Thursday, April 7, 2011
Securing Organisations has become extremely difficult amid the impunity of large breaches
There is much news of security breaches that call into question the competency of whitehats (the good security professionals) and established security organizations. All this bodes ill for the state of Internet security in the days to come. Nevertheless, these breaches serve to indicate how challenging the role of a security professional has become. There are two specific reasons why.
I am a great fan of the “Lord of the Rings” trilogy. In the second sequel, the impregnable fortress of Hornburg in the Rohanian valley of Helm’s Deep was stormed by the Uruk-hai, who dynamited its only weakness, a fortified aqueduct. The weakness was exposed by a turncoat with specific insider knowledge of the fortress defenses. In today’s world, whitehat security professionals face a similar challenge: they must secure large organizational perimeters against all forms of attack, whereas a blackhat (hacker) needs to exploit only a single vulnerability to gain access. Finding this one vulnerability, though challenging against a well-secured organization, is not difficult. Technical weaknesses are easy to find, ranging from data leaked by IT staff and vendors, through compromise by social engineering and weak controls, to zero-day software vulnerabilities. Mitigation is extremely challenging today in targeted scenarios, where zero-day vulnerabilities are closely guarded secrets used in selective attacks.
I also love to compare a security role with the game of chess. Blackhats play the white pieces and whitehats the black. In the opening game, the first move goes to white and black has to defend. Guessing what the white move will be is always a challenge for the player who plays black. In a similar vein, whitehats have to defend against an unknown blackhat move, which makes defense complex and challenging. The only defense is to continuously assess risk and build up organizational defenses to thwart future attacks, with an unrelenting effort to patch vulnerabilities before a blackhat can exploit them.