For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.
The SANS Institute (SysAdmin, Audit, Network, Security), at least, also asks what we are doing well. As they point out, it is always far easier to produce a list of threats and attack points than a list of what we have done, and are doing, right. It is human nature to focus on the shortcomings.
We have to practice rational security. Yes, we have to protect against increases in risk, but we also have to recognize that we have only so many resources, and that risk will never reach zero.
We recently worked an incident in which a complete network compromise had likely occurred. Another analyst's advice was to shut down and destroy the entire network, rebuild each and every device from the ground up, and come back online only once a secure state had been established. The problem: such an effort would have crippled the organization's business. Removing the IT capability of the organization as a whole was simply not tenable.
Additionally, even if every system had been "turned and burned" and the architecture rebuilt from the ground up, security "nirvana" would not have been reached anyway. The first misstep, misconfigured system or device, or mobile system introduced into the network would immediately raise the level of risk again.
Thus, the decision was made to focus not on eliminating the risk, but on minimizing it. Known compromised systems were replaced. Scans and password changes became the order of the day, and entire segments of the network were taken out of operation to minimize the risk during a particularly critical 12-hour window in which critical data was being processed and services performed.
Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business-process pain? Of course! But the impact on the organization, its bottom line and its reputation was far smaller than it would have been had they taken the "turn and burn" approach.
Rational response to risk is what we need, not gloom and doom. Finding the holes in security will always be easy; the key is understanding which holes need to be prevented, which need to be wrapped in detection, and which need to be covered by response. Only when we can clearly communicate to management and consumers alike that we have rational approaches to solving security problems will they be likely to start listening again.