Monday, April 27, 2015

Thoughts on The Irari Rules

I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now.  Both are quality and insightful security professionals who raise the bar within our industry.  As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.

Winkler and Gomes’ latest contribution to the fight is “The Irari Rules” (named by combining their first names). The relevance of the Irari rules in determining the true technical sophistication of an attack cannot be overstated; it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiency and volume around highly predictable (and preventable) attack vectors. That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.

Think about what the Irari rules are advocating for a second:

  • Use anti-virus or anti-malware software
  • Patch your systems
  • Use multi-factor authentication
  • Change passwords frequently
  • Create detailed, realistic, holistic education programs
  • Turn on and monitor your alert mechanisms
  • Segment your networks
  • Aggressively manage user accounts and their privileges

None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results.  Yet clearly something has changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness.  So if it’s not the sophistication of the technical attack…what’s going on?

Winkler and Gomes posit that the “new normal” for organizations should be to “expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.” This would seem to support an argument for the efficacy of a more sophisticated attacker as opposed to a more sophisticated attack – which results in higher levels of risk overall to an organization. Remembering the basic multiplicative risk model of (T)hreat x (V)ulnerability x (A)sset-Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor. Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not, as security is rarely so binary a calculus; rather, it’s the newness and maintenance of the locks in place. While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single-factor authentication, static passwords, etc.) with relative ease.

There’s another factor in the risk equation that Winkler and Gomes have failed to consider: asset value. While consumers have not yet fully reconciled their willingness to obtain convenience and personalized service by providing personal data with their concerns over its use, the value of data to both individuals and corporations has increased dramatically. As the value and proliferation of data within organizations increases, the security professional must reevaluate whether the locks remain sufficient, and are sufficiently maintained, to mitigate risks within the environment to an appropriate level.

Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree…but only to a point. Yes, claims of sophistication can contribute to obscuring the need for improvements, but the argument for improving programs isn’t in the elimination of that obscuration but in the removal of our profession's own obfuscation of risk issues. Fundamental blocking and tackling within a security program is essential, yes...but even the best-managed programs can’t bring risk to zero. As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in the asset value of data. In this environment, yesterday’s locks and windows (read: yesterday’s security program implementation) won’t keep the bad guys away.

My two cents…