Are we surrendering the cyberwar?
I ran across a link sent via a Twitter user the other day, quoting NIST fellow Ron Ross as saying, "The interconnectivity of the Internet of Things (IoT) leaves public and private computer systems essentially indefensible, and no amount of security guidance can provide salvation." I confess that this comment set me off a bit, as it sounds like we are prematurely raising the white flag of surrender in the cyber war.
Even as far back as 2007, experts were warning that the security perimeter was dead, and focusing on data protection was the only approach that would work. An article in Dark Reading basically restated this, saying that "Perimeter security is no longer relevant to enterprises."
Notwithstanding many in my profession, I am unwilling to give up quite so easily. History was my worst subject all through school, and yet I still remember the words of Sir Winston Churchill who said, "A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty." I believe there are still many optimists in the industry that are not ready to cede the perimeter.
One of the aspects of information security this white flag approach overlooks is that while enterprise breaches usually dominate the headlines, smaller businesses statistically are the ones experiencing the bulk of the problems. Fortunately, their exposures are somewhat easier to address, and often involve "old fashioned" perimeter security. Their issue is that they often ignore the fundamentals.
CSID in their report Survey: Small Business Security reported that 31% of small and medium businesses suffered a security breach in 2013, a dramatic increase over prior years, despite their feeling that they are not widely known, and therefore not a big target.
In a recent Security Week article, Rafal Los broke down attacks into three categories:
Generic - Opportunistic, non-targeted threats. These are the drive-bys of the information security world. Hackers are looking to break into something, and happen upon your network.
Targeted - These attacks are aimed directly at you for one reason or another. Hackers want something they think you have, and they are after you to get it.
Invasive - These attacks are the "in-laws" of the hacking world. They come to stay awhile. They want not only what you have today, but what they think you will have next month. The work to hide the footprints indicate their presence.
When the big name attacks such as Target and Sony occurred, the world immediately focused on addressing targeted and invasive attack types, focusing less on generic attacks. I would suggest that while generic attacks are more likely to target small and medium businesses, they are still a significant risk to the enterprise. One of the reasons for this is that an enterprise is more likely to have a static IP address assigned, which makes them easier for the hacking world to pursue, given that they can persist over a period of time.
That brings us back to the fundamentals such as perimeter security and employee awareness, and the fact that most small and medium businesses, and many enterprises, are still ignoring them, putting them at the greatest risk for all types of attacks, particularly generic ones.
Now, I agree that enterprises must address targeted and invasive threats using means beyond the perimeter, such as threat intelligence and detective forensics. That being said, even they derive some benefit from a strong perimeter, and from not assuming that all hackers can get in regardless of what they do.
Bottom line: I don't care whether you have a small medical practice or a Fortune 100 company -- good security starts with a strong perimeter and security fundamentals. The tools available to accomplish this are evolving and improving daily. Sir Winston would be optimistic.