Assume that you have been compromised and work on what needs to be done to address it.
For business and government, cyber security is the new arms race. We defend, and the enemy counters. We respond, and so do they. The cycle escalates in perpetuity.
A strong cyber defense is an integral part of good IT operations. Operate and defend are effectively two sides of the same coin: a denial of service (DoS) attack is still an attack whether it comes from an external source or results from an error in your own IT department. You need to be able to respond to both effectively and have a clear understanding of the routes, or attack vectors, through which the breach occurred. Whether it’s a malicious attack or an error, you’ll need the same business continuity and disaster recovery plans and capabilities in place.
To truly understand the potential attack vectors, you first need to have total visibility of all the assets on your network and their current status. As part of the process, you will need to evaluate the network paths across all systems and telecom carriers. While asset classification and identification are among the less glamorous aspects of information security, they are as essential to it as they are to good IT operations.
The disturbing fact is that very few organizations have such a detailed understanding of their networks. Bad guys get in because they get to know your network a lot better than you do. They discover vulnerabilities and press at those points like a hot knife through butter.
To my mind, the safest approach is to assume that you have been compromised and work on what needs to be done to address this. I call this approach Cyber Defense in Depth.
Cyber Defense in Depth is a proactive posture that uses multiple methods at different layers to protect IT systems against attacks. People tend to think of cyber protection primarily in terms of perimeter protection, such as a firewall, but forget about the other layers, which are equally, if not more, important. A medieval castle is a helpful metaphor: you can build higher walls, but the risk is that you become complacent and forget that attackers can still tunnel under or poison food and water stores to spread virus and disease.
There is another problem with living in a castle with high walls and closed doors: you have not only made access difficult for your enemies, but for your friends as well.
Perimeter protection has value, but it is not the be-all and end-all. However, the majority of people invest their time in anti-virus and firewalls. Anti-virus software may clear 60 to 70 percent of the junk, but you have to remember that there are likely to be cracks in the firewall that can be used to get in, unless you cut your network off from the outside world entirely, and even then you can’t be sure!
Organizations should operate on the assumption that their firewall has been breached and that there are people already inside the network who should not be there. So, then you must ask, what needs to be true for you to be ‘comfortable’ with uninvited guests inside your network?
Firstly, you need to be able to detect, contain and remove malicious software, or malware, as rapidly as possible. Secondly, if uninvited guests are still inside then you need to ensure that they can’t steal any information or that what they can exfiltrate is worthless, which is where digital rights management has a significant part to play.
When developing a cyber defense strategy, remember the castle metaphor and don’t let high walls lull you into a false sense of security. The most important thing is not whether a network has been breached, it’s whether you can protect what is most important - the organization’s ‘crown jewels’ - its data and information. To be successful, organizations should develop multiple approaches including planning, strengthening internal protections, training employees, as well as guarding the perimeter.
Given that most security breaches are caused by human error or omission, it makes sense to include a robust training program for employees that provides the tools to mitigate security risks. One important technical step is to improve security for devices on your network, known as end-points, as these are often the weakest link in security and are usually operated by employees.
In planning a cyber defense, assume the castle walls will be breached and plan for it.
Mike Stone (Mike.Stone@kpmg.co.uk) is KPMG’s Global Head of Technology Transformation for Infrastructure, Government and Healthcare. He served as an officer in the British Army for 28 years and has worked as Chief Digital Information Officer for the UK Ministry of Defence as well as President of Service Design and Chief Information Officer for BT Global Services.
This is the first in a series by Mike Stone on cyber defense in depth, with future articles discussing specific areas of work.