Three Things You Cannot Do In Computer Security

Computer security is one of those fields where “everyone knows” what is supposed to be done and how. The problem is that no matter how well you follow the best advice, you’re still going to become a victim of someone else’s malice. This isn't because what “everyone knows” about computer security is universally wrong, but because it is not written on stone tablets brought down from on high. The best advice for you might be complete rubbish for me because we’re in different businesses. If there are any constants in computer security, they are almost certainly:

  1. You Cannot Stop Attacks. Anti-virus isn't; intrusion prevention doesn't. Anything a good guy can buy a bad guy can buy…and then find their way around. Even security products have holes in them. Some of the cleverest bad guys will target your people, who have a tendency to act irrationally and for whom there are no rule sets you can configure. You’re going to get attacked; you probably already have been and you just don’t know it yet. There was never anything you could have done to stop it except get offline, and you cannot do that.
  2. You Cannot Raise Attacker Costs. That is to say, you can’t raise their costs without a corresponding financial escalation on your part.* Did you think people promoting that approach weren't trying to sell you something? You buy hardware and software to help you carry out your business. You buy security appliances and tools and advice because you’re not in the security business. The bad guys break hardware and software for a living: that’s their business. In order for you to raise their costs you would have to get into the security business in one way or another; doing what the bad guys do – or paying someone to do it for you – and fixing what’s broken before someone else finds out about it. “Raising attacker costs” is just another way of saying, “spend more money on security” and tight budgets mean you cannot do that.
  3. You Cannot Break the Mold. If you minimized your investment in traditional security mechanisms – did the bare minimum that regulation and good sense require – and spent what you saved on a reward scheme for employees who followed security policy, would you reduce the number of incidents you suffered in a year? If you re-focused your energies towards “preparation” rather than “prevention”, would incident response still be an expensive catastrophe or just a cheap nuisance? You’re doing what everyone else is doing and everyone is coming up short, yet if you’re not doing what everyone else is doing, “they” tell you you’re doing it wrong. That’s how victims console themselves, apparently, but you cannot afford to be a victim anymore.

People say collective defense is not something we’re wired to readily accept, but no one seems to mind that everyone has signed up for collective victim-hood. Even those who would set the standards for security can’t get it right, so why are we not letting people try something novel, without fear of punishment or penalty? If it doesn't work it doesn't work, but that’s no worse than the situation we’re in now. “Everyone knows” thinking says that if you build the wall a little higher, the moat a little wider, and put out more pickets and canaries, that this time everything will be OK. How long have you been doing that? How’s that working out?

* There is a rare exception to this rule, and that is if you publicly share indicators of compromise (IOCs) and other data related to efforts made to compromise your systems. The more people in and outside of your industry know what is being used in the wild, the less time those tools and techniques will remain viable (assuming vendors are doing their jobs and responders are collaborating). You don't have to reveal that you've been compromised; you don't have to be associated with the release of the information at all. Make it a requirement that your internal response team use a proxy like an ISAC (Information Sharing and Analysis Center), or that your external team publish the information anonymously and immediately, so that attackers have to spend more time, energy and money coming up with new approaches, more often. THAT is driving up attacker costs, not buying a new magic box.
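The catch in handing indicators to a proxy is that the raw findings your responders collect are full of things that identify you: hostnames, ticket numbers, analyst names, internal addresses, your own domains. What follows is an added example, not code from the original post, of the scrubbing step that should sit between the incident ticket and the ISAC: it keeps only the attacker-side observables (file hashes, external addresses, external domains), packages them as STIX 2.1-style indicator objects, and refuses to emit anything if a victim-identifying value survives into the output. The record layout, field names and the "own domains" list are assumptions, and the sample findings are constructed (203.0.113.0/24 is the RFC 5737 documentation range standing in for a real attacker address).

```python
"""Scrub victim-identifying data from raw findings before an ISAC or other proxy
publishes them. Added example; record layout and field names are assumptions."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Record keys that tie an indicator back to us. They never leave the building.
VICTIM_FIELDS = {"org", "analyst", "ticket", "host", "user"}

# Domains we own (assumed): anything under them is our infrastructure, not the attacker's.
OWN_DOMAINS = ("examplecorp.test",)

# Address ranges that describe our network rather than the attacker's.
NON_SHAREABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def is_shareable_ip(value):
    """True only for syntactically valid addresses outside our own ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_SHAREABLE_NETS)


def is_shareable_domain(value):
    """True for well-formed names that are not ours or under one of our domains."""
    name = value.lower().rstrip(".")
    if not DOMAIN_RE.match(name):
        return False
    return not any(name == d or name.endswith("." + d) for d in OWN_DOMAINS)


def to_stix_pattern(record):
    """Return a STIX pattern for the observable, or None if it must not be shared."""
    kind, value = record.get("type"), record.get("value", "")
    if kind == "sha256" and SHA256_RE.match(value):
        return f"[file:hashes.'SHA-256' = '{value.lower()}']"
    if kind == "ipv4" and is_shareable_ip(value):
        return f"[ipv4-addr:value = '{value}']"
    if kind == "domain" and is_shareable_domain(value):
        name = value.lower().rstrip(".")
        return f"[domain-name:value = '{name}']"
    return None  # e-mails, usernames, internal hosts: dropped, never rewritten


def build_bundle(findings, first_seen):
    """Indicator objects carry the observable and timestamps, nothing about the victim."""
    stamp = first_seen.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for rec in findings:
        pattern = to_stix_pattern(rec)
        if pattern is None:
            continue
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": stamp, "modified": stamp, "valid_from": stamp,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix",
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def leak_check(bundle, findings):
    """Final gate: list every victim-identifying value that survived into the output."""
    text = json.dumps(bundle).lower()
    secrets = {str(rec[k]).lower() for rec in findings for k in VICTIM_FIELDS if k in rec}
    return sorted(s for s in secrets if s in text)


def prepare_for_isac(findings, first_seen=None):
    """Build the bundle and refuse to hand it over if the leak check fails."""
    bundle = build_bundle(findings, first_seen or datetime.now(timezone.utc))
    leaks = leak_check(bundle, findings)
    if leaks:
        raise ValueError(f"refusing to publish, victim data present: {leaks}")
    return bundle


SAMPLE_FINDINGS = [  # constructed; no real organisation or attacker is described
    {"type": "sha256", "value": "4d7a1f9e" * 8, "host": "fin-ws-017", "analyst": "jdoe", "org": "ExampleCorp"},
    {"type": "ipv4", "value": "203.0.113.45", "host": "fin-ws-017", "ticket": "IR-2024-0117"},
    {"type": "ipv4", "value": "10.20.30.40", "host": "dc01.corp.examplecorp.test"},
    {"type": "domain", "value": "Update-Check.example.net.", "user": "j.doe@examplecorp.test"},
    {"type": "domain", "value": "vpn.examplecorp.test", "ticket": "IR-2024-0117"},
    {"type": "email", "value": "cfo@examplecorp.test", "org": "ExampleCorp"},
]

if __name__ == "__main__":
    print(json.dumps(prepare_for_isac(SAMPLE_FINDINGS), indent=2))
```

Run on the sample, only three indicators come out (the hash, the external address and the external domain); the internal address, the VPN host under our own domain and the executive's e-mail are dropped rather than rewritten, because a partially scrubbed indicator is worse than none. The leak check is deliberately dumb string matching over the serialized bundle: it is the last thing that runs before publication, and at that point you want a gate that cannot be out-smarted by a clever field name.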