At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.
How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?
The information security war will never be won.
As long as people, or groups of people, have accumulated wealth of any kind. Other people try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.
In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problems of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.
In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.
There are times when it proves very challenging to break directly in to information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.
Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only be a small margin.
- We must protect all systems. An intruder will attack the system of his choosing.
- We must protect from all types of attacks. An intruder will use an attack method of his choosing.
- We must protect our systems at all times. An intruder will attack at a time of his choosing.
- We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
- We must obey all laws when defending our systems. An intruder may break any law of his choosing.
- The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
- Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.