Just as no man is an island, no company can operate without trust. But how do you effectively manage that trust?
There is a photo I’ve seen time and time again at security conferences, of a road with a large barrier in the middle to stop cars from passing. To either side of the barrier is grass with several tyre marks in it where cars have simply chosen to take the path of least resistance and drive around the barrier.
Figure 1: pinterest.com/pin/257971884875014665
What this represents is the difference between the concept of security, where there is a single road protected by a barrier, and the reality of security, where people are free to come and go at their leisure.
Where this analogy falls short is in the lesson it is usually used to teach about protecting businesses. It is easy to say that the problem could be fixed by building a fence around the road, or around the building, and sealing it off from the world. However, a company's boundary is nowhere near as clearly defined as a physical building, and the only way to maintain a competitive edge in 2020 is to become more connected, not less.
Further still, I have performed dozens of attack simulations across a wealth of organisations and, even in the most secure locations, a compromise is always attainable through patience and determination. It is a widely accepted adage in the security industry that there is no longer a question of if an organisation will experience a compromise, but when.
So, if you cannot rely on your perimeter defences to protect you, and sealing yourself off from the world is not an option, what can you do to avoid conceding defeat to what might seem inevitable?
The first step is understanding how your business operates. Create a map of the assets in your organisation and how they interact with each other, and record the who, what, when, where and why of each interaction.
Augment the map with any additional interactions that are possible, whether or not they were ever intended. Consider whether any asset is exposed in a way it does not need to be, and whether that exposure could be abused. The result is a threat model, and it will make your security far more manageable.
The second step is creating and implementing a defence strategy that closes off the unnecessary exposures and mitigates the risks that cannot be avoided entirely. There will always be limitations and accepted risks, but the objective should be to minimise them where possible and to know exactly which ones remain.
The next step is to validate your defences. Security is about finding an effective mesh of people, process and technology to thwart attacks, and regular security assessments will show you where the defences actually in place fall short of the threat model.
Finally, contextualise your new threat model. Testing in isolation will give you some assurance, but it is not until you look at your business as a whole that you will understand your true security posture. Walk through the paths you have mapped as a real-world adversary would, chaining individual weaknesses together rather than judging each one on its own. This process is known as Red Teaming, and it is your opportunity to understand what your defences mean for your business.
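The four steps above, as an added worked example (this is my own illustration, not code from the article or from Secarma): once the asset map from step one is written down as data, with each interaction flagged as genuinely required or merely possible, the questions in steps two to four can be asked of it mechanically. The script enumerates every route an internet attacker could take to the orders database, shows how many routes disappear when the unrequired interactions are closed, and counts which assets still sit on the remaining routes, which is where detection and hardening pay off most. The assets, interactions and "required" flags are constructed for illustration and do not describe any real organisation.

```python
from collections import defaultdict, Counter

# Constructed sample threat model (not from the article): a small online
# retailer. Each entry is (source, destination, who, why, required).
# "required" marks interactions the business genuinely needs; the last two
# are the "additional interactions that might be possible" the article says
# to add to the map, even though nobody needs them any more.
INTERACTIONS = [
    ("internet",    "web-app",     "customers",           "place orders",       True),
    ("web-app",     "orders-db",   "app service account", "read/write orders",  True),
    ("internet",    "vpn",         "staff",               "remote working",     True),
    ("vpn",         "file-server", "staff",               "shared documents",   True),
    ("vpn",         "orders-db",   "DBA",                 "maintenance window", True),
    ("file-server", "orders-db",   "legacy sync job",     "retired report",     False),
    ("web-app",     "file-server", "admin SMB share",     "debug log export",   False),
]


def build_graph(interactions, required_only=False):
    """Adjacency map of the interactions; optionally drop the unrequired ones."""
    graph = defaultdict(set)
    for src, dst, _who, _why, required in interactions:
        if required_only and not required:
            continue
        graph[src].add(dst)
    return graph


def attack_paths(graph, start, target):
    """All simple paths from start to target: the attacker's pivot options."""
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return paths


def unnecessary_exposures(interactions):
    """Interactions that exist but the business does not need: close these first."""
    return [(s, d, who, why) for s, d, who, why, req in interactions if not req]


def pivot_counts(paths):
    """How often each intermediate asset appears across the paths; the most
    frequent pivots are the accepted risks to watch and harden."""
    return Counter(node for path in paths for node in path[1:-1])


def compare(interactions, start, target):
    """Attack paths before and after the unrequired exposures are closed."""
    before = attack_paths(build_graph(interactions), start, target)
    after = attack_paths(build_graph(interactions, required_only=True), start, target)
    return before, after


if __name__ == "__main__":
    before, after = compare(INTERACTIONS, "internet", "orders-db")
    print("Exposures to close:")
    for s, d, who, why in unnecessary_exposures(INTERACTIONS):
        print(f"  {s} -> {d} ({who}: {why})")
    print(f"\nAttack paths to orders-db before: {len(before)}")
    for p in before:
        print("  " + " -> ".join(p))
    print(f"Attack paths after closing unnecessary exposures: {len(after)}")
    for p in after:
        print("  " + " -> ".join(p))
    print("\nPivots still on a path (accepted risk, monitor these):",
          dict(pivot_counts(after)))
```

Running it lists the two exposures to close, the four attack paths that exist while they are open and the two that remain once they are closed. The "after" graph is the one to hand to an assessment or red team: the paths it still contains are the accepted risks, and a Red Team walking them end to end is the contextual check the article describes.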
Of course, this approach still has its limitations. The more connected your business, the more interactions you will have with assets outside your organisation's control. This is where you should seek out and encourage suppliers to gain accreditations such as Cyber Essentials, which establish a base level of confidence in the security of an organisation without anyone marking their own homework. Bear in mind that the basic Cyber Essentials tier is a self-assessment verified by an assessor, whereas Cyber Essentials Plus adds independent technical testing of the controls, so it is the stronger signal for a supplier whose access to your assets actually matters.
By Thomas Ballin, Senior Security Consultant, Secarma