Information security techniques certainly are improving. The SANS Top Twenty Critical Controls, for example, are constantly improving and are being adopted by more and more organizations. Also, security hardware devices and software applications are getting better at a steady rate. But the question we have to ask ourselves is: are these improvements outpacing or even keeping up with the competition? I think a strong argument can be made that the answer to that question is NO! Last year there were plenty of high-profile data loss incidents such as the Target debacle. Over 800 million records were compromised that we know of, and who knows how many other unreported security breaches of various types occurred?
So how are we going to get on top of this situation? I think the starkly realistic answer to that question is that we aren’t going to get on top of it. The problem is the age-old dilemma of defense versus attack; attackers will always have the advantage over entrenched defenders. The attackers know where you are, what you have and how you defend it. All they have to do is figure out one way to get over, under or around your defenses and they are successful. We, on the other hand, don’t know who the attackers are, where they’re at or exactly how they will come at us. We have to figure out a way to stop them each and every time – a daunting task to say the least! Sure, we as defenders can turn the tables on the information thieves and go on the attack; that is one way we can actually win the fight. But I don’t think the current ethical and legal environment will allow that strategy to be broadly implemented.
Despite this gloomy prognosis, I don’t think we should just sit on our hands and keep going along as we have been. I think we should start looking at the situation more realistically and shift the focus of our efforts into strategies that have a real chance of improving the situation. And to me those security capabilities that are most likely to bear fruit are incident detection, incident response and user education and awareness; the Big Three. Over the next several months I intend to expand upon these ideas in a series of blog posts that will delve into tactics and means, so stay tuned if this piques your interest!
Thanks to John Davis for writing this entry.
The Big Three | MSI :: State of Security http://t.co/nHUf6qpYA1 <Great advice from John Davis!
Brilliant article and looking forward to reading the blog post series, and completely agree with the Big 3 list. Would make one challenge though: do you not believe user access management should have its own place among that list? I do believe alongside the other 3, it would make for a complete baseline that stands a chance.