"In a winner's game, the outcome is determined by the correct actions of the winner. In a loser's game, the outcome is determined by mistakes made by the loser". -- Charles D. Ellis
In 2013, the New York Times, the US Federal Reserve, Facebook, Apple, Twitter, Evernote, Microsoft, NBC, LinkedIn, LivingSocial, the Washington State Court Administrative Office, Drupal, and Target were among the victims of hacks and data breaches. The list goes on. This is quite discouraging for information security professionals and prompts a question:
Is information security a losing battle?
The growing pain of information security hits governments, businesses, institutions, and individuals alike. Before I give my answer to the question above, I'd like to think through a few tactics an organization can adopt to fight the good fight.
1. Defense In Depth
Nowadays an organization cannot be protected by a firewall alone. Lock down the perimeter with multiple layers of security: firewall plus IPS/IDS (or a so-called next-generation firewall), host-based IPS/IDS on servers, and email filtering. Protect users' web activity with a web proxy that performs anti-virus and anti-malware scanning. Harden workstations and servers with anti-virus, HIPS, and a patching program. Know what is on the network, and block what should not be there, with NAC. Secure BYOD with MDM, MAM, and MIM. Prevent data leakage with DLP solutions. Monitor and alert on malicious activity with SIEM and network flow solutions. Pen-test DMZ and internal applications.
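To make the "monitor and alert" layer concrete, here is an added example (not code from the original post or any product it names) of two correlation rules of the kind a SIEM or network-flow tool runs: a brute-force-then-success rule over an authentication log, and a beaconing rule that flags outbound connections repeating at a near-constant interval. The log lines, host names, IP addresses and thresholds are all constructed for this illustration.

```python
"""Toy SIEM-style correlation over constructed log lines.

Two rules a SIEM or network-flow tool would typically run:
  1. repeated login failures followed by a success (brute force)
  2. periodic outbound "beaconing" in network flow records
All log lines below are constructed for this example; the thresholds
are illustrative and would be tuned per environment.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log lines (syslog-like; not from any real system).
AUTH_LOG = """\
2013-12-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2013-12-01T10:00:04 sshd: Failed password for admin from 203.0.113.7
2013-12-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2013-12-01T10:00:09 sshd: Failed password for admin from 203.0.113.7
2013-12-01T10:00:11 sshd: Failed password for admin from 203.0.113.7
2013-12-01T10:00:15 sshd: Accepted password for admin from 203.0.113.7
2013-12-01T10:05:00 sshd: Failed password for bob from 198.51.100.9
2013-12-01T10:30:00 sshd: Accepted password for bob from 198.51.100.9
"""

# Constructed flow records: timestamp, source host, destination IP, bytes.
FLOW_LOG = """\
2013-12-01T11:00:00 src=10.0.0.5 dst=192.0.2.10 bytes=512
2013-12-01T11:01:00 src=10.0.0.5 dst=192.0.2.10 bytes=520
2013-12-01T11:02:00 src=10.0.0.5 dst=192.0.2.10 bytes=508
2013-12-01T11:03:01 src=10.0.0.5 dst=192.0.2.10 bytes=515
2013-12-01T11:04:00 src=10.0.0.5 dst=192.0.2.10 bytes=511
2013-12-01T11:00:30 src=10.0.0.6 dst=192.0.2.44 bytes=9000
2013-12-01T11:07:12 src=10.0.0.6 dst=192.0.2.44 bytes=120000
2013-12-01T11:31:45 src=10.0.0.6 dst=192.0.2.44 bytes=4400
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def brute_force_alerts(log, threshold=5, window=timedelta(minutes=2)):
    """Alert when at least `threshold` failures from one source for one user
    are followed by a success within `window`. Returns [(src, user), ...]."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped, never counted
        ts, outcome, user, src = parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)
        key = (src, user)
        # forget failures that fell out of the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if outcome == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append(key)
            failures[key] = []
    return alerts


def beacon_alerts(log, min_flows=5, max_jitter_s=5.0):
    """Alert on (src, dst) pairs with at least `min_flows` flows whose
    inter-arrival times are nearly constant (population stdev <= max_jitter_s)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows[(m.group(2), m.group(3))].append(parse_ts(m.group(1)))
    alerts = []
    for pair, times in flows.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if statistics.pstdev(gaps) <= max_jitter_s:
            alerts.append(pair)
    return alerts


if __name__ == "__main__":
    print("brute force:", brute_force_alerts(AUTH_LOG))
    print("beaconing:", beacon_alerts(FLOW_LOG))
```

Run as a script, the brute-force rule fires only for the `admin` login from 203.0.113.7 (five failures inside the two-minute window before the success) and not for `bob`, whose single failure is 25 minutes old by the time he logs in; the beaconing rule fires only for 10.0.0.5, whose five flows to 192.0.2.10 arrive about sixty seconds apart, while 10.0.0.6's three irregular, larger transfers are left alone. The design point is that both rules correlate across events rather than matching single lines, which is what a SIEM adds over a plain log search.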
2. Know Thy Enemy
More and more applications are Internet-facing. Send developers to classes on securing applications. Build a dedicated information security team and train them in hacking, pen-testing, and incident handling.
3. Make Better Users
The user (or Layer 0 / Layer 8, as some refer to it) is probably the weakest part of information security. Educate general users on strong password policy, information sharing, phishing attacks, social networking security, social engineering, and so on.
Organizations have learned, and will keep learning, from past information security failures and get back up from where they fell. No, information security is not a losing battle. Not yet! What's your opinion?