I'm often surprised at the public's disappointment with the realization that security processes are not directly analogous to the medical notion of immunization. In fact, single-shot protection does exist: a patch, a firewall filtering rule or a similar targeted control does defuse an individual threat.
What about millions of monkeys creating infinite malware strains?
The bigger issue is the direct relationship between protecting against an entire universe of threats and the need for security to be applied at various levels, or layers, to anticipate the manifestation of diverse attacks. Why does it have to work that way? Why can't we just deploy a 'suite' of applications to deal with the whole thing? Flip a switch and you're done: it's the 21st century after all!
The answer is simple. Computers, like humans, operate in layers. Beyond general healthy measures and safety best practices, threats to those layers must be addressed individually.
Take for instance the security - or lack thereof - of retail environments. The overwhelming notion has been that Target and other large retailers have been negligent in protecting the security of customer payment data. When a breach exposes a million, ten million or a hundred million financial records, there is no argument that someone dropped the ball somewhere. But it is precisely that somewhere that represents the very definition of negligence in the security space.
Call it the weakest link and you will realize the extent of challenges faced by security professionals every moment of the day. You can protect against 99% of threats, but if that 1% allows attackers to chain together a series of exploits resulting in unauthorized activity, that's called negligence.
Lest I be accused of not adequately illustrating the issue, let's have a look at the basic layers required in the protection of a retail environment's Point-of-Sale activities. Just like a human body's organs, these systems are interrelated and to a large extent, interdependent. Here are the 6 risk areas that need scrutiny and vigilance:
- Legislative: Comply with Canadian privacy law
- Industry standards: Adhere to the PCI-DSS 3.0 standard
- Tech standards: Adopt EMV/Chip-and-PIN payment systems
- IT security: Employ intrusion detection technologies
- Administrative security: Conduct employee background checks
- Physical security: Deploy video surveillance & access control
By looking at it this way, it becomes painfully obvious that organizations whose security mindset is limited to thinking about the problem as purely an IT issue are entirely unprepared for the kinds of breaches we have been seeing and are likely to see in the future.
So when you read about ChewBacca, SpyEye, Zeus, BlackPOS and other emerging threats wreaking havoc on the systems and stock prices of venerable enterprises, ignore the word 'sophisticated'. Regardless of complexity, these are purpose-built tools created to take advantage of known weaknesses at different layers. String together enough of these holes, and you can automate the process of exploiting a company's information assets for personal gain.
It's not rocket science, but it clearly illustrates the following: incomplete vigilance is entirely useless and complete vigilance is unrealistic. Systematic vigilance is where it's at. It is only by monitoring a standardized collection of controls at each layer that organizations can not only thwart the majority of attacks before they occur, but also cut off those 'sophisticated' attacks at the knees before they have a chance to do real damage.
How can companies achieve that kind of systematic vigilance?
That part is fairly simple: by properly implementing a proven framework of controls and having those safeguards independently verified. That kind of perspective is called risk maturity, and when it comes to protecting valuable intangibles, it is the only thing that comes close to the concept of immunizing information assets against emerging threats.