What security means in today's businesses
July 21, 2015
Hackers are wreaking havoc on businesses. To understand the potentially staggering financial ramifications of a security breach, look no further than...
Hackers are wreaking havoc on businesses. To understand the potentially staggering financial ramifications of a security breach, look no further than the high-profile attack against retailer Target, where experts estimate that damages could soar as high as $5.3 billion, with costs including a wide range of items such as incident response, litigation, fines, customer exodus, and lost profit. Perhaps most significantly, the Target breach represented the first time that the CEO of a non-tech company was forced to resign due to a security incident. If ever there was a bell toll signifying to corporate executives that security is a business-critical mandate, and not “just an IT problem,” this was it.
Corporate executives and their boards have been scrambling to adapt in the face of this daunting challenge. Businesses today are defending against a newer and more advanced adversary who is motivated to attack for a variety of reasons, ranging from the desire to steal intellectual property or other data assets to causing reputational harm to making a political statement. These modern adversaries have become extremely sophisticated, their attack methods are ever evolving, and traditional defenses alone are no longer effective.
However, enterprises should not lose hope: there are techniques they can adopt to deploy a more effective defensive posture. Here are two examples of the most effective defensive measures:
1. Secure assets, not just perimeters. In today’s highly interconnected environments, third-party solutions are so widely integrated that the distinction between internal and external has become blurred. Modern adversaries often attack a victim’s trusted vendor to ultimately compromise the victim. You can account for these attacks by building layers of defense-in-depth, a paradigm which assumes that the adversary is already in. Start by identifying your most valuable assets, and then build layers of defense emanating outwards from there.
2. Build security in rather than bolting it on. The most effective way to build systems that protect assets is by building security into each stage of the process. As a system or infrastructure is being built, new features and functionality are added which inevitably introduce new attack surfaces. When you build security in, the security of these attack surfaces is considered at each stage of development, and as such, the risk is significantly and consistently reduced throughout the entire development process. By contrast, organizations that only consider security at the end of the development process can’t effectively mitigate risk at the moment new attack surfaces are introduced.
By deploying security strategies that are effective against a highly skilled adversary, businesses today stand a better chance at protecting the valuable digital assets that drive their success.
Ted Harrington drives thought leadership initiatives for Independent Security Evaluators, an organization of security researchers and consultants known for being the first company to hack the iPhone. Harrington is one of the lead organizers of SOHOpelessly Broken, the first ever router hacking contest at esteemed security conference DEF CON, and one of the lead organizers of the popular new hacking event concept IoT Village at DEF CON. He holds a bachelors degree from Georgetown University.