Cyber Security Through the Lens of Belgium

This is by no means an effort to equate terrorism and its horrible aftermath with an intrusion or data breach, merely an attempt to use current events in the physical world (which people tend to understand more readily) to help make sense of computer security, a complicated and multi-faceted problem few understand well.

You can’t stop evil; you can improve your ability to respond to it

You invest a lot of money in defense, but you can’t protect everything, perfectly, forever. If you spent $1m on defensive mechanisms and capabilities, and it only takes a few hours of research and keyboard time for someone to overcome those defenses, the answer is not to spend $2m on more defense (worst. ROI. ever). The better approach is to spend more on your ability to detect and respond to the inevitable. You can only know how much to spend by implementing a testing regime that provides you with the right data: how quickly a competent attacker gets through your defenses, and how quickly you notice and contain them. 200 pages of boilerplate and CVE numbers from your commodity testing service isn’t going to cut it.

You know what the problems are; you need to be willing to act

Reportedly, no one involved in the attacks in Belgium was unknown to the authorities. Apparently three of them in an airport in full Michael Jackson mode was not enough to go from yellow to red. In defense, people have a penchant for discounting warnings because the vast majority of the time such warnings amount to nothing. Every alert is important. Every issue needs to be run to ground. If you only focus on what people tell you is “critical” you are going to miss the chain of “low” problems someone is stringing together in order to pwn you: a verbose error page, a reachable internal admin interface and a default password are each a “low” on their own and a full compromise together. I get that budgets are not bottomless and everyone is busy, but you need to make regular, if small, progress in this area or everything else is for naught.

Everyone has an agenda and they often conflict

Countering evil of any sort is not a solo endeavor, but because there are multiple aspects to the mission there are multiple agendas and motivations. If your mission is “how big is the threat” (intelligence) and you spend a lot of time and energy trying to determine that, you are naturally disinclined to hand that data to, say, the police, whose mission is “stop the threat.” Cyber security will always conflict with other missions, but you must understand and appreciate what the other side is doing and develop a level of trust sufficient for both of you to work together. Decision-makers need a comprehensive answer from their team; they don't want to deal with internal squabbles. As a cyber-person you don't want that either, because you're always going to lose to the guy who generates revenue.