Recently I had an experience at home that reminded me of several hard facts about security in general, and specifically about computer security issues. Several attempts were made to break into my house after Halloween of last year. As each attempt was detected, I took further steps to enhance security as my awareness of the threat developed.
At first, I secured the inner perimeter – I assumed the goal was to get in and steal my stuff. I double checked my locks and installed security devices so that windows would only open 6 inches if the locks failed (the locks are pretty minimalistic on today’s low to medium end vinyl windows).
Now, no one is getting in without breaking a window. Then I discovered that they had come back and stolen some things from the backyard, a pretty worthless bike, but still…
So, I added intrusion prevention in addition to locking down the house, by closing gates and installing a new security light in the backyard. I had hoped this would be enough of a deterrent, but the next incident really got my attention: my neighbors spotted a man peering in my daughters’ windows at 6 am – just the time they are getting ready for the day.
At that point my fatherly instincts were ablaze and I extended my defenses to include an intrusion detection system: motion sensors to alert me to anyone entering my property and secondary sensors to let me know where they are going on the property.
As I reflect on these things in my newly created “zone of security”, I am aware that there are things I could do further to enhance my family’s safety (motion sensing lawn sprinklers, vicious dogs, etc.), but I don’t think most of them warrant the further effort.
I know my sense of security is at best a fallacy; a determined home invader is going to come in regardless of my efforts, but I have raised the bar to keep the average criminal out by making my house less attractive than someone else’s. These things translate directly to the world of software security: there is no absolute security for a functional system. If I wall myself and my family in, we stop functioning normally, which is not a desirable outcome either.
As my awareness of the threat increased, I changed my tactics to protect what I perceived the criminals were after. My mistakes, much like many businesses’, were:
- Putting off setting up any security until an event occurred
- Setting up one layer of defense at a time instead of finding a more complete solution after the first minor incident (not doing an attack surface analysis)
- Reluctance to call for help (excuses like nothing was stolen, no real damage etc.) After the second incident, I felt it was better to inform the police, the mailman, and neighbors, thus increasing the support I had in coping with the problem
- Choosing to do it myself instead of getting advice and help from professionals (and ignoring the police officer’s advice to lock the gate thinking just closing it would be enough)
- Being reactive instead of proactive
As I look around at the corporate landscape today and the news we see and, much like an iceberg, the bigger set of incidents that we don’t know about, I see that many companies are making the same mistakes I made at home, just on a much larger scale with much worse consequences.
Companies that don’t “get it” think they can do it better in-house, don’t see why anyone would want into their systems, and make up all sorts of other excuses to justify not expending money on these “theoretical” incidents.
Once a major security incident happens, we see companies wake up quickly and close the barn door after the horse is gone, as it were. I got lucky at home and only lost a worthless bike for my troubles.
I don’t think we can count on the kind of criminals attacking today’s corporations being so easily deterred.