Security is a balance between offence and defence.

Summary:

  • How do you know that your defences are good if you don’t test them?
  • What lengths would your adversaries take to compromise your systems?
  • Adopt the same offensive mentality as your adversary in order to test your defences

You have your security strategy, you know (most of*) your threats/vulnerabilities, you have implemented a top-down, well-oiled security program, policies, procedures, processes, technology, etc. You’re now safe…

Really…?

As mentioned in a previous blog, security must be tested either by you or by your threat.

The Mandiant Threat Landscape report shows that intruders can be on your network for 243 days before being detected. (1)

Let’s be ignorant and ask a few questions:

  1. How did they get through our defences?
  2. Why did it take so long for them to be detected?

etc…

Let’s assume that all the policies and technology are capable of keeping the adversary out; how would *you* know? Business is evolving, computational power is getting cheaper, interconnectivity is expanding, attack information is easily accessible and adversaries adapt. With all of that in mind, is your security program evolving?

This gap between the security program and the adversaries’ capabilities is the current risk to the organisation.

From the last blog, an assessment would have been made to find out an organisation’s assets and threats. As part of the threat analysis, some consideration would have been made to examine the likelihood and the capabilities of the threat.

Risk mitigation will consider the threat analysis then apply the appropriate risk treatment.

A lot of threats could be addressed by going through a ‘checklist’; this would be considered a ‘baseline’. However, to stop a determined adversary, advanced threats, etc., some innovation is required. As a penetration tester, you need to be innovative and think outside the square to find ways in; this is where innovation is practised.

Back to answering question 1: to be a good security professional you have to think like *the* threat (the adversary, a pen tester) in order to minimise the risk of a threat compromising your organisation.

As for the second question, it is obvious that the adversary was not detected at the time of entry, and that raises other questions: how well-oiled is your security program? Is it measurable? Were the right vulnerabilities addressed?

To answer this, you need to put your defensive hat on…

1. https://www.mandiant.com/threat-landscape/

Defining Security Scope: Another way of saying ‘know thy enemy’

You cannot protect what you can’t see

Summary:

  • Know your assets and threats based on industry, size, image, political, social factors, etc.
  • Conduct high level identification and assessment of the threats
  • Produce suitable mitigation strategies/countermeasures for the threats until the risk is at a level agreed by the business

Without knowing your assets and understanding the threats against them, it is extremely difficult, if not impossible, to protect your environment.

Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.

Each industry has its specific threats and they range from amateurish to well-funded nation states.

There are models available to help map out what threats your organisation could potentially face.

The areas to consider are:

  • Industry: is it a highly competitive industry?
  • Size: how large is the organisation?
  • Image: does the company depend heavily on its image/brand, and what would happen if it were compromised?
  • Political: do political events affect the organisation?
  • Social: is the organisation operating in an environment where social tensions work against it?

etc.

Each area has its specific threats and, depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.

To put it into perspective, your corner store is probably not going to be targeted by a nation state.

However, a large/vocal pro-Western company may be a target of an anti-pro-Western organisation, political affiliation, etc.

For each threat there is a countermeasure: mitigate, accept, insure, delegate, etc.

Once all of this has been considered, a scope can be defined for the security team and affiliates to adhere to and follow.

Understanding the scope allows any organisation to formulate an appropriate strategy to counter the threats.

Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc) to ensure that the organisation is protected.

The What, When, Where and Hows of security

What is security?

The objective of having security is to stop and/or limit the pain inflicted on the asset/organization.

Would a desperate car thief stop at the garage door to steal a rare car? Would a storm stop because it would cross international boundaries? Why would a determined person with malicious intent stop if they have a set goal in mind?

When do you know if you are secure?

If the asset is worth securing, how much time, effort and cash are you willing to put in to secure it? What are your threats?

You wouldn’t spend $50 to protect a jar of $3 biscuits against a 5-year-old cookie monster. However, with a bit of innovation, it is quite possible to spend $1 to protect a jar of $3 biscuits simply by moving it out of sight.

Where is security placed?

Security must be a core part of whatever asset(s) you are protecting. It must be part of any project design/planning process. Security will cross over departments, systems, etc. Security is not down to one individual; it is a shared responsibility.

What would happen should a family member take down the cookie jar and place it in reach of a determined 5-year-old cookie monster?

Is my security implementation effective?

Security will be tested; if not by you, then by that one determined individual.

Just like any test, you need to know what it is you’re trying to protect, what you need in order to measure its effectiveness, and the duration of the protection required.

Remember: Security HAS an expiry date! A security strategy must adapt and grow in accordance with the asset that it is protecting.

What good is a moat if your adversary has access to planes and helicopters?

How do I stay ahead of the security game?

Innovation. But before you can be innovative, you must have the appropriate tools at hand: policies, procedures, information, statistics, metrics…

With that in mind, this blog will help anyone who is in charge of an asset that is worth protecting to implement a well-oiled security plan.

What is Well Oiled Security all about?

We’re here to improve your security maturity model, making it a well-oiled machine.

Security…

  • is always evolving
  • is a risk minimization exercise
  • is a core part of the business
  • is transparent to business operations
  • is about accountability
  • involves everyone
  • is measurable
  • starts from the top and works its way down