In many of the conversations I have been having lately with InfoSec managers, some of them seem to have forgotten the basics of our relationship with attackers. They seem to have forgotten some of the basic tenets of security, and they certainly don’t seem to be aware of Murphy’s Law.
So, let’s review a couple of items – just as a refresher.
The first item is that attackers control the pace, not defenders. They are in control of when attacks occur, where they occur and how serious they are. Now we, as defenders, have some capabilities here to try and make sure we have minimized the impact of these incidents – but we have NO CONTROL over the timing, pace or location. Those items belong to the attacker.
Second, attackers will focus on your weaknesses, not your strengths. That is simply what smart attackers do. If you build all of your defenses and post your armies of cyber soldiers to brace for a full frontal assault, it is likely that a smart attacker will flank you. This is elementary in warfare, and it is a real and vital part of InfoSec too. You have to allow for defenses that embrace your assets and not just protect the obvious issues. You have to be ready for defending the subtle assets and locations too. Gone are the days, if they ever really existed, of attackers impaling themselves on your firewall and IDS/IPS en masse. Today, attackers are more subtle, more evasive and target things deeper in your territory. Things like users, client-side vulnerabilities and remote access points are juicy targets for today’s attacker.
As for Murphy, InfoSec managers need to remember that attackers will exploit timing issues without concern. They will leverage the fact that you are down a headcount, that your entire staff is at a week of training, or that your budget does not have room for the sudden purchase of a security tool to combat a new threat. Attacks will come at the worst possible moment, so you might as well plan for them. Got a merger coming up, or an important period of business in the run-up to the end of the year? If so, it would be wise to ensure you preserve some resources for possible incidents and attacks. Murphy says they are likely to happen just when you need them least.
Again, I know these seem pretty basic, but they are truths of security and defense. They are universal, uncaring and painful if you have to learn them the hard way. So, build them into your plans and be ready to explain them to other management. The more you study them up front, the less they can harm you down the road.