In Cyber, Losers Ignore, Survivors React, and Winners Predict
Knowledge of the threat scape is one of the determining factors in an organization’s ability to defend itself. There are three different approaches to cyber security. The first is to ignore the threat. Practically every outbreak of a worm or malicious virus has been preceded by warnings from the security community. The CodeRed worm targeted a vulnerability in Microsoft’s web server software that had been known for months. A patch was even available. Yet, thousands of US Government and other web servers were successfully attacked in 2000. And the follow-on Nimda worm which attacked the same vulnerability (and even a backdoor left behind by CodeRed) was even more successful at spreading and causing harm. TJX Company is the poster child for flying blind. Three years before they were infiltrated by hackers via an unprotected WiFi access point Lowes suffered a similar attack targeting their credit card information. The recovery from the attack against TJX and the loss of over 90 million credit card records cost them more than $200 million.
Which leads us to the next level of preparedness: reaction. Most organizations have begun to be able to react quickly to new threats. They institute patch and configuration management and they have organized Computer Emergency Response (CERT) teams. They pay attention to the news and begin to think about possible courses of action when they see new attack methodologies or even motivations arise. A vocal supporter of SOPA can expect DDoS attacks from Anonymous. A law enforcement agency can expect to be the next target of F**k FBI Friday (#FFF on Twitter). A very few law firms will be scrambling this week to review their security posture after the potentially devastating hack and subsequent leak of emails from Puckett Faraj. (Read The First Thing We Do is Hack All The Lawyers)
Judging by the number of large enterprises that bring me in to speak to their boards and senior execs there is still a problem at the top of many organizations with recognition of the rise of threats. Even though these organizations have their own security experts they feel an outside expert can do a better job of justifying security investments and frankly, frightening their stakeholders into taking security seriously.
The very best organizations are taking measures to predict future threats to their data and operations. Their CERTs are evolving to what I call Cyber Defense Teams. They engage in active research on new threat actors, new methodologies, and new vulnerabilities exposed by the types of targets that are being selected by cyber criminals and state actors. Defense Departments and contractors are recognizing that their defenses are essentially porous to attack. Best practices at banks include concern for their major customers’ data security. A bank that holds the assets of earth resource companies watches the rising threat against that sector and starts to build in the defenses to identify when their accounts are being monitored or attacked.