You have heard it over and over from the “offensive” side of information security:
“The defense has to be right 100% of the time, but the offense only needs to be right once”
“The offense always wins and the defense always loses.”
Naturally, you see a lot of really good professionals that focus on defense take offense to that. No one wants to hear absolutes like this and frankly they don’t make sense in the info sec world. These statements are morale killers and really don’t do much more than one group telling another they are better than them. Here are a few thoughts on the winning in info sec.
What are Your Goals?
As a business, inherently making you the defense, you have a goal to protect certain assets. A majority of the time it is sensitive information such as copyrights, intellectual property, customer data, etc. In the process of protecting this data, the company performs many different tasks to keep that data safe. One may implement technical controls, such as firewalls, IDS/IPS, network segmentation and egress filtering. They may also write great information security policies and procedures. There are different levels of security that can be implemented, and are usually aligned with the risk the company is willing to accept. To determine this risk, a company will analyze their sensitive assets and determine what the cost of protection is versus the cost of loss and evaluate which is right for the company.
If your goal as a company is to protect consumer credit card numbers (yes this is very narrow in scope for example purposes) and a breach occurs that steals name and address, but no credit card numbers, did you “lose?” Even if credit card numbers get stolen, is it still a “win or lose” situation?
If you are breached, but stay in business, continuing to provide services to your customers in a positive way, did you “lose?”
What Defines the Game?
If there are winners and losers then there must be a game right? What is the definition of the game to determine when a winner is crowned? Currently, it appears as though the game starts when you create a presence on the Internet. There are only two ways to end the game: Leave the Internet or get breached (the offenses self proclaimed victory). What happens if you get breached and stay on the Internet? I guess a new game starts. At the most, a breach means that the offense has scored, but lets not get ahead of ourselves.
Lets look at some breaches and see if the breach should constitute a win.
- Target, sure they lost a lot of credit card data, yet they are still in business and people still shop there.
- Sony got owned in a major way, but look, still alive and running.
- Staples, JimmyJohns, even Chick-fil-a all were breached yet all still running their day to day business with what would appear to be very little fallout.
- T.J. Maxx was huge in the news a few years ago, still going.
- Many, many more companies just like this and still running strong.
I don’t see any “winning”, by the offense, in the above breaches.. I see scoring. Scoring that usually doesn’t even come close enough to claim a victory.
If we really look at the situation, the defense actually wins 99% of the time. Web applications and networks are under constant attack from the bad guys and we are not seeing every company sitting on a breach list. Yeah, I know that there are probably a lot of companies that are currently breached and just don’t know it. How many attacks are happening that don’t succeed? Unfortunately, we only hear about that one time the attack works and breaches a company. Going back to the Goals idea above, who are you trying to keep out, the script kiddie or the highly skilled, highly paid attacker that is willing to take years learning your company to attack it. I get it, nothing is 100% secure and an attacker with enough motivation can get into anything, but should that thought overpower the so-called game?
Is it a Game?
There is a huge community in security that looks at the Internet as the greatest capture-the-flag (CtF) ever created. With hundreds of millions of connected systems and web sites it is a plethora of fun and probably quite easy to “score.” I liken it to a golf course that has a ridiculous amount of holes for each tee. So much so that hitting the ball with your eyes closes still has a high chance of landing in one of the holes. Although, as in golf, putting the ball into the hole on one green doesn’t constitute a win, it constitutes a score that is later calculated to determine a winner.
We need to get away from the idea that “defense sucks” and “offense is so easy and great.” Sure, some companies are not doing as much on the defensive side as they should, but that doesn’t mean they always lose. Even companies that have great security can fall victim to a breach, but that is usually all it is. I have fallen victim to saying I like the offensive side because it is easier. That I can easily find something to ding you on with your app or network. The reality is that not everything identified as a security flaw or risk is a “win” or even something someone should fix. It goes back to the risk acceptance of the company. I bet I could walk around your house and find problems too, but that doesn’t mean I won.. what would I have even been playing. I would also just be distancing myself from you looking like a jerk. We need to do better at bringing our two sides together, working together to have the information needed to make risk acceptance more accurate.