Every day there is a story in the news of a security threat causing havoc to even the largest of enterprises. It may be website defacements one day, denial of service the next and credit card data exfiltration the day after.
It would seem that enterprises are struggling in the ongoing cyber wars, but what if there was knowledge you could gain that would let your enterprise even the score a little? I am not saying that enterprises can put a stop to cyber crime, but what I am saying is let’s turn getting decimated into living to tell the tale, albeit with a battle wound or two. I am not talking about fighting back. I am just talking about getting even in a legal way.
Let’s turn to a scenario that, though a little obtuse at first, will become self-explanatory by the time you have finished reading this blog post: imagine you want to cross a busy highway. There are cars moving along at incredibly high speeds and you need to navigate a clear path or end up splattered on the windshields. Whether you live to tell the story depends on the actions of the drivers. They may speed up, or slow down, or change lanes. These are actions over which you have no control.
At the same time, reasons for failing to cross the highway could depend on your actions, which you do have control over. What if you speed up or slow down? What if you miscalculate how fast the cars are travelling? What if you forgot that you have a limp due to a former sporting accident? What if your judgement is impaired because you forgot your contact lenses?
To understand your enterprise’s risk profile, you not only need to know about the enemy; you also need to know yourself. The question becomes: how much do you know about your enemy, and how much do you know about your enterprise?
Let’s begin with the easy part – your enterprise. The trouble is, we tend to understand less about ourselves than we think we do. Cyber criminals have the upper hand when your weaknesses are exposed because they use those weaknesses as their strengths. Why wait for cyber criminals to beat you to it? Understand your weaknesses and turn those into your strengths.
To know your enterprise you have to identify all of the assets. Failure to identify all assets means you are leaving your security strategy to chance, and let me ask you, has chance paid you handsome rewards in the past? I should think not. Identifying all of your assets requires you to think laterally.
In the same way that the value of a rental property, which is clearly an asset to its owners, depends on its surroundings – land, market demand, infrastructure – information depends on surrounding assets to help increase its value. These assets include digital assets such as applications; physical assets such as network and storage infrastructure (and yes, storage infrastructure can be a broad portfolio ranging from USB drives to a briefcase to a building); and, of course, human assets. All of these have weaknesses, and if we can identify those and turn them into strengths it is possible to stand strong and become much more resilient in the war against cyber criminals.
The other half of the equation is knowing your enemy. It is important to know their motives and their strengths. They certainly make it their priority to know your weaknesses before they begin to create a weaponised and targeted assault on your assets. But for all their might, stealthy behaviour and technical prowess, remember that cyber criminals are also only human. They make mistakes; they bleed when punched in the nose, not that I am advocating you do that; and suffer human weaknesses. What you probably haven’t considered is what those weaknesses might be.
Here are three weaknesses that you should include in your arsenal against cyber criminals:
(1) Their biggest threat is you. As odd as that may seem, let’s revisit the earlier scenario. If you have to cross that exceptionally busy highway, then clearly, speeding drivers are your greatest threat, but have you considered that you crossing the road is actually a threat to drivers? What if they do hit you? That could mean damage to their vehicle, swerving to avoid colliding with you and risking their own death, shock and various other forms of mental trauma, being late for an important appointment, increase in insurance costs, and many other inconveniences. You are as much a threat to drivers as drivers are to you when crossing a road.
Similarly, cyber criminals see you as a threat because they do not know for certain if you are watching them. You may have watched their every move for months when you decide to pull the plug – for them, that’s four months of time down the drain; for you that’s a momentous occasion.
(2) There is very little love in the criminal underworld. Though we see black markets thrive on selling stolen data and exploitation tools, cyber criminals have to watch one another carefully and be careful what secrets they do disclose to one another. A year of work exercised by one cyber criminal outfit may be thwarted when a less experienced and less stealthy outfit storms in with guns blazing at the last minute. Just as typical enterprises have competitive threats, so do cyber criminals.
(3) Cyber criminals are generally lazy. They may be very well organised, increasingly well funded and have brilliant minds. However, just like typical enterprises, they will not reinvent the wheel. This means that a lot of the tools that are bought and sold, swapped or bartered in the criminal underworld are based on common exploit code, making it simpler to look for known indicators of malicious behaviour in so-called zero-day exploit tools.
Now that you have some intelligence about your enemy’s weaknesses, it is time to fight back and even up your enterprise’s odds in these times of cyber war.