Ants, Padlocks, and Cyber Security
If you’ve followed the news recently, I don’t need to tell you that cyber security is a topic of major importance today. It seems that every week there is another revelation of a security breach at an organization thought by many to be a leader in data and network security. The breaches span governmental agencies and virtually every industry. Ironically, even a company that makes its money selling security hacks to governments and other organizations was itself hacked and its secret hacking code made public!
What is leading to this seeming deluge of security breaches? Are the breached organizations simply falling down on the job? I would argue that it isn’t that simple. In fact, there are several factors that make securing networks and data today an incredibly difficult task.
PADLOCKS & LOCK PICKS
Consider for a moment the physical door locks that are employed around the world on every house, building, or car. Over the centuries, increasingly complex locks have been created. Instead of the simple keys from the past, we now have very complex, machine milled keys for our doors. Often, there is an electronic passcode as well. With all the improvement in lock technology over the years, we’ve certainly eliminated all car thefts, home break-ins, and industrial theft, right? Of course not! The fact is that as soon as a new lock is created, the bad guys go to work figuring out how to break into the lock.
You can go on the internet and easily see how to bypass common door locks. You can also purchase skeleton keys that will open a broad array of standard locks. The fact is that your front door is secure against a huge percentage of the population, including most bad guys. However, for those that are sophisticated and really want to get into your house, they can find a way. The same is true in the cyber world. Even with all the safety features placed on networks and data systems today, there are always weaknesses and gaps that someone will find and exploit. Even banks, with all of their sophisticated security protocols, still have branches robbed today.
EVER HAD ANTS GET INTO YOUR HOUSE?
Something I recently discussed with ZDNet is how most homes invariably will have a few ants and assorted other bugs inside. No matter how well we seal our homes and keep them clean, some ants find a way in. This is because an ant only needs an incredibly small crack or hole to make its way into your house. You may find the crack that the ants got in today and seal it. But, another crack will form soon enough. It is a constant battle to keep a home free of ants and bugs because new pathways into the home are constantly appearing as foundations settle, siding ages, and time takes its toll.
Cyber security is a similarly never ending endeavor. Even a network secured to the highest standards available will have cracks appear. These cracks can be an outdated operating system on an employee’s computer, phishing emails that an employee accidentally clicks on, or a malfunctioning router. At any point, another small vulnerability can appear and you can bet there are bad guys looking for those cracks all the time just as ants are constantly probing to find a way into your home. Without a concerted effort to find the cracks before someone else does or, at minimum, seal a crack as soon as someone exploits it, networks cannot be secure.
THE LACK OF LOCALITY
I was recently speaking with Jordan Lynn, an Australian journalist with Insurance Business, on the topic of cyber security and one of the most interesting topics of our conversation dealt with the unique nature of cyber break-ins versus traditional break-ins. Historically, it was necessary to physically show up at a car, house, or building in order to break into it and then physically carry out the loot. This created two extra safety nets compared to cyber security. First, since bad guys had to physically visit a property to attack it, the number of attacks any given person or team could execute was limited. Second, by being physically local to the crime scene, numerous chances to catch the crooks in the act are created and physical evidence can be left behind. There is a lot of risk for a crook during a physical break-in.
Unfortunately, when it comes to cyber security the concept of locality does not apply. A hacker can sit half a world away and attack a system through a path that is well masked and hidden. Even if the authorities can eventually figure out the source of the attack, those involved will be long gone from the scene. Not only do cyber criminals avoid the risks of locality, but they can also perpetrate many attacks simultaneously. This leads to the perfect storm of high volume, hard to trace attacks from a global pool of cyber criminals.
DON’T BE TOO QUICK TO JUDGE
While I do believe that many organizations lack sufficient security around sensitive data, I also believe that many are truly attempting to implement the highest security standards available today. But even the most diligent organizations won’t be able to stop every single breach attempt given the sophistication of the criminals at work today. Does that mean we need to despair and throw our hands up in defeat? No.
What must happen is that organizations must recognize the fluid nature of network and data security gaps and put in place sufficient resources to combat it. This includes becoming proactive in identifying risks and not just reacting to those already identified and/or exploited. It also means compartmentalizing certain sensitive information to the maximum extent possible and to actively monitor any interaction that occurs with that information. This approach would be analogous to adding video monitoring and motion detection to your home in addition to traditional locks. There has even been experimentation with offering cash awards to “good hackers” who identify and reveal new security gaps without exploiting them or passing them on to others.
Make sure that your organization isn’t underestimating the nature of the battle going on with cyber security. At the same time, don’t assume that any organization with a data breach is guilty of being careless and sloppy. The fact is that a battle is continuously raging to defeat network security protocols. You wouldn’t blame your neighbors who padlocked their doors if a criminal found a way to defeat the padlock and gain entry to their home. Similarly, there are cases where organizations did what would be reasonably expected but came up against a criminal with the right tools and enough motivation to gain access anyway.