The best known paradox attributed to Zeno of Elea is that of Achilles and the Tortoise, a thought experiment which argued that no matter how fast Achilles was, he could never quite catch up with the Tortoise.
This was delightfully expounded upon by Lewis Carroll in a lesson on infinite regression, and even more delightfully by Terry Pratchett, who envisioned hordes of philosophers in pursuit of beleaguered tortoises under a Mediterranean sun.
Some years ago I made a hurried napkin sketch of the graph below, to explain the difficulty of attaining perfect IT security. I’m here today to let you in on a dirty little secret: you can never be 100% safe. You can spend and spend and spend, and never quite be absolutely secure.
The good news though is that you can be pretty safe, up to the point where your wallet feels a bit strained.
Now, you should not take this curve literally – in the best tradition of polemicists since time immemorial, you can see I’ve omitted any actual numbers, or for that matter supporting data. Despite that, I think I can show that this is a useful tool for thinking about your security spend. Let’s take the vertical axis, “safety”, to go up from 0% to 100% safe, and the horizontal to run from “not spending anything” to “spending eye-watering amounts”. The curve just shows something that rises rapidly on the left, and grows asymptotically closer to 100% on the right – but never quite gets there.
Looking at the right-hand end of the curve, the core problem is this: to be 100% safe, your security measures have to be correct every time. An attacker only has to be right once. To make matters worse, the cost to attackers is virtually zero, while you’re committing to spending huge amounts. If there’s one lesson to be learned from the military adventures of great powers through the last half of the 20th century it is this: you can’t win an asymmetric war against guerrilla forces. Even worse: if a nation state decides it’s going to subvert your security, you can pretty well guarantee that they’ll succeed, no matter what you do.
There is a little subtlety in this side of the curve though. It’s not just that we are spending eye-watering sums and still not 100% secure, it’s that large increases in spend will result in only tiny improvements in your security. You can never quite catch up to that tortoise.
There is of course one way to attain 100% security, reportedly: turn your servers off, encase them in concrete, and sink them in the ocean. Oh, and don’t forget to include the backups. And the developer laptops. And… actually, this doesn’t look like it would work either. But it does highlight what economists call an externality: as you make your IT infrastructure more secure, how much hidden cost are you accruing in lost efficiency as your staff struggle to access the information and services they need to do their jobs? At what point does your increased security result in staff seeking workarounds and ways to subvert your safety measures?
Let’s have a look at the other end of the curve then. For what it’s worth, you’re probably living down that end, rather than up in the eye-watering end, even if it feels like security is costing you a lot. Don’t worry though – if you’re down that end of the curve, you’ve got the freedom to make big improvements on your safety with not a lot of expenditure, and to be able to make sane decisions about where on the curve you would like to be.
There are a lot of vendors of security products out there, all keen to tell you why you need to be afraid, and why you need to buy their product. Mostly they’re honest, and their products will indeed address whatever scare they talk about. Equally, a lot of products are like custom detailing on a car – do you really need mag wheels and spoilers on the Toyota Corolla you run the kids to school in, when what you rely on are brake lights, seatbelts and airbags?
My advice is to start by looking calmly and rationally at two things: what the real risks are, and what are the most important information assets you need to keep private and safe.
It’s also important to understand the nature of external attackers in 2021: your adversary is not an isolated youth in the basement wearing a black hoodie. Rather, almost all cyber crime is carried out by well-organised, well-funded gangs. Professional criminals, not elite genius hacker amateurs. Perversely, this is good news – professional criminals don’t like to work hard, and if you make yourself sufficiently safe they will look elsewhere for victims. If you live in London, you know this from securing your bicycle – two decent locks properly attached make stealing your bike more of a hassle than it’s worth the professional criminal’s time.
If I were to pick a top three things to worry about in 2021 as risks, I’d pick ransomware, insider attacks, and ham-fisted blunders. If you want to boil down your risks to fundamentals they would be this – your confidential data is exposed, your critical data or systems are made unusable, or your cold hard cash is stolen. The three I picked exhibit most of those fundamentals, but they also share a common factor – criminals can take advantage of the most hackable part of your environment: people. I’ll talk about each in turn, and try to highlight some reasonably easy, reasonably cheap things you can do to improve your security posture.
So. Ransomware. This is a huge growth industry, and continues to grow. It’s very hard to get a handle on how much this costs companies, but best guesses are that in 2020 ransomware cost something around USD 20 billion in downtime, damages and direct ransoms. Not only is the potential pot attractive to criminals, the criminals are getting nastier – one of the most horrible cases unfolded in Finland last year where a mental health clinic was targeted, and the criminals began releasing highly confidential patient records into the public domain. All told, more than 40,000 patients were exposed, and the clinic has been bankrupted. The gang in question endeavoured to extort between €8 million and €20 million directly from the patients. A more common modus operandi of ransomware gangs is to lock up internal data on servers and laptops, and demand a ransom for an unlock key. Opinion is divided whether ransoms should be paid or not (another small growth industry has arisen to act as brokers between the gangs and the victims), and there’s no guarantee that paying the ransom will allow your data to be recovered.
Virtually all ransomware is introduced to organisations via email, and almost invariably it relies on hacking the person: a malicious viral payload is embedded in a document or executable, the recipient is tricked into opening it… and the damage is done. This is one of the reasons why ransomware attacks are so profitable for criminals – the cost of emailing is virtually zero, they can send millions of phishing attempts, and only need a handful to succeed.
So what can you do about ransomware? First and foremost, educate your users on how to detect phishing email. There are companies who can help you with this training, and they can also help you test your vulnerability. If you have a culture where users regularly send documents around by email, where they expect that they will get documents by email – kill that dead. You might also look at email filtering solutions; there are a number of good ones on the market that are reasonably priced. Security experts will sometimes talk about “attack surface”, that part of your environment that is attackable. Your email addresses are the biggest and most vulnerable attack surface: anyone in the world can send your staff absolutely anything they want.
Next – back up your data. Back it up regularly, often, and reliably. And for heaven’s sake, test your backup procedures. I’ve lost count of the number of times I’ve seen, and heard of, organisations that spend a fortune on backups only to discover that they cannot recover from them when they need to.
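The “test your backups” advice above is the sort of thing that only gets done if it is scripted. The following is an added example (not code from the original post) of a restore drill: it backs up a directory to a tar archive, restores it somewhere else, and proves the restored copy is byte-for-byte identical by comparing SHA-256 digests. The sample files are constructed; a real drill would point `source_dir` at a production dataset and swap the tar step for whatever the organisation’s backup tool actually does, keeping the verification step as-is.

```python
"""Backup restore drill: back up, restore elsewhere, verify digests match.

Added example, not from the original post. The sample directory is constructed;
the tar archive stands in for a real backup tool.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for "the important data".
SAMPLE_FILES = {
    "patients/records.csv": b"id,name,diagnosis\n1,A. Example,constructed\n",
    "finance/ledger.txt": b"2021-01-01 opening balance 1000.00\n",
    "config/app.ini": b"[db]\nhost=db.internal\n",
}


def make_sample_tree(root: Path) -> None:
    """Write the constructed sample files under `root`."""
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def digest_tree(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def back_up(source_dir: Path, archive: Path) -> None:
    """Archive every file under source_dir with paths relative to it."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source_dir.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=path.relative_to(source_dir).as_posix())


def restore(archive: Path, target_dir: Path) -> None:
    """Extract the archive; use the 'data' filter where the interpreter has it."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target_dir, filter="data")
        except TypeError:  # older Python without extraction filters
            tar.extractall(target_dir)


def verify_restore(source_dir: Path, restored_dir: Path) -> dict:
    """Compare original and restored trees; report anything missing or altered."""
    expected = digest_tree(source_dir)
    actual = digest_tree(restored_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return {
        "ok": not (missing or extra or corrupted),
        "files_checked": len(expected),
        "missing": missing,
        "extra": extra,
        "corrupted": corrupted,
    }


def run_drill(tamper: bool = False) -> dict:
    """Full drill in a temp dir. `tamper=True` simulates a bad restore so the
    check itself is exercised: one file truncated, one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, restored = root / "source", root / "backup.tgz", root / "restored"
        make_sample_tree(source)
        back_up(source, archive)
        restore(archive, restored)
        if tamper:
            (restored / "patients/records.csv").write_bytes(b"truncated\n")
            (restored / "finance/ledger.txt").unlink()
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered restore:", run_drill(tamper=True))
```

Running this on a schedule, with the result posted somewhere a human will notice, turns “we have backups” into “we restored from them last night and every file matched”.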
Finally, treat your laptops and servers as disposable. Which is a very scary statement. For your laptops to be disposable, you need a culture where any important data is not kept on them (which you should have anyway – do you really want someone reading your secrets when Albert leaves his laptop on the Tube?). A laptop gets encrypted by malware? Take it off the network, erase it, and reinstall the software. This holds for servers as well, and is hugely simplified by using cloud servers: if a server is subverted, throw it away and rebuild it. The use of automated deployments, infrastructure-as-code principles and DevOps ideas should mean the time to rebuild is measured in hours, if not minutes. And test your backups.
Very little of what I just outlined involves novel or expensive technologies – it’s all about a cultural shift. Stop worrying about the networks, servers, laptops and software that manage your data and information. Instead, protect the data and information itself. That’s the unique, precious, and possibly priceless part of your IT systems.
Ransomware attacks often share a common feature with insider attacks – your data is copied out of your environment, and off into the ether for gain or amusement. Insider attacks are the most insidious and unnerving risk you face, and it’s (almost) all about people – how can you trust the people you have working with your information and data not to take it elsewhere for their gain? It’s doubly worrying for your system administrators: quis custodiet ipsos custodes? And if that doesn’t worry you, think on this: one of the most likely ways that a serious attacker in a highly secure environment will act is to compel an administrator to divulge confidential information or introduce malware. Criminals are lazy, they don’t like having to be clever or work hard.
First up, you need to monitor your systems, particularly with respect to outgoing information. Unexpected changes to configurations, unexpected data flows, unexpected data access should all trip alarms. Again, there are a lot of software solutions that can help with various aspects of this, but the most important tool is the four-eyes principle. Who watches the administrators? Other administrators. Important operations and changes (and this counts for your funds transfer operations too!) should require approval. To minimise the evil-administrator risk, once again focusing on automation of operations and the use of infrastructure-as-code principles can help a lot. The other big cultural shift you can make is to adopt the principle of least privilege everywhere, top to bottom in your organisation – information and data should only be made accessible to people who need it to do their job, and they should only have access to enough information to do their job.
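To make “unexpected data flows should trip alarms” concrete, here is an added example (not from the original post) of the simplest useful egress check: build a per-host baseline of daily outbound bytes over the preceding days, then flag a day whose volume is far above that baseline, and flag any sizeable transfer to a destination that host has never talked to before. The flow records are constructed, and the thresholds (three standard deviations, a 100 MB minimum excess, a 50 MB floor for new destinations) are assumptions to be tuned per environment.

```python
"""Egress anomaly check over daily flow summaries.

Added example, not from the original post. FLOW_LOG is constructed; the
thresholds are assumptions to tune for a real network.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: date, source host, destination, bytes out.
# The last line is the one a defender would want to hear about.
FLOW_LOG = """\
2021-03-01 fileserver01 backup.internal 5200000000
2021-03-01 laptop-albert office365.example 120000000
2021-03-02 fileserver01 backup.internal 5100000000
2021-03-02 laptop-albert office365.example 98000000
2021-03-03 fileserver01 backup.internal 5300000000
2021-03-03 laptop-albert office365.example 110000000
2021-03-04 fileserver01 backup.internal 5250000000
2021-03-04 laptop-albert office365.example 105000000
2021-03-05 fileserver01 backup.internal 5150000000
2021-03-05 laptop-albert office365.example 101000000
2021-03-06 fileserver01 backup.internal 5200000000
2021-03-06 laptop-albert office365.example 99000000
2021-03-07 fileserver01 backup.internal 5200000000
2021-03-07 laptop-albert office365.example 115000000
2021-03-08 fileserver01 backup.internal 5200000000
2021-03-08 laptop-albert office365.example 104000000
2021-03-08 laptop-albert pastebin-like.example 2600000000
"""


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated summary lines into (day, host, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, host, dst, nbytes = line.split()
        flows.append((day, host, dst, int(nbytes)))
    return flows


def daily_totals(flows: list) -> dict:
    """host -> day -> total bytes out."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, n in flows:
        totals[host][day] += n
    return totals


def find_anomalies(flows: list, eval_day: str, sigma: float = 3.0,
                   min_excess: int = 100_000_000,
                   new_dest_min: int = 50_000_000) -> list:
    """Compare eval_day against the trailing history and return alerts."""
    history = [f for f in flows if f[0] < eval_day]   # ISO dates sort lexically
    today = [f for f in flows if f[0] == eval_day]
    baseline = daily_totals(history)
    known_dests = defaultdict(set)
    for _day, host, dst, _n in history:
        known_dests[host].add(dst)

    alerts = []
    # 1. Volume: today's total far above the host's own history.
    for host, days in daily_totals(today).items():
        observed = days[eval_day]
        past = list(baseline.get(host, {}).values())
        if len(past) < 3:
            alerts.append({"host": host, "kind": "no_baseline", "observed": observed})
            continue
        mu, sd = mean(past), pstdev(past)
        if observed > mu + sigma * sd and observed - mu > min_excess:
            alerts.append({"host": host, "kind": "volume",
                           "observed": observed, "baseline_mean": round(mu)})
    # 2. Destination: a large transfer somewhere this host has never sent data.
    for _day, host, dst, n in today:
        if dst not in known_dests[host] and n >= new_dest_min:
            alerts.append({"host": host, "kind": "new_destination",
                           "destination": dst, "bytes": n})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_flows(FLOW_LOG), "2021-03-08"):
        print(alert)
```

The file server’s large but steady nightly transfer to the backup host is not flagged, because the baseline is per host; Albert’s laptop is flagged twice, once for volume and once for the never-before-seen destination. Either alert is a reasonable trigger for the four-eyes conversation the paragraph describes.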
Simple ham-fisted error is likely to expose your assets as well. Hanlon’s razor applies: a data leak is much more likely to occur because of an error, than by intent. Fortunately, the same cultural shifts help – automate operations, monitor for configuration changes and data flows, use four-eyes for changes. And stop moving data around so much! Seriously, if you have staff who as part of their regular operations pull data off a server onto their laptop, figure out ways to stop that, otherwise Albert will leave his laptop on the Tube sometime. Don’t email patient records to an outside party, set up a secured web page for them to be downloaded, otherwise Betty will accidentally send that embarrassing medical problem to everyone in her bookclub.
Don’t discount ham-fisted error as a significant risk – the Equifax breach in 2017 (which cost them somewhere well north of USD 650 million in damages) was almost entirely ascribable to a combination of non-existent monitoring and really dumb mis-configuration of vulnerable services.
You can gain considerable safety by instilling a culture where data and information resides in a well secured, well monitored place from which it can be fetched at need, rather than moving all your precious information around via email, FTP transfers, or carrier pigeon.
I’ll leave you with two final cultural changes that can gain you big security bang for modest bucks. First up, instil a culture of password hygiene, along with tooling to help.
The security community is in absolute agreement that passwords are terrible, and usually the easiest way to break into a system. There is a lot of debate about the value of complicated passwords, and about forcing password expiry for most of your staff, but there’s no disagreement that the passwords for administering and accessing services and servers should be managed.
If you’re not using a password management system (e.g. LastPass or 1Password) for your privileged accounts – fix that. Make someone responsible for ensuring that passwords on privileged accounts are regularly changed, and never (ever) reused from one place to another. The big advantage of a password manager is it makes it easy to use long and complex passwords, and to track re-use of passwords. Good password managers also provide audit facilities so you can see who is using what account. Most importantly, it’s the best way to stop Carl from writing his password on a sticky note attached to his screen.
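The “make someone responsible” advice above is far easier to act on if the checks run themselves. As an added example (not from the original post), the script below audits an export of privileged-account entries for the three problems the paragraph names: passwords reused across accounts, passwords not rotated within the policy window, and passwords too short to have come out of a generator. The vault entries, the fixed audit date and the policy numbers (90 days, 16 characters) are constructed assumptions; a real run would read the export from the password manager’s own CLI or API, and the report deliberately shows only a digest prefix, never the password.

```python
"""Privileged-account password audit over a vault export.

Added example, not from the original post. VAULT, TODAY and the policy values
are constructed assumptions.
"""
from collections import defaultdict
from datetime import date
import hashlib

# Constructed vault export; a real one comes from the password manager's CLI/API.
VAULT = [
    {"account": "root@db-prod-01", "owner": "carl",
     "password": "Tr0ub4dor&3", "last_rotated": "2020-06-01"},
    {"account": "admin@firewall", "owner": "carl",
     "password": "Tr0ub4dor&3", "last_rotated": "2021-01-15"},
    {"account": "root@web-01", "owner": "betty",
     "password": "gq7-V2k!pL9m#Zr4Wc8s", "last_rotated": "2021-02-20"},
    {"account": "svc-backup", "owner": "albert",
     "password": "backup2019", "last_rotated": "2019-11-30"},
]
TODAY = date(2021, 3, 1)  # fixed so the example is reproducible


def fingerprint(password: str) -> str:
    """Short digest used to group identical passwords without printing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit(vault: list, today: date = TODAY,
          max_age_days: int = 90, min_length: int = 16) -> list:
    """Return one finding per policy violation found in the vault export."""
    by_fingerprint = defaultdict(list)
    findings = []
    for entry in vault:
        by_fingerprint[fingerprint(entry["password"])].append(entry["account"])
        age = (today - date.fromisoformat(entry["last_rotated"])).days
        if age > max_age_days:
            findings.append({"account": entry["account"], "owner": entry["owner"],
                             "issue": "stale", "age_days": age})
        if len(entry["password"]) < min_length:
            findings.append({"account": entry["account"], "owner": entry["owner"],
                             "issue": "short", "length": len(entry["password"])})
    # Reuse is a cross-account property, so it is reported once per password.
    for fp, accounts in by_fingerprint.items():
        if len(accounts) > 1:
            findings.append({"accounts": sorted(accounts),
                             "issue": "reused", "fingerprint": fp})
    return findings


if __name__ == "__main__":
    for finding in audit(VAULT):
        print(finding)
```

Each finding names an account and its owner, which is the point: it gives the person made responsible for password hygiene a list to work through rather than a vague instruction.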
One final note on passwords – if any of the services you are using support two-factor or multi-factor authentication: make using it mandatory. The security gain over just using a name/password pair is huge, and it costs virtually no effort.
Finally, something I’ve mentioned a few times is the need to re-imagine the thing you need to protect as your data and information, rather than the servers, laptops, network and software. This is a surprisingly large mindset shift for a lot of folk in IT. All the expense and effort is around software, laptops, servers and networks – so it must be the important part, right? It’s as though a restaurant focused on plates, lighting, chairs, and mood music instead of putting food in front of a hungry customer, but it’s an understandable misapprehension.
Backup your data, encrypt your data, minimise transfer of your data. Understand minutely where it travels, who can see it and who has seen it. Wrap it in audited and secured access layers like APIs and in general treat it as irreplaceable. But also understand that not all data and information is equally important. You really need to come to grips with what data and information you have, and to rationally decide what is important and what isn’t. Customer payment details? Important. Administration passwords? Important. M&A proposals? Important. The long email thread about a going away present for Denise? Definitely not important. Only you know what is important and what isn’t, but be careful to distinguish what is damaging to the company if it is leaked, and what is merely embarrassing.
Moving to a data-centric culture is tricky, and it’s likely that a lot of your existing IT infrastructure does not fit comfortably in that world. You might like to look toward so-called “Zero Trust” solutions from companies like AppGate, Fortinet, Okta or Palo Alto to help here, but be aware that this starts to edge you over to the right-hand side of the curve.
You can’t keep all of your data and information safe all the time from all possible loss or disclosure. No matter how much you spend, someone is going to get a hold of it if they want it, or it’s going to be accidentally divulged. You can maximise the effectiveness of your spend by instilling important cultural shifts and small technical fixes, and by gaining clarity on what needs to be protected. Pick somewhere in the middle of the curve, and aim for that point where your actual safety is balanced against your wallet.