One of the questions that a Information Security person dreads most is someone from the business asking “Are we secure?”.
You can be torn between the urge to explain in detail why that question can’t be easily answered and the details of the controls in place and residual risks (and sending them to sleep) or a flippant “yes” which may well come back to haunt you…
One of the reasons why the answer could be so long is the obvious question “Secure from what”. A set of controls which may be reasonable tight when faced with a non-targeted threat from malware may be totally inadequate against a motivated knowledgeable insider threat.
So, perhaps one way to help is to break down the “secure” question a bit in to categories of threat.
For example: –
- Non-Targeted Threats
- Internal Targeted Threats
- External Targeted Threats
This way you can classify your controls as to how well they target each threat category, giving a better picture as to what level of risk your organisation is actually running.
First off is probably the easiest one, “Non-Targeted Threats”. This category includes a lot of the “traditional” threats to your security and is also probably the easiest one to mitigate, as the attacker isn’t intelligently looking for a way to attack you they’re just randomly interested in getting access to assets.
Examples of this category of threat are
- Malware – Most malware isn’t targeted and is just looking to compromise a machine (any machine) for the purposes of using its resources or getting access to information held on it or entered into it (eg, users banking credentials).
- Laptop Thefts – The majority of laptop thefts are not targeted, they’re just carried out by someone who sees the laptop as a portable asset that can be easily resold.
- Internet Attacks – A large portion of “script kiddy” style attacks again, aren’t targeted at a particular company, they’re just looking to compromise servers on the Internet for (mis)use.
Looking at these sample threats, we can see that it’s likely that more automated controls will be effective against them. We don’t need to be absolutely flawless in our execution of security to defeat them but we need to be “good enough” that the attack moves on to someone else.
So controls which are likely to be effective in this space could be :-
- A-V/Anti-Spyware – Whilst there’s a diminishing return on these as attackers work harder to bypass them, signature based A-V still adds a lot of value in cutting out the “noise” of malware attacks
- Patching – Again we’re not dealing with attackers who are likely to use a zero-day exploit here, so vendor patching will likely be an effective control to mitigate some of these threats.
- Laptop encryption – Whilst it could be argued that this isn’t a perfect control (with the cold boot http://www.freedom-to-tinker.com/?p=1257 attacks that have emerged), it’s likely to be an effective control for a random laptop theft.
- Network (and Web Application) Firewalls – Until recently you could have argued that non-targeted attacks rarely use application level techniques, the recent mass SQL Injection attack (doubtless the first of many) show that firewalling at the network and application level is necessary to keep you safe(‘ish) on the Internet.
So far, so good. Next up we’ll look at the trickier area of Internal Targeted Threats.