Accepting the reality that mistakes will be made, intrusions will occur, and that inoculation and list updates will lag behind any new attack will guide corporations in the establishment of realistic countermeasures which allow them to survive systemic attacks, averting the risk of corporate-wide compromise.

Safe & Secure - For The Moment:

After months of reverse engineering, endless nights and bad Chinese food, the as-of-yet unknown hacker group, the Internet Free Radicals, has found their new attack point. Using steganography, they have devised a method of injecting malicious code into any image file which will regenerate and re-inject itself into any network. Using this algorithm, a time-delayed virus is attached to several "humorous" videos that have been posted for download on the immensely popular social website - by 5am that same morning more than 1,000,000 systems are infected and the virus is just getting started. The virus, not due to show itself for several days, quietly spreads undetected.

Later that same morning...

International Global Finance Corporation (IGFC) completes updating virus inoculation files on all of their servers and has completely scanned over 20 terabytes of financial data on their ATM servers. The scan has taken four I/O intensive hours, but finally all systems are clean and secure. One minute later a third shift operator at IGFC views a video posted at

The Computer Age:

Twenty years after the release of the personal computer, the world is a different place. No one needs to point out the prevalence of computers in daily life or the inherent risk that comes with using them. The problem is simply this: these very computing systems that we rely upon were not designed with security in mind. With the growth of computing use across every segment of business operations, only now are corporate information security teams scrambling to find effective systemic security solutions.

Unfortunately there are five words that are never spoken, but words whose truth is known by everyone involved in information assurance circles:

There is no 100% solution.

Every Chief Security Officer knows this to be true, and every CEO should hear and completely understand this reality. Ninety-five percent (95%) is the new one hundred percent in the world of information security. This includes all security efforts: trusted computing, data integrity, identity theft, and anti-malware software. To view corporate security in any other way is to deny reality - the proverbial e-ostrich stance.

Three irrefutable facts dictate this reality:

• Hackers are consumers and purchase every version of software used in business today.

• There is no way to remove human chaos from the information security equation.

• Software development companies cannot eliminate the flaws in their code, nor create quality assurance environments that emulate all of the complexities of the global business environment.

So what can be done? Go on the offensive? Not likely. Today's attackers are well trained, agile and virtually invisible, making capture almost impossible.

These facts, coupled with the obvious one that corporations are in the business of conducting business, not tracking down would-be malcontents, serve to heighten the problem. Should UPS concentrate on getting packages to their destination on time, or turn all of their resources towards tracking down hackers? Don't bother to ask UPS; they know their mission statement. It includes boxes, not bits.

That leaves a defensive posture.

Ask any General how he or she feels about defensive stances in the theatre of war (and yes, information security is a war). The answer will not be positive or reassuring. Somehow, someway, the attacker will find a means of "getting inside the walls". Unfortunately for the global business community this is currently the only stance possible.

Or is it?

Much has been written about the motivation behind hackers, but to be honest, does it really matter? Universally they are persona non grata no matter what intent they have or attack vector they use. What all companies want is for the problem to go away.

Certainly, as long as computers are in use, hackers will exist - another undeniable truth. Companies want to keep them out of their revenues, or more specifically, from impacting their revenues. Security breaches are production impacting events (PIEs) that can crush revenue generation in numerous ways:

• Literal loss of revenue based on production downtime.

• Loss of customer confidence due to bad press.

• Erosion of competitive advantage due to compliance failures.

The real solution lies in the 95%. Security executives live in fear of the infamous "Sunday afternoon phone call", where the weekend IT staff informs the CSO that over half of the corporation's resources are down due to some previously unknown hack.

A far better scenario, one that every CSO can live with, is arriving at work on Monday morning only to find a few systems that "need attention". This is 95%.

The best position companies can hope to achieve in future security events is one that minimizes the impact of an attack by making it impossible for the mistakes of a few to cripple the revenue generating capacity of the many.

Companies need to embrace the new tack of information survivability by minimizing PIEs, production impacting events.

The global business community has to change expectations to match the changes brought about by the proliferation and accessibility of computing resources.

Public and private sector organizations can create an environment in which pressure is put back on those who would seek to do damage by implementing true business continuity efforts. Nothing is more daunting to an attacker than to see their "prey" bounce right back after a blow.

Attackers will soon turn to other ventures once they realize their efforts leave their targets unfazed and nonplussed. From the view of the attackers, this is the ultimate deterrent. From the view of the corporation, this drives customer satisfaction and creates a strengthened work environment.

The next security event is not an If but a When. What CEOs and CSOs need to implement are aggressive policy, practice and procedural measures, coupled with solutions that turn a 5,000-system event into a five (5) system non-event.

The real question that needs to be asked is how a company can become event agnostic, not how it can be 100% secure.

We must acknowledge that the enemy will find a weakness to exploit, but also realize that you can make certain that any intrusion is contained, controlled, and ultimately crushed. At every level of a company there must be a new understanding that there will be pot-holes but not sink holes. There is much to be said for the company that weathers a storm.

The good news is that there are many new techniques being made available that will help a corporation reach the reality of 95%.

Great strides are being made in malware spread mitigation, trusted computing, data portability, and network attached security solutions, as well as the consolidation of effective solution sets. These efforts, coupled with proper metrics and procedures, will allow businesses to obtain an enterprise-wide view of their security efforts, thereby allowing them to easily deploy new security techniques and measure their effectiveness.

In the end, corporations seeking to create the Kevlar Company need to focus on eliminating production impacting events through survivability. Resilience is the ultimate preemptive stance when it comes to information assurance. Only from this 95% posture can the goal of 100% assurance ever be achieved.