Level 12

Winning The Loser's Game of Information Security

"In a winner's game, the outcome is determined by the correct actions of the winner. In a loser's game, the outcome is determined by mistakes made by the loser." -- Charles D. Ellis

In 2013, the New York Times, US Federal Reserve, Facebook, Apple, Twitter, Evernote, Microsoft, NBC, LinkedIn, LivingSocial, Washington State Court Admin Office, Drupal, and Target were among the victims of hacks and data breaches. The list goes on. This is quite discouraging for information security professionals and prompts me to ask a question:

Is information security a losing battle?

The growing pain point of information security hits government, businesses, institutions, and individuals. Before I give my answer to the question above, I'd think of a few tactics an organization can adopt to fight the good fight.

1. Defense In Depth

Nowadays an organization cannot be protected simply by a firewall. Lock down the perimeter with multiple layers of security: firewall + IPS/IDS (or so-called Next-Gen Firewall), host-based IPS/IDS on servers, email filtering. Protect users' web activities using a web proxy with anti-virus and anti-malware. Harden workstations and servers with anti-virus, HIPS, and patching implementation. Know what's on the network and disallow what should not be with NAC. Secure BYOD with MDM, MAM, MIM. Prevent data leakage using DLP solutions. Monitor and alert on any malicious activity with SIEM and network flow solutions. Pen-test DMZ and internal applications.

2. Know Thy Enemy

More and more applications are Internet facing. Send developers to classes on securing applications. Build a dedicated Information Security team and train them for hacking, pen-testing, and incident handling.

3. Make Better Users

The user (or Layer 0 / Layer 8, as some refer to it) is probably the weakest part of information security. Educate general users on strong password policy, information sharing, phishing attacks, social networking security, social engineering, etc.

Organizations did/will learn the lessons from past information security failures and stand up from where they fell. No, information security is not a losing battle. Not yet! What's your opinion?

60 Replies
Level 10

Information Security is not a losing battle! Yes, I definitely agree, not yet, there's still hope and for me the "USERS" are the biggest deciding factor if we still want to wake up every morning knowing that our private information is safe in the hands of our trusted IT professionals. I mean come on, you can put the best defense in terms of firewall, anti-virus, proxy servers, encryption and so on but if the users and when I say users I don't mean just the end users but also employees within an organization (e.g. security guards, janitor, maintenance, etc.) will not follow the simplest security protocol, we will all lose!

0 Kudos

Not a losing game.  Just a continuous battle of hitting the alligator closest to the boat.  We only lose when we stop fighting the good fight.

Level 9

As a few others alluded to, I think the biggest problem in most organizations is getting the funding for security. Whether that be funding for tools or for the resources to operate and respond to output from the tools, funding is a huge issue for many organizations including my own. Luckily the government has started to invest more in security and that has the trickle down effect so that other private sector organizations are starting to see the value. With the CEO of Target losing his job over the breach, I think that too will help drive some more funding for security, but there is still a long ways to go in most organizations. And we are also beginning to see a lack of adequate talent once funding for a position is approved.

0 Kudos

I think of Network Security as a massive multidimensional chess game.  The battle rages on and the war will never be over.

Job Security!

0 Kudos

There is that.

0 Kudos
Level 12

mfmahler This has been very informative.

I agree with wbrown, we learn from our mistakes. But sometimes they are very costly ones and we regret they ever occurred.

The users are most times definitely the weakest link, especially when they do not remember what they have been told about securing their passwords. Some of them grumble at the fact that they need to change passwords often.

What can we do but help protect the network as best as we can with the different security products we can get.

Level 12

Thank you Gideon Tam for this topic on SECURITY ....

We should always have an alternative to tackle a security threat (Plan B).

Train all IT staff and users on security consciousness ... continuously


Level 10

How many times has antivirus saved the day?  How many times has it provided a valid resource for forensics?  How many times has it operated not like a virus itself on the operating system?  But yet businesses pay for it over and over each year.  Do you think Sochi Russia cares which AV you use?  Or they got all the data but if it wasn't for those Trend Micro users they would have had it all.  Stratfor can't keep their stuff secret.  Solarwinds keeping me out of the points server on this forum is awesome.  I'm happy Edward Snowden did what he did, however, if he worked for me, the dude would have never got that info out.  The wrong people are making decisions about data and the people who should be consulted are being ignored.  So have fun on your Facebook and Twitter.  Keep vomiting up information so we can have it people.  We live in the past with your telephone poles and me having to turn my knobs and pull my levers to get to the store in my driving machine.  Anyways, put the Solarwinds Underwear back in the store, don't tell me you ran out.

0 Kudos
Level 7

I don't think it's a losing battle, it's just a constant battle of minds.  Anything that is man-created can be man-solved.  I think it is about a balance of awareness, responsibility, trying to stay a step ahead of the game and having a responsive plan to efficiently counteract any breaches.

0 Kudos
Level 10

In my business, security is the highest priority. Unfortunately, often we find ourselves at odds with the demands of security and the demands of mission. What we do is extremely important and there can be dire consequences if service is interrupted by other important things, like IPS/IDS. It's a difficult war we wage, but one that is important we win as network defenders.

0 Kudos

This reminds me of the olden days when I was in telecom.  If you ever needed to access a Bellsouth Managed PBX, you simply flipped over the keyboard and there was the user name and password for the PBX.  The same with the fact that if you ever got your hands on a Bellsouth Telecom Key, it probably opened every Bellsouth lock known to man.  Neither of these is true anymore.

I like what wbrown said.  We learn from mistakes and adjust.  In all areas of life, the security of the last few years will not work today.

I think the biggest issue to security is it is often more for show than reality.  So the highly motivated person can still bypass it, the people who really need access get blocked out.  The days of black and white security are over.  We need people who know how to manage the grey.  Or we can do as Commander Adama and just remove everything from the network.

Level 13

The loser's game is the security practice that's primarily oriented toward telling people what they can't do. If you're primarily a "denier", you're playing the losing game.

Prevention eventually fails. Breaches are inevitable, given persistent and motivated attackers. Defenders need to be focused on:

  1. Time to detection.
  2. Time to containment.
  3. Properly scoped remediation.
  4. Controls that focus on slowing down the attacker's movement to the target, increasing the defender's time to detect attacker activity and orient themselves toward containment and remediation.
0 Kudos
Level 8

It all depends on your own enterprise, if they care or don't care about security.  Most of the people just don't understand what goes on behind closed doors and need to be educated.  So it just takes a little extra sales pitch to keep it going.

0 Kudos

Funny you say this, it just came up in a different but very similar conversation I was having HERE.  Showing or selling the value of SIEM can be incredibly difficult.

0 Kudos
Level 9

I completely agree! Informing users is the most essential piece of the puzzle. The best firewall in the world will not help you if your user has their password taped to their monitor which is visible from the parking lot.

0 Kudos
Level 10

Winning or losing, as some I am sure have mentioned here. IT is constantly evolving and so are the methods of protecting our precious information, along with the users that need that information. Just think about the passwords we use and how they have changed. It started with mycatsname to catsname65 to IHaveACat78 to IArN@Cp!Pd (which could be a paraphrase for "I am really not a cat person I prefer dogs"). Sure, we IT folk are the implementers of securing our environment, but as far as I can tell everything is evolving, good or bad. The good just has to try to not make mistakes that will cost us to lose the game.

0 Kudos
Level 12

There's a distinction between a loser's game and a losing battle.

A loser's game, as you said, is when you lose by making mistakes. Your opponent(s) don't win because they are better, they profit from the breaches opened by your mistake. This is what computer security is.

A losing battle is when your opponent is better, faster, stronger than you and however hard you try, there is no way you can win, only prolong the battle until you eventually lose. This is not the case in infosec. Yes they are nimbler, but probably less dedicated than we are, and when the target begins fighting back, they move on and find a weaker one.

So yes, as most said, attack vectors are constantly changing (evolving?) and we have to adapt, but so is almost everything in IT... and that's what makes it fun!

Level 9

I would say that information security is both a losing battle and winning battle.  You mention that the companies were hacked and information was either lost or stolen.  In the aspect of network defense, it is a losing battle up to the point of an attack.  You need to make the fewest mistakes because security is ever changing.  New programs and protocols are always emerging.  However, what if you identify an intrusion while it was happening?  Then it would be a winning battle.  You would have to think about how to isolate and separate the network from the intruder.  Identify the information that was trying to be accessed and protect it, or shut it off completely.

I guess it just depends on how you're looking at the situation.  Most companies and networks can't identify an attack as it is happening, or the attack happens too fast.  So it is primarily a losing battle in my opinion.

0 Kudos
Level 8

It would seem that I am in agreement with all comments given.  Constant Vigilance and an awareness/training for the users is key.

Weeks like Cyber Security Awareness Week (http://www.staysmartonline.gov.au/awareness_week) are a good start.  But why limit it to a week, make it a year and it may start to work.  I am teaching my children (2 in Junior High and 1 in Primary School) about what makes a good password, why they need to change it regularly, not to give too many personal details on line, not to click on links that seem too good to be true, and the list goes on.  Our users are our weakest links and these need to be strengthened and knowledge is the only way to increase this.