Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference from San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to you are or will be hacked so what can we do to mitigate the damage and catch the malicious individual or group.

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of APT (Advanced Persistent Threat) where well funded criminal gangs will expend a lot of time, money and skill to gain long term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’, existing threats and continued successes of social engineering attacks such as Phishing have lead many security leaders to suggest that you have likely already experienced a breach and you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when face with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading –

Bruce Schneier –

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.. What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?


Code war era

I’m sure it is not a new turn of phrase, but I came across the term ‘Code war’ as in code war era in a recent Businessweek article titled ‘Cyber Weapons: The New Arms Race’ that can be found here;

From Google accusing the Chinese government of trying to hack it’s systems and threaten it’s employees to the Stuxnet worm causing massive damage to Iran’s nuclear program cyber warfare is clearly real and here to stay – This is truly the era of the code war..

One of the big differences between cyber warfare and traditional warfare are the levels of secrecy involved.  Traditional weapons such as guns, fighter planes or even nuclear missiles still work both in use and as a deterrent even when many details about how they work.  In the cyber world once an exploit is known about and understood countermeasures can quickly render it useless.

To highlight just how real this threat is, in 2009 the US created the US Cyber Command, and the US military has been given the all clear to us ‘cyber’ weapons.

Various firms, such as Endgame and Appin Technologies that provide various security services including creating exploit code are reporting ever increasing profits due to the demand for this kind of service.  These companies while shrouded in secrecy are the public face of this industry; there are many more ‘black’ companies whose activities and work for governments is considerably more hidden and less visible.

Definitely interesting times in the world of IT security..