Tuesday, May 27, 2014

Humility in Cyber Security

I'm about to (attempt to) wax eloquent about the philosophy of cyber security, so this post will probably get real existential (and perhaps not terribly applicable). Credit to John Strand for bringing up some of these ideas in his talks at a recent conference.

A common adage on the elementary school playground is, "There's always someone out there bigger, stronger, and faster than you."

If we swap "bigger" and "stronger" for "more clever" and "faster at the keyboard", we have an incredibly true point for cyber security. No matter how smart you are, or how good you are at detecting attacks, there is going to be someone in China or Russia (or anywhere else) who knows more than you do. There will always be a zero-day exploit someone can buy that you will never see coming. There will always be the script kiddie in his basement who manages to find the one thing you forgot about.

This isn't to say we shouldn't try. Quite to the contrary, we should try all the harder. But it should change the way that we think about our perimeter defenses. Your IDS, firewall, and AV aren't get-out-of-jail-free cards. You can't just play them like a wild card in Uno (the only card game I'm good at).

Rather, you should think of them in context. When you're designing your perimeter defenses, you should put effort into doing them correctly.
But then, when you move on to designing your host-based security (endpoint AV, host-based IDS), you should assume that your adversary has effortlessly bypassed your network-based IDS/IPS.

Then, when you are working on your database security, you should assume your adversary has walked past your perimeter security and your host-based security. You should assume that compromised devices are hitting your database server directly and design the security with that in mind. In practice that means the database layer authenticates and authorizes every request on its own, and never treats "it came from the internal network" or "it got through the firewall" as proof of anything.
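Here is an added example (my own illustration, not code from the original post) of what "design the database layer as if compromised hosts are hitting it directly" looks like in code. The users, tokens, roles and orders are constructed sample data; the request dictionary carries a hypothetical `perimeter_passed` flag and `source_ip` that an internal host could forge, and the data layer deliberately ignores both. Every call authenticates the caller's token, checks the role's permissions, and binds user input as a query parameter, so a forged "already passed the perimeter" request, an over-privileged action, and an injection attempt all fail at this layer even though every outer layer has been assumed away.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: users, roles and API tokens (hypothetical values).
USERS = {
    "alice": {"role": "reader", "token": "alice-token-1"},
    "bob":   {"role": "admin",  "token": "bob-token-2"},
}
ROLE_PERMISSIONS = {"reader": {"read"}, "admin": {"read", "delete"}}


def _digest(token):
    # Store only a hash of the token so the database never holds the secret itself.
    return hashlib.sha256(token.encode()).hexdigest()


def build_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT, token_digest TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    for name, u in USERS.items():
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, u["role"], _digest(u["token"])))
    conn.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                     [("alice", "widget"), ("bob", "gadget"), ("alice", "gizmo")])
    conn.commit()
    return conn


class DataLayer:
    """Access layer that authenticates and authorizes every call on its own.

    The request's 'perimeter_passed' flag and 'source_ip' are ignored on purpose:
    a compromised internal host can set them to anything it likes."""

    def __init__(self, conn):
        self.conn = conn

    def _authenticate(self, token):
        # Constant-time comparison of digests; returns (name, role) or None.
        digest = _digest(token)
        for name, role, stored in self.conn.execute("SELECT name, role, token_digest FROM users"):
            if hmac.compare_digest(stored, digest):
                return name, role
        return None

    def _check(self, request, action):
        ident = self._authenticate(request.get("token", ""))
        if ident is None:
            return None, {"ok": False, "reason": "unauthenticated"}
        name, role = ident
        if action not in ROLE_PERMISSIONS.get(role, set()):
            return None, {"ok": False, "reason": "forbidden"}
        return name, None

    def list_orders(self, request, item_filter):
        name, err = self._check(request, "read")
        if err:
            return err
        # Parameterized query: item_filter is bound as a literal, never spliced into SQL,
        # and the owner is taken from the authenticated identity, not from the request.
        rows = self.conn.execute("SELECT id, item FROM orders WHERE owner = ? AND item LIKE ?",
                                 (name, item_filter)).fetchall()
        return {"ok": True, "rows": rows}

    def delete_order(self, request, order_id):
        _, err = self._check(request, "delete")
        if err:
            return err
        cur = self.conn.execute("DELETE FROM orders WHERE id = ?", (order_id,))
        self.conn.commit()
        return {"ok": True, "deleted": cur.rowcount}

    def order_count(self):
        return self.conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo():
    """Run the scenarios and return their outcomes keyed by name."""
    layer = DataLayer(build_db())
    # A request claiming it already passed the perimeter, from an internal address,
    # with a guessed token: the data layer does not care about the claim.
    forged = {"perimeter_passed": True, "source_ip": "10.0.0.5", "token": "guess"}
    alice = {"perimeter_passed": False, "token": "alice-token-1"}   # reader role
    bob = {"token": "bob-token-2"}                                   # admin role
    return {
        "forged": layer.delete_order(forged, 1),
        "alice_read": layer.list_orders(alice, "%"),
        "alice_delete": layer.delete_order(alice, 1),
        "injection": layer.list_orders(alice, "%' OR '1'='1"),  # bound as a literal
        "bob_delete": layer.delete_order(bob, 2),
        "remaining": layer.order_count(),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The point of the example is not the specific token scheme but the placement of the checks: the outer layers (firewall, IPS, endpoint agent) may all be real and well built, yet nothing in this layer depends on them having worked.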

Cyber security is a frustrating field because you never know for sure that you have done it well and correctly. You only (sometimes) ever find out that you have done it completely wrong.

Obviously this could turn into a black hole of time and money. Since you can never say, "We are now secure," you could always spend more money and time making things safer.

That's really why God invented managers and gave them checkbooks. Obviously security professionals have to keep some concept of budget in mind, but while they're focusing primarily on making things more secure, managers are able to provide some perspective on what's reasonable.

So in conclusion, assume everything you're doing doesn't work well. And then keep on doing it better.