Showing posts with label management.

QOTD on The New Security Reality

You should assume that every server in your company is compromised, then build your security around that.
[...]
Don't assume you're safe. Assume you're not, and figure out now how to react when you are compromised.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD on The Security Perimeter

The days of the perimeter working as the sole defence mechanism are no longer with us.
[...]
Once hackers defeat the perimeter, they will make stealthy, pinpoint attacks from there.
This isn't an outbreak which shuts all the corporate machines down – it's about probing and searching for valuable data or other vulnerabilities.
-- Andy Dancer, MD and CTO EMEA for Trend Micro

Src: Treat every corporate server as compromised, advises security expert - 25 Nov 2011 - Computing News

QOTD - WEF - Online Security As Public Good

Online security is also an example of a public good; costs are borne privately, but benefits are shared. When individuals weigh the cost of investing in antivirus software, they do not take into account the benefits of protecting other users from spam and advanced persistent threat attacks if their computers are infected with malware.
[...]
Innovative multistakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience.

QOTD - WEF - Axioms for the Cyber Age

Axioms for the Cyber Age:
Any device with software-defined behaviour can be tricked into doing things its creators did not intend.

Any device connected to a network of any sort, in any way, can be compromised by an external party. Many such compromises have not yet been detected.
The document (correctly IMO) summarizes the current state of affairs with respect to system security:
There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome “hackability” may be as hopeless as denying gravity.
Src: Global Risks 2012 - Seventh Edition | World Economic Forum

QOTD - Bill Gates on Trustworthy Computing

So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. [...] If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
-- Bill Gates, at the time (2002) Chairman and Chief Software Architect at Microsoft

Src: Bill Gates' Trustworthy Computing Memo (from Microsoft, dated Jan 15, 2002, RTF format)

QOTD - PwC on APTs

The most sophisticated, adaptive and persistent class of cyber threats is no longer a rare event.
The report goes on to say:
In the few short months since this survey was launched on February 10, 2011, for example, leading organizations worldwide have been targeted by Advanced Persistent Threat attacks. These entities include national governments, nuclear laboratories, security firms, military contractors and an international organization that oversees the global financial system.
Yet APT isn’t just a threat to the public sector and the defense establishment. It’s an increasingly urgent issue for the private sector as well.
Src: Global State of Information Security Survey 2012: PwC

QOTD - If I was a CSO – By a “Hacker”

Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either by-pass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team morale instead, a better use of the money. Your security is rarely better from these products. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious.
Note: emphasis is mine

Src: If I was a CSO – By a “Hacker” | CSO

QOTD - RSA's Coviello on Security

Intelligence about your potential attackers and most valuable assets shows you where to focus your efforts, such as what systems to protect and what users to closely monitor.
-- Art Coviello, executive chairman of RSA

Note: is it just me, or does this ring similar to Sun Tzu's Art of War ('know thyself and know thy enemy')?

QOTD on the Value of Information Security

For any significantly sized company, information security is a critical business function because information management is a critical business function.
-- Eric Cowperthwaite, CSO at Providence Health and Services

Src: Are you an IT security leader - really? - CSO Online - Security and Risk

QOTD - Perspectives on Security

While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue. Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small share (3% to 4%) of their budget into security. If something is only taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.
-- Alan Shimel, co-founder of The CISO Group

Src: Open Source Fact and Fiction: An Open Letter To The Information Security Industry: We Live In Amazing Times

QOTD - Schwartz on APTs

The new fact of life is a 'state' of persistent, dynamic, intelligent threat and disruption, the economic and societal ramifications of which are overwhelming. This doesn't mean that we as a collective of security professionals are powerless against our adversaries – we can and should be able to manage our risk to an acceptable level and change the ongoing and grim trends.
-- Eddie Schwartz, Chief Security Officer of RSA, The Security Division of EMC

Src: Cyber Security Leaders Rally to Combat Advanced Persistent Threats

QOTD on Security vs Business

Security is a layer that needs to be there, it needs to be stringent, and it needs to be adhered to, but it cannot be an obstacle in providing information.
-- Mike Gleason, Director of Information Services at Scottsdale Healthcare

Src: HIPAA at 15: HITECH Tightens Health Care Data Privacy Laws - Health Care IT - News & Reviews - eWeek.com

QOTD on Securing Customer Data

Security is not a 6 month or 12 month initiative – it’s part of innovation and the ongoing evolution of commerce. As fast as you invent a lock, there is a criminal finding a way to pick it.

Bottom line: Protecting customer data is the right thing to do. It will save you money, it will make you money, and it will engender trust with consumers so that they will want to transact with you more.
-- Sean Cook, CEO of ShopVisible

QOTD on Attack Surface & Risk

The attack surface of a target is not influenced by changes in the operating environment, attack tactics, attacker strategy, or attacker operational capability. These things will change the risk of whether or not something may be attacked and the impact of that attack but the attack surface has been there the whole time as the same thing as always. In our work [OSSTMM], the attack surface is the quantity of points of interactions with a target (or asset). These include interactions necessary for operations. The only means of changing the attack surface is by adding or removing controls over the interactions, changing the quantity of points of interactions, or by changing the scope to include previously unknown targets.

Many things will influence attacker motives, capabilities, and style but that only represents what they do and not the surface of what they can attack. So if you clone a military base it has the same attack surface at home and in a war zone or on the moon and the Earth. What is different is risk and not what can be attacked. The points of interaction remain the same. That's the nice thing about measuring an attack surface: it's pretty static in terms of the things you can't control, so it's in your power to address the operations you want and the interactions you don't want. So that means while you can be pretty sure that any change in environment, tactical ability, or motives will bring about changes in risk to the point where it seems to benefit whomever responds to it first (attacker or defender), the attack surface will stay the same.
-- Pete Herzog, Managing Director, ISECOM - Institute for Security and Open Methodologies

Src: Security Metrics mailing list. Posted with the permission of the author

QOTD on Adequate Security Spending

Not everyone needs to spend to defend against the upper echelon of threat agents. Everyone needs to spend to defend against the lowest echelon.
-- Wade Baker, Director, Research & Intelligence at Verizon Business

Src: Security Metrics mailing list. Posted with permission of the author.

QOTD on PSN Breach

Adding a CISO after the fact is like hiring a bodyguard after you've been fatally wounded. It creates an impression that there's a lack of accountability.
-- Kevin Kosh, partner at Chen PR

Src: Sony Chief Stringer Blindsided by Hackers Seeking Revenge | Page 2 of 2

QOTD for IT Departments

When deny-by-default is the policy, the response to any request that leads to someone outside of IT using technology to innovate is, "Here's why you can't." In the new IT, the response has to be, "Here's how you can."
-- Bob Lewis, writing for Infoworld

QOTD on Security in Business

The most basic fact of business is that there are only three bottom-line priorities: revenue, cost, and risk. No matter what anyone at your company does, in the end it must tie back to making revenue grow, keeping costs under control, or managing risks more effectively.
-- Bob Lewis, writing for Infoworld

Src: How the App Store Reshapes IT's Priorities | PCWorld Business Center

QOTD on the Trusted Insider

You have a lot of folks that…pretty much have the keys to the castle... The enterprise admins have the ability to scour the entire network. That’s a hurdle that everyone has, especially with the move to managed services. You don’t know who the people who are managing your systems are anymore.
-- anonymous security expert at the US Homeland Security Department

Src: Wikileaks insider threat: A lesson for government cybersecurity managers | TechTarget.com

QOTD on Fighting Breaches

The fact is that you can do everything well, and be breached; or you can do nothing and suffer no recognizable breach.
-- Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation.