Leader of the Pack or Chasing Your Own Tail?
I have been thinking for two weeks about what to cover in this first post of 2015. I have read dozens of other blogs and articles online that talk about the problems organizations had in 2014, and the revelations regarding what law enforcement and other three-letter agencies have been doing to our privacy. Several more cover the issues we in computer security can expect to face in the new year. Rather than rehash the problems of the past or attempt to predict future trouble, I prefer to focus on the positive changes I hope to see in the sector over the next year.
As we roll into 2015, which by the way is the year Marty McFly time-traveled to in Back to the Future Part II, we may not be dressing the way 1980s writers and costume designers envisioned: a cross between cyberpunk and raver style. However, one fact is unavoidable: the environment of the cyber security sector has changed as dramatically as those fashions, and we must keep up with the times. It is time for those who work on the defensive side of security to stop thinking like law enforcement and start thinking a little more like the criminals do. We have reached an age in which the layered security that was so important a few years ago is, on its own, about as effective as a castle moat would have been during the Second World War. Criminals are not concerned with how much money your organization has spent on fancy defenses or how much harm a breach will do to your organization. They only care about what they stand to gain from stealing your data.
The best detectives and profilers in law enforcement do not spend their days following regimented procedures. They think outside the box and are not afraid to put themselves inside the minds of the criminals they are looking for. I work on the offensive side of security, where it is our job to think like the bad guys, but in big corporations we still find ourselves stymied by outdated policies and obsolete ways of thinking. I hope that 2015 will be the year that organizations serious about their security are willing to let their security teams do what it takes to stop the bad actors. It is time to stop drawing lines around what we are “allowed” to do and start letting us find the breach points before the bad guys do. It is time for us to be ahead of the game instead of spending our days (and nights) playing catch-up.
In order to promote positive changes to the way cyber security teams function, organizations must be willing to give cyber security professionals greater freedom to determine which tactics are necessary to prevent attacks. These professionals should not be so heavily restricted in their actions that they are prevented from doing their jobs. For example, penetration testers are frequently prevented from performing a DDoS attack at all. Allowing testers to run a controlled DDoS (scheduled, rate-limited, against an agreed target) has the potential to lead to new methods of prevention or, at the least, will prepare the organization for the possibility of an eventual attack using this technique. Social engineering is an often-dismissed tactic, usually avoided because of the likelihood that the organization will fail to pass muster under such scrutiny. Yet it is arguably the most common initial point of entry in breaches by criminals attempting to gain access to an organization’s data. Failure to address this area is a failure to give sufficient weight to the necessity for strong cyber security procedures. Cyber security professionals should be given the freedom to use these and other such techniques to really test the strength of their organization’s security,