Web, including securing the top search engine results. What they found during this exercise is that they were able to create a presence that captured the top five pages of search results. They were even able to get the auto-predict features of the search engines to populate the phrase in the top spots. The frightening thing here is that the students could have used anything they wanted as the links listed in each of these search results. It goes without question that attackers could take full advantage of this capability, capitalizing on SEO terms in order to lead people to malicious websites.
The final take-away from the session is that organizations must move from a model of lock-down to a model of security agility. "Organizations must embrace failure, create safety nets, and protect their internal and external supply chain dependencies," said Thompson. "Agility will be the key. Accept failure."
About the Author
Sean Martin is a CISSP and the founder of imsmartin consulting. Write him at email@example.com.