If that title doesn't get your attention, I doubt much else will. And yes, of course there's no such thing.
So rather than inviting the wrath of the cybergods, which will certainly fall heavily upon anyone claiming "hackerproof," let's talk a little about building a more hacker-resistant enterprise.
I get to see lots of different approaches to the information security problem. Most work a little, some not at all; but a few, just a few, work really well. I'd like to share what I think makes the difference between going through the motions and actually getting the job done.
First off, the successful enterprises understand that "secure" isn't a state you can actually get to. In fact, it's a vague concept and arguably more an illusion than anything else. You're never actually "secure." Sitting where you are right now, any number of bizarre things could happen to you. An airplane could come crashing down on you, a gas main under you could explode, or a heated exchange at the office could trigger that aneurysm you didn't know you had. The point is, we are surrounded by risks every day, lots of them, but we can't be aware of them all, let alone manage the lot.
The successful approach is to understand what vulnerabilities exist, the likelihood that a threat successfully exploits a specific vulnerability, and the cost of the resulting consequences. This is the basis of risk management in general, and it's not often demonstrated in day-to-day information security practice.
The second trait I think all the successful programs share is a deep understanding of exactly what is worth protecting, who might want to steal it, and how they might go about getting at it. This requires a practitioner to understand cybercrime statistics and trends as well as the street value of various types of data. (Stolen data ranges from inexpensive email lists up to full credit card swipe data.)
Other more subjective effects include loss of competitive advantage due to intellectual property theft and brand damage caused by publicity surrounding a breach. Once you have a grip on potential costs, it's actually easy to determine how much you should spend and which controls you should implement to protect those assets. Again, it comes down to actually understanding and managing your risk, not just throwing the latest trade show security solution at it.
The third thing I've noticed about successful enterprises is that they actually know what traffic is traveling across their networks. There's no one best way to do this -- and it's not a technology we're talking about here. It's a habit of needing to see and confirm that controls are working.
The bigger your network is, the harder this particular part is to achieve. The good network managers actually see every binary download, every outbound connection reset by the firewall, every login failure, and even every domain name resolution to known bad places on the Internet. A well-set-up network knows whether someone plugged an unknown device into an Ethernet jack or tried to connect it to a WiFi access point.
Without good visibility into network activity, you can't know that your controls are working or, even more importantly, whether they've failed. This visibility doesn't necessarily have to be real time; high-frequency batch auditing can be just as effective, especially in a smaller network environment.
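To make the "batch auditing" idea concrete, here is a small audit pass over the four kinds of events named above (blocked outbound connections, login failures, DNS lookups of known-bad names, and binary downloads). This is an added example, not code from the original post or from Ra Security Systems; the log format, the host addresses, the denylist and the threshold of three failed logins are all invented for the example, and a real deployment would parse whatever the firewall, proxy, resolver and directory actually emit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The syslog-style key=value format is invented
# for this example and does not correspond to any particular product.
SAMPLE_LOGS = """\
2024-03-04T09:00:01 fw OUTBOUND src=10.1.4.22 dst=203.0.113.9 dport=4444 action=RESET
2024-03-04T09:00:02 fw OUTBOUND src=10.1.4.22 dst=203.0.113.9 dport=4444 action=RESET
2024-03-04T09:00:03 fw OUTBOUND src=10.1.4.23 dst=198.51.100.7 dport=443 action=ALLOW
2024-03-04T09:00:05 auth LOGIN user=jsmith src=10.1.4.22 result=FAIL
2024-03-04T09:00:06 auth LOGIN user=jsmith src=10.1.4.22 result=FAIL
2024-03-04T09:00:07 auth LOGIN user=jsmith src=10.1.4.22 result=FAIL
2024-03-04T09:00:08 auth LOGIN user=jsmith src=10.1.4.22 result=FAIL
2024-03-04T09:00:09 auth LOGIN user=mlee src=10.1.4.30 result=OK
2024-03-04T09:00:10 dns QUERY src=10.1.4.22 qname=update.example-bad.test
2024-03-04T09:00:11 dns QUERY src=10.1.4.30 qname=www.example.org
2024-03-04T09:00:12 proxy DOWNLOAD src=10.1.4.30 url=http://mirror.example.org/tool.exe type=application/x-msdownload
2024-03-04T09:00:13 proxy DOWNLOAD src=10.1.4.22 url=http://mirror.example.org/readme.txt type=text/plain
"""

# Constructed denylist standing in for a threat-intelligence feed (hypothetical names).
KNOWN_BAD_DOMAINS = {"example-bad.test", "c2.example-bad.test"}
# MIME types treated as "binary download" for the purposes of this example.
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream",
                "application/x-executable"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) (?P<fields>.*)$")


def parse_line(line):
    """Turn one 'ts source EVENT k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "source": m["source"], "event": m["event"]}
    for kv in m["fields"].split():
        k, _, v = kv.partition("=")   # split on the first '=' only, so URLs survive
        rec[k] = v
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def domain_is_bad(qname, bad):
    """True if qname or any parent zone of it is on the denylist."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in bad for i in range(len(parts)))


def audit(records, bad_domains=KNOWN_BAD_DOMAINS, fail_threshold=3):
    """One batch pass: bucket noteworthy events by category."""
    findings = defaultdict(list)
    fails = Counter()
    for r in records:
        if r["event"] == "OUTBOUND" and r.get("action") == "RESET":
            findings["blocked_outbound"].append((r["src"], r["dst"], r["dport"]))
        elif r["event"] == "LOGIN" and r.get("result") == "FAIL":
            fails[(r["user"], r["src"])] += 1
        elif r["event"] == "QUERY" and domain_is_bad(r["qname"], bad_domains):
            findings["bad_dns"].append((r["src"], r["qname"]))
        elif r["event"] == "DOWNLOAD" and r.get("type") in BINARY_TYPES:
            findings["binary_download"].append((r["src"], r["url"]))
    # Only report repeated failures; a single typo'd password is not a finding.
    for (user, src), n in fails.items():
        if n >= fail_threshold:
            findings["login_failures"].append((user, src, n))
    return dict(findings)


def hosts_of_concern(findings):
    """Hosts that show up in more than one category: look at these first."""
    seen = defaultdict(set)
    for category, items in findings.items():
        for item in items:
            host = item[1] if category == "login_failures" else item[0]
            seen[host].add(category)
    return {h: sorted(c) for h, c in seen.items() if len(c) > 1}


if __name__ == "__main__":
    f = audit(parse_logs(SAMPLE_LOGS))
    for category, items in f.items():
        print(category, items)
    print("hosts of concern:", hosts_of_concern(f))
```

Run on the constructed sample, the pass flags two blocked outbound connections, four failed logins for one account, one lookup under a denylisted zone and one executable download, and the correlation step singles out 10.1.4.22 because it appears in three of those buckets. The point of the batch approach is that this whole script can run from cron every few minutes against exported logs; nothing here needs a real-time pipeline.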
The fourth and last trait of successful enterprises is not which technology is used, but how that technology is selected. It's no accident that technology is the last thing I mention in this post. That's because it's absolutely the least significant factor in information security management.
Go ahead, read that again, and let the flames fly; but I really don't care what brand of hammer a carpenter uses to build my house. I care how well the house is made. You can have all the best tools and still have a lousy security posture because you just don't know what you should be protecting, how much it'll cost you to lose, and how it's likely to be stolen.
I've seen excellent security programs put together on a low budget and using simple, sometimes even free tools. More often, I see the opposite of that, though. The successful practitioners start from a position of identifying a problem, such as, "We need to prevent unpatched and unprotected machines from connecting to our network." Then they find a solution that best meets the need.
This approach is substantially different from seeing the same product at a trade show and then implementing it because it sounds like a good idea. I wish I had a fraction of the security tools I've seen purchased and abandoned, and often never even implemented, at organizations with more budget than brains. We have a word for such entities: They're called victims.
— Gideon J. Lenkey, co-founder of Ra Security Systems