
Unprotected Sec: Why Information Security is a Lot Like Birth Control

 

By Hans Holmer

 

Practicing effective computer network information security (InfoSec), it would seem, is just as easy as practicing effective birth control.  And the results, unfortunately, speak for themselves.  Less than one quarter of computer intrusions are initially directed at a specific computer.  Likewise, statistics tout that barely half of all pregnancies are planned.  In both cases, perfectly well-reasoned and intelligent people, for whatever excuse, have forgotten, couldn’t be persuaded, or couldn't be bothered to take precautions.  The average computer intrusion tends to take very little time, less than a minute.  (I’ll let you draw your own comparison here.)  InfoSec professionals know almost all computer intrusions could have been easily prevented by a few simple steps.  Health care professionals know that it’s the same for pregnancy.  Yet the majority of computer intrusions and pregnancies come as a surprise, and they are typically only discovered weeks or even months later.  Maybe the only difference between most computer intrusions and most pregnancies is that computer intrusions are typically first discovered by a third party, when they see a bulge of odd code or a change in data or online behavior, and that pregnancies are usually first verified by a third party.  And in both cases, most of the time it’s people, not equipment or tool failures, that caused the new circumstances.

 

The first step to establishing effective InfoSec is to determine who the responsible parties are.  While we often hear that only one person really has sole responsibility for family planning, in reality there are many (well, at least two) people who are required for success.  As families and communities already know, parents and leaders have to model the appropriate behaviors and teach future generations how to manage and succeed in life.  Similarly, good InfoSec is a shared responsibility between the CEO, the CIO, the head of security, other organizational leaders and all the members of the organization.  But if security leaders don’t have a voice in organizational strategy, or at least a seat at the corporate table, the right resources won’t be directed at the right places.  And most important, all members of the organizational family must realize what is at stake.

 

If your business depends on protecting proprietary or intellectual property, everyone in your organization has to be involved in InfoSec at some level, because securing the data on a network requires buy-in.  The necessary and appropriate tools have to be purchased, easily accessible, and usable before they are needed.  If this is starting to sound familiar, there’s good reason.  While it is possible to recover from an intrusion, it too is usually much more painful and expensive than prevention.  The second step in effective InfoSec, then, is to understand which data are critical to your business and to determine which activities are likely to permit illegitimate access and which ones will not.  This type of thorough and thoughtful assessment will help determine which tools and defensive techniques will work for an organization.  A well-conceived network protection model can withstand a lot of probing without failing.  And, of course, monitoring progress from base to base is very informative for the InfoSec coordinator.

 

Once an InfoSec model is in place, ensuring that the organization continuously adheres to the proper behaviors and measures the outcomes is critical.  Just as having contraceptives stashed away in an out-of-the-way drawer at home is not an effective way to prevent pregnancy while on vacation, having a plan that nobody is adhering to will not prevent cyber compromise.  In general, the basics of a plan follow the outline of an excellent model that the Australian Defence Signals Directorate calls "Catch, Patch, and Match".  (This mnemonic seems to work for practicing effective birth control as well.)

 

"Catch" means take stock: identify, baseline, and inventory all the hardware and software on your network.  It is analogous to identifying everyone who can be affected by a pregnancy in your family.  (Don't forget the pets.)  "Patch" means ensuring that all the hardware and software are at the most recent version, which is generally the one most resistant to intrusions, just as you would ensure that none of your contraceptive medications and devices have passed their expiration date.  Finally, "Match" means that only authorized users have access to specific resources on the network.  Controlling access is important in any relationship.

 

Add "Lather, Rinse and Repeat" to "Catch, Patch and Match" so that these activities are continuously monitored and highly effective, and you have a model for successful InfoSec (and family planning).  Now go back and start thinking about other technology systems that you depend on to run your business.  Mobile devices, heating and cooling, elevators and escalators, access control systems and human resource systems: anything with corporate data needs to be monitored and protected.  Lather, Rinse and Repeat…
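The three checks above can be turned into a repeatable audit: compare a fresh scan against the baseline inventory (Catch), against the latest known versions (Patch), and against the list of authorized users per host (Match). The following is an added example, not code from the article or from the Defence Signals Directorate; the hosts, versions and user names are constructed sample data, and the `LATEST_VERSION` table stands in for whatever vendor feed an organization would actually consult.

```python
"""Catch / Patch / Match audit over a constructed inventory snapshot."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    software: dict   # package name -> installed version string
    access: set      # user accounts granted access to this host


# Constructed sample data (not from the article): the last approved baseline,
# a fresh scan, the latest known versions, and the authorized-access policy.
BASELINE = {"web-01", "db-01"}
CURRENT_SCAN = [
    Host("web-01", {"nginx": "1.24.0", "openssl": "3.0.8"}, {"alice", "deploy"}),
    Host("db-01", {"postgres": "15.4"}, {"alice", "dba"}),
    Host("tmp-box", {"python": "3.8.0"}, {"bob"}),  # never baselined
]
LATEST_VERSION = {"nginx": "1.24.0", "openssl": "3.0.13",
                  "postgres": "15.4", "python": "3.12.0"}
AUTHORIZED = {"web-01": {"alice", "deploy"}, "db-01": {"dba"}}


def version_tuple(version):
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(baseline, scan, latest, authorized):
    """Return (category, host, detail) findings for one audit cycle."""
    findings = []
    seen = set()
    for host in scan:
        seen.add(host.name)
        if host.name not in baseline:  # Catch: unknown asset on the network
            findings.append(("catch", host.name, "host not in baseline inventory"))
        for pkg, ver in host.software.items():  # Patch: outdated software
            if pkg in latest and version_tuple(ver) < version_tuple(latest[pkg]):
                findings.append(("patch", host.name, f"{pkg} {ver} < {latest[pkg]}"))
        # Match: any account with access that policy does not grant
        for user in sorted(host.access - authorized.get(host.name, set())):
            findings.append(("match", host.name, f"{user} has access but is not authorized"))
    for missing in sorted(baseline - seen):  # Catch: baselined asset that vanished
        findings.append(("catch", missing, "baselined host not seen in scan"))
    return findings


if __name__ == "__main__":
    for category, host, detail in audit(BASELINE, CURRENT_SCAN, LATEST_VERSION, AUTHORIZED):
        print(f"[{category.upper()}] {host}: {detail}")
```

Scheduling `audit` to run on every new scan is the "Lather, Rinse and Repeat" part; a finding that persists across cycles is the signal that the plan exists but nobody is adhering to it.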

 

Advanced Persistent Threats (APTs) are those actors that deliberately probe specific targets for vulnerabilities in order to find the best possible access for the least amount of effort and risk.  Generally, they don’t need to expend much effort to succeed.  The objective of a well-planned defense strategy is to force the attacker to expend so much effort that they give up in favor of easier, less-protected, less-effort targets.  As the old adage goes, when two men face a lion: “You don’t have to run faster than the lion, just faster than the other guy.”  While the “Catch, Patch and Match; Lather, Rinse, Repeat” guidelines will cover about 80 percent of risk, including almost all APTs, some state-level cyber actors may pursue more sophisticated means to breach network defenses.  These types of intentional intrusions are defeated by knowing who your most likely adversary would be and which data they are after.  Implementing additional tactics, such as limiting some data to a stand-alone network or prohibiting it from transiting wireless networks or mobile phones, will increase the level of protection.

 

Not all businesses or people will need the last 20 percent of increased data protection, but those that do will certainly need professional help.  Social workers, school professionals, clerics and others can help with family planning.  Likewise, InfoSec professionals are masters of technical counterintelligence, insider threats, all-source threat analysis, and Information Assurance.  Professionals with years of experience in the field typically blend many different areas of expertise to create tailored solutions for each organization.

 

Professionals know that the important part is not the plan but the planning.  As families and businesses conduct vulnerability reviews and create plans for defending their assets, awareness grows and risks become more manageable.  Just as it is not enough to stop by the drugstore or see a doctor once, it’s not sufficient to buy or download antivirus software once for your computers.  The current annual tally of unintended pregnancies and computer intrusions tells us that is the case.  Just as birth control is not just a matter of the mechanics and tools, InfoSec is not just a matter of technology; it takes knowledge, practice, consistency, and above all planning, to be effective.

 

©2013 Hans Holmer

Hans Holmer is a Senior Cyber Strategist.  With over 25 years of government, human intelligence, and private-industry experience, Mr. Holmer is the recipient of a host of awards for his work and contributions, including: CIA Intelligence Star, CIA Career Commendation Medal, 3 CIA Meritorious Unit Awards, 11 CIA Exceptional Performance Awards, Director of National Intelligence Meritorious Unit Award, National Intelligence Certificate, National Intelligence Award, and U.S. Army Commendation Medal.

Hans Holmer brings multi-cultural, multi-lingual IT (particularly cyber security) and human intelligence expertise to the mix of leadership skills that defines aQQolade.  Mr. Holmer is a successful strategist and planner, performing complex analyses and briefing at the highest levels.  An accomplished public speaker, Hans is a leader and developer of multi-disciplinary teams.
