Hackers don’t give a toss about policy
Quite an attention-seeking title, I would think. Apart from the obvious read-further carrot, I think there is a place for commentary on this subject. I am sure many of my industry colleagues will disagree, but have we been lured into a false sense of security by relying on policies and accreditation certificates? Now let me say upfront that only a fool would suggest that regulatory standards and accreditation are pointless and without purpose. The question here is whether we have relied on them to solve all our problems. Have organisations moved away from security tools, intelligence gathering and actionable evidence in preference for documentation controls?
I guess we need to go back to when it all started. For those that remember, there was a time when the security administrator was also the security manager, security architect and risk manager. Business and technology had not yet collided, leaving an amalgam of confusion and opportunity. It was all about providing a simple service and, most importantly, keeping it up. Adding a few security controls came in handy, but formalised processes and procedures were ad hoc at best.
Enter the Big Four. Traditionally rooted in financial services, this crew saw an opportunity to clean up the IT Wild West. Bringing policies, procedures and accountability to the IT world introduced a new standard of risk management, project delivery and operational services. This was a good thing. Organisations had something to work with, something to measure against. The gates opened and soon we had a breadth of industry standards and methodologies. The accountants had brought regulation and accountability to the technicians. Security was now as much about certification as it was about security testing and intelligence gathering.
With the emergence of smart technologies and data analysis, and the increasing number of ransomware attacks and zero-day exploits, has the reliance on documented security started to show some cracks in the armour?
The growth in government and private sector investment in cyber operation centres is not a coincidence. We are putting troops back on the ground. The emergence of cyber hunting and cyber threat intelligence services is an indication that we need more actionable evidence. A search of online job sites will quickly highlight the increased number of postings for penetration testers, ethical hackers and cyber threat analysts. The shift appears to be toward proactive services: the need to find out what may happen before it happens, a proactive cyber response plan in preference to a post-attack reactive posture.
As stated in the introduction, hackers don’t give a toss about policy. They understand technology and they understand human behaviour. Additionally, with an increase in attack vectors and the convergence of information and operational technologies, hackers do not assess their victims on whether they are currently certified, industry compliant and appropriately governed; it is far simpler than that. Hackers will most likely seek flaws and weaknesses in defence controls, flaws that can hide a zero-day attack until it is ready to launch. Some may say the age of the accountant mindset is over and the age of the engineer has begun. It is evident that engineering-like precision is required to address emerging cyber attacks.
To make the point further: recent attacks on large organisations have shown that, although well certified and compliant, many were soft targets for sophisticated attacks. They effectively had “no eyes” when it came to mapping the attack vector. Progressive enterprises, and certainly government insiders, are aware we need more on the ground to address this wave of cyber disruption. Of course, there will be challenges. Selling the need for cyber threat intelligence services to a broader management base that is, by and large, more comfortable with policy and standards documentation than with cyber attack analysis data will require some work.
As I mentioned earlier, only a fool would disregard the place and importance of accredited certification, policies and standards. However, in a smart world these controls on their own simply will not do. To rely on IT policy to stop the cyber criminal is like relying on a law journal to stop crime in our streets. We need the frameworks, the standards and the policies to map out the landscape and highlight the blocks and pieces that require control and consideration. This information provides insight into what needs to be defended and why. It should not be considered an alternative to cyber security controls and threat intelligence services.
After all, when toe-to-toe, I think most would prefer a cyber warrior equipped with an abundance of cyber bullets to one with a kit full of instruction manuals.
Author
Alan Mihalic SCCISP CISSP ISSAP ISSMP CISM
Principal Cyber Security Advisor, Writer, Keynote Speaker, President IoT Security Institute