60 Replies Latest reply on Mar 24, 2016 10:09 AM by network defender

    Winning The Loser's Game of Information Security

    mfmahler

      "In a winner's game, the outcome is determined by the correct actions of the winner. In a loser's game, the outcome is determined by mistakes made by the loser". -- Charles D. Ellis

      In 2013, the New York Times, the US Federal Reserve, Facebook, Apple, Twitter, Evernote, Microsoft, NBC, LinkedIn, LivingSocial, the Washington State Court Admin Office, Drupal, and Target were among the victims of hacks and data breaches. The list goes on. This is quite discouraging for information security professionals and prompts a question for me:

      Is information security a losing battle?

      The growing pain of information security hits governments, businesses, institutions, and individuals. Before I give my answer to the question above, I'd like to think of a few tactics an organization can adopt to fight the good fight.

      1. Defense In Depth

      Nowadays an organization cannot be protected simply by a firewall. Lock down the perimeter with multiple layers of security: firewall + IPS/IDS (or the so-called Next-Gen Firewall), host-based IPS/IDS on servers, and email filtering. Protect users' web activities using a web proxy with anti-virus and anti-malware. Harden workstations and servers with anti-virus, HIPS, and patching. Know what's on the network and disallow what should not be there with NAC. Secure BYOD with MDM, MAM, and MIM. Prevent data leakage using DLP solutions. Monitor and alert on any malicious activity with SIEM and network flow solutions. Pen-test DMZ and internal applications.

      2. Know Thy Enemy

      More and more applications are Internet-facing. Send developers to classes on securing applications. Build a dedicated Information Security team and train them in hacking, pen-testing, and incident handling.

      3. Make Better Users

      The user (or Layer 0 / Layer 8, as some refer to it) is probably the weakest part of information security. Educate general users on strong password policy, information sharing, phishing attacks, social networking security, social engineering, etc.

      Organizations did/will learn from past information security failures and stand up from where they fell. No, information security is not a losing battle. Not yet! What's your opinion?

        • Re: Winning The Loser's Game of Information Security
          supermon

          I think in many ways it is a losing battle. Now that is not a reason to ignore it, but it may be more a matter of making someone else the easier target than truly stopping an attack. I think public facing applications are probably not possible to be 100% secure if somebody is motivated enough.

            • Re: Winning The Loser's Game of Information Security
              mfmahler

              supermon, if this is a losing battle, we would need to pay more attention to the statement of Charles D. Ellis:

              "In a loser's game, the outcome is determined by mistakes made by the loser"

              Even though Mr. Ellis referred to investing in the stock market, with a tennis game as illustration, the fewer mistakes we make in information security, the better we protect. How do we make fewer mistakes? We learn from our (or others') failure(s).

            • Re: Winning The Loser's Game of Information Security
              wbrown

              I wouldn't say we're in a losing battle but rather a constantly evolving battle.

              Medical doctors are constantly learning of new diseases, new medicines, new techniques.  Medicine is always described as moving forward.

              Airports, government buildings, hydroelectric dams, etc. have had to change security policies over the last decade.  Do we call that a losing battle?  Annoying and intrusive: yes.  Losing: I wouldn't say so.

              IT technology abilities are constantly changing.  That includes the bad things as well as the good.  Doesn't mean we're losing or moving backward.

              • Re: Winning The Loser's Game of Information Security
                zackm

                Completely agree with wbrown.

                Big picture, this is not a losing battle. If it was, then the 'enemy' wouldn't have to continually make new attacks. Evolving is key.

                • Re: Winning The Loser's Game of Information Security
                  matt.matheus

                  I don't consider it a losing battle at all.

                  To me, it's more like rowing a boat upstream.  It's definitely possible, but it is difficult, and there are times you lose progress and times you gain.  Ideally, an organization could stay 100% on top of all emerging threats and mitigation techniques, but the world is never ideal.

                  I definitely do agree that users are the weakest link in any security policy.  Between users who just can't/won't learn how to be more secure, to the boss' nephew who thinks he knows more about computers than all of the IT staff combined, an internal threat is always more severe than an external.  We can harden our systems all we like, but when a rogue (or stupid) user causes a breach, all that hardening doesn't really matter.

                  Bottom line is: As information security becomes more and more vital to business survival, user security awareness is going to become a job necessity.  Maybe sometime in the near future (I certainly hope) interviewers might start caring about whether or not the prospect can keep company data secure in addition to performing their normal job roles.

                  I guess we all can wish, eh?

                    • Re: Winning The Loser's Game of Information Security
                      mfmahler

                      matt.matheus

                      To me, it's more like rowing a boat upstream.  It's definitely possible, but it is difficult, and there are times you lose progress and times you gain.  Ideally, an organization could stay 100% on top of all emerging threats and mitigation techniques, but the world is never ideal.

                      Good analogy!

                      I definitely do agree that users are the weakest link in any security policy.  Between users who just can't/won't learn how to be more secure, to the boss' nephew who thinks he knows more about computers than all of the IT staff combined, an internal threat is always more severe than an external.  We can harden our systems all we like, but when a rogue (or stupid) user causes a breach, all that hardening doesn't really matter.

                      It's mentioned many times in Incident Handling classes that companies today are like steel for outside attacks, but like tofu for internal attacks.

                      Bottom line is: As information security becomes more and more vital to business survival, user security awareness is going to become a job necessity.  Maybe sometime in the near future (I certainly hope) interviewers might start caring about whether or not the prospect can keep company data secure in addition to performing their normal job roles. 

                      Absolutely!

                    • Re: Winning The Loser's Game of Information Security
                      Charles Galler

                      I agree with matt.matheus. It is not a losing battle, but you have to constantly fight against the current. You also have to have all members of the team rowing the boat. Too many people in IT think it's the security team's job, or that attackers are not interested in their organization so they don't need to worry about security. mfmahler also made a good point that you need to educate those in IT and users alike.

                      • Re: Winning The Loser's Game of Information Security
                        Radioteacher

                        Looking at 3. Make Better Users

                        We have many types of penetration tests every year from different groups/companies.  Years ago we worked to educate our users against social engineering attacks and then added it to some of the penetration test specifications.  Frankly, I was surprised how well the education worked.

                        During the first social engineering penetration test most passed with flying colors, with only a few exceptions.  The testing group kept a list of all who failed so they could have more training on the subject... but they did not keep a running list of all who passed.  Later they made a list of the users they could remember passing.  Keeping this data was part of all future tests.

                        We wanted the passed list to use during company-wide meetings and announcements to publicly praise those that did the right thing and describe what happened during the engagement.  Doing this reinforced the training they received and made future tests even harder on the tester.

                        RT

                        • Re: Winning The Loser's Game of Information Security
                          Radioteacher

                          1. Defense In Depth

                          USB port, CD/DVD disk and autorun.

                          Also do not forget the old easy stuff... like software to monitor your USB port and CD/DVD drive access.  It is a nice vector for Data Leakage and Root Access.  Use GPOs to turn off "autorun".

                          RT
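Radioteacher's point about turning off autorun and watching removable media can be verified on an endpoint by reading the registry values the relevant Group Policy settings write. The PowerShell audit below is an added example, not code from the thread or any of its posters: it checks the values behind "Turn off AutoPlay" and "Default behavior for AutoRun", and goes one step beyond the post by also checking two common removable-storage lockdowns (the USBSTOR driver start type and the Removable Storage Access deny-write policy). The registry paths and GUID are standard Windows ones; the pass thresholds are assumptions to adjust to your own baseline (for example 0xB5 if the policy is set to CD-ROM and removable drives only).

```powershell
# Added example (not from the thread): read-only audit of the registry values that
# the "Turn off AutoPlay" / "Default behavior for AutoRun" GPO settings and two
# common removable-storage lockdowns write, to confirm a workstation received them.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent rather than throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Device-class GUID used by the "Removable Storage Access" policy for removable disks
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Expected values are the ones the GPO writes for its strictest option; anything
# else is flagged WEAK for review (assumed thresholds, adjust to your baseline)
$checks = @(
    @{ Name  = 'AutoPlay off for all drive types (NoDriveTypeAutoRun = 0xFF)'
       Value = Get-PolicyValue $explorerPolicy 'NoDriveTypeAutoRun'
       Pass  = { param($v) $v -eq 0xFF } }
    @{ Name  = 'autorun.inf commands never executed (NoAutorun = 1)'
       Value = Get-PolicyValue $explorerPolicy 'NoAutorun'
       Pass  = { param($v) $v -eq 1 } }
    @{ Name  = 'USB mass-storage driver disabled (USBSTOR Start = 4)'
       Value = Get-PolicyValue $usbstor 'Start'
       Pass  = { param($v) $v -eq 4 } }
    @{ Name  = 'Write to removable disks denied (Deny_Write = 1)'
       Value = Get-PolicyValue $removableDisks 'Deny_Write'
       Pass  = { param($v) $v -eq 1 } }
)

foreach ($c in $checks) {
    # NOT SET means the policy never reached this host; WEAK means it is present
    # but not at the expected strict value
    $state = if ($null -eq $c.Value) { 'NOT SET' }
             elseif (& $c.Pass $c.Value) { 'OK' }
             else { 'WEAK' }
    $shown = if ($null -eq $c.Value) { '<absent>' } else { '0x{0:X}' -f [int]$c.Value }
    '{0,-8} {1} (current: {2})' -f $state, $c.Name, $shown
}
```

Run it across a sample of workstations after a policy push; a host reporting NOT SET for the AutoPlay line is one where a planted autorun.inf would still be honoured.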

                          • Re: Winning The Loser's Game of Information Security
                            deverts

                            I would never suggest security as a losing battle. However, it is certainly the hardest battle for the simple fact that everyone is involved. I can harden my network to mitigate every KNOWN attack out there, but if Sys Admins, App developers, and most importantly Vendors (like Microsoft or Oracle/Java, etc.) don't do the same, my efforts are useless. And now we have mobility apps...do you honestly think a 15-year-old has security practices on his/her mind when writing apps? (Another reason I think BYOD is a bad idea).

                            Security is everyone's responsibility, yet we keep developing ways for people to circumvent what's right, and allow them to do whatever they want. How about me stop that practice!

                            D

                            • Re: Winning The Loser's Game of Information Security
                              curtisi

                              I think one of the biggest problems faced by people using the Internet today is that everyone has something to steal.  Everyone has an identity, a credit score, a credit card number...we are all targets.  Corporations are bigger targets, but for a lot of the hacks you mentioned (Target, for example), the end result was a lot of compromised individuals.  The honest truth is, most people at home don't take very good precautions to secure the computers and networks they use the most: the ones at home or away from work.  How many open networks has your tablet or laptop connected to?  How many hotels with zero encryption?

                              How many times have you compromised security for convenience?  One challenge I've seen is the balance between convenience and security.  Security measures almost always inconvenience someone: you block USB devices, and it turns out there's a group that gets client data on USB drives all the time, so they're constantly getting exceptions or losing work time waiting for IT to unblock them.  It'd be more convenient to get rid of that, but then you're open to all the risks.  Complex passwords are more secure, but harder to memorize (though I like this XKCD on the topic of passwords).  People fat-finger and forget, and lose time with locked accounts and needing password resets.  I think that's one of the hardest sells to end-users and home-users: all of this is really in your best interests, but yes, it will be a pain sometimes.

                              So I think "Building a Better User" is probably one of the most important steps now, and getting people to understand the why of all the security that matters.

                              I saw this yesterday and it made me sad: https://www.dashlane.com/download/securityroundup_2014_q1/The_Illusion_of_Personal_Data_Security_in_E-Commerce_%28Press%…  I know I have personal information on a lot of these networks, so even if my work network is super-secure, my information isn't.  This is part of why I've stopped storing credit-card info on retailer sites (assuming they allow that) and use LastPass to fill that in for me when I make a purchase.  I enable two-factor authentication on any site that supports it.  A lot of this is applying training from work to personal information.  But I'm sure there's more than a little corporate information sitting on home and personal PCs out there, and how do you make sure that information is secure?

                              • Re: Winning The Loser's Game of Information Security
                                michael stump

                                wbrown is spot on.

                                I wouldn't say we're in a losing battle but rather a constantly evolving battle.

                                Passwords used to be the only line of defense for networks and applications. When passwords no longer provided sufficient protection, firewalls began popping up on perimeters everywhere. Then internal firewalls. Then firewall sandwiches (delicious, btw). Patch management became a thing. Anti-virus and anti-spam and anti-adware and anti-malware became things. And each thing came into existence to respond to a well-understood and clearly defined threat.

                                Now we're in a gray area, where the threat isn't easily identified and countered. A friend of mine who works in OffSec told me years ago that "firewalls were dead." After last year's Snowden revelations, I think we'd all agree. So now what? How do we defend intellectual property, personal information, and corporate digital assets when the threat seems to be pervasive, omnipresent, and in some cases extremely well funded?

                                Defense in depth remains the best strategy to secure your infrastructure. And as we like to say, security has to be "baked in" not "bolted on." Everyone needs basic IT security training, regardless of role. Monitoring is critical, but in my experience, by the time you've detected an intrusion, it's too late. You can learn from the experience, but your customers don't care about that. They've moved on already.

                                One approach that's picking up some attention is to hire white hats and to ACTUALLY LISTEN TO THEM. Don't just hire some haX0rs who've had a change of heart; hire them and give them the freedom to find the weaknesses in your infrastructure, or more recently your applications. And fix them before the flaws lead to an exploit.

                                tl;dr - Security is a moving target. Lead your target.

                                  • Re: Winning The Loser's Game of Information Security
                                    mfmahler

                                    _stump You are spot on, too! Big boys like Google, Facebook, and Twitter now provide two-factor authentication to the general public. This is a great move and is vital. But sometimes I think this enhanced security is not emphasized to the general public. Yes, it was announced, but not that much. I have a dream that these big boys pay for a 30s Super Bowl commercial to promote and edify the general public about their two-factor authentication. Oh, it's only a dream.

                                  • Re: Winning The Loser's Game of Information Security
                                    mstraughan

                                    I wouldn't say it's a losing battle, but it's definitely not a winning battle either, and yes, I would agree that people are always going to be the weakest link in the security chain. Attackers have to think of/create new attacks because security teams block and patch their previous attacks, but then the team just has to patch the next attack; so the security group is just following the attackers and cleaning up the new things they're doing, generally one step behind.

                                    • Re: Winning The Loser's Game of Information Security
                                      Jfrazier

                                      It is an evolving battle, kind of like battling the Borg.  There are so many people out there constantly testing the defenses and looking for holes in existing apps that as fast as we find a patch or workaround they are probing another weakness.  I agree the general user is the weakest link, but then so are some of the more experienced people.  Especially those that know some of the risks but take on the attitude that it can't happen to us.

                                      It's not a matter of if you have been "hacked" but rather when.

                                      If business could work in a sealed box then we wouldn't have this issue, but these days everything hinges on the got-to-have-it-right-now attitude and everyone has to be connected with everything.

                                      That just creates more moving parts with gaps between the moving parts for someone to try to get into your network or systems.

                                        • Re: Winning The Loser's Game of Information Security
                                          mfmahler

                                          Jfrazier

                                          It's not a matter of if you have been "hacked" but rather when.

                                          If business could work in a sealed box then we wouldn't have this issue, but these days everything hinges on the got-to-have-it-right-now attitude and everyone has to be connected with everything.

                                          That just creates more moving parts with gaps between the moving parts for someone to try to get into your network or systems.

                                          Yes, so true. It's only a matter of when. Keep fighting the good fight.

                                        • Re: Winning The Loser's Game of Information Security
                                          byrona

                                          I don't think the battle is lost until we stop fighting.  It's like the following quote says...

                                          "All that is required for evil to prevail is for good men to do nothing."

                                          We may not win all of the battles but we can't give up on the war.

                                          • Re: Winning The Loser's Game of Information Security
                                            russb

                                            It would seem that I am in agreement with all comments given.  Constant Vigilance and an awareness/training for the users is key.

                                            Weeks like Cyber Security Awareness Week (http://www.staysmartonline.gov.au/awareness_week) are a good start.  But why limit it to a week, make it a year and it may start to work.  I am teaching my children (2 in Junior High and 1 in Primary School) about what makes a good password, why they need to change it regularly, not to give too many personal details on line, not to click on links that seem too good to be true, and the list goes on.  Our users are our weakest links and these need to be strengthened and knowledge is the only way to increase this.

                                              • Re: Winning The Loser's Game of Information Security
                                                curtisi

                                                I remember using the Internet in the days of "everyone is a stalker/murderer" with all the rules you describe about personal information, agreeing to meet on-line people, etc.  Now we have FaceBook and Twitter, and everyone shares everything.  I don't just have your name, I know what your last 11 meals were (with photos, thanks Instagram!), who your friends are, where you work...  How are you planning to balance privacy/security with the overwhelming trend of over-sharing?

                                              • Re: Winning The Loser's Game of Information Security
                                                taylor.whitt

                                                I would say that information security is both a losing battle and winning battle.  You mention that the companies were hacked and information was either lost or stolen.  In the aspect of network defense, it is a losing battle up to the point of an attack.  You need to make the fewest mistakes because security is ever changing.  New programs and protocols are always emerging.  However, what if you identify an intrusion while it was happening?  Then it would be a winning battle.  You would have to think about how to isolate and separate the network from the intruder.  Identify the information that was trying to be accessed and protect it, or shut it off completely.

                                                I guess it just depends on how you're looking at the situation.  Most companies and networks can't identify an attack as it is happening, or the attack happens too fast.  So it is primarily a losing battle in my opinion.

                                                • Re: Winning The Loser's Game of Information Security
                                                  syldra

                                                  There's a distinction between a loser's game and a losing battle.

                                                  A loser's game, as you said, is when you lose by making mistakes. Your opponent(s) don't win because they are better, they profit from the breaches opened by your mistake. This is what computer security is.

                                                  A losing battle is when your opponent is better, faster, stronger than you and however hard you try, there is no way you can win, only prolong the battle until you eventually lose. This is not the case in infosec. Yes they are nimbler, but probably less dedicated than we are, and when the target begins fighting back, they move on and find a weaker one.

                                                  So yes, as most said, attack vectors are constantly changing (evolving?) and we have to adapt, but so is almost everything in IT... and that's what makes it fun!

                                                  • Re: Winning The Loser's Game of Information Security
                                                    802jr

                                                    Winning or losing, as I am sure some have mentioned here. IT is constantly evolving and so are the methods of protecting our precious information, along with the users who need that information. Just think about the passwords we use and how they have changed. It started with mycatsname to catsname65 to IHaveACat78 to IArN@Cp!Pd (which could be a paraphrase for "I am really not a cat person I prefer dogs"). Sure, we IT folk are the implementors of securing our environment, but as far as I can tell everything is evolving, good or bad. The good just has to try not to make mistakes that will cause us to lose the game.

                                                    • Re: Winning The Loser's Game of Information Security
                                                      Kevin Rak

                                                      I completely agree! Informing users is the most essential piece of the puzzle. The best firewall in the world will not help you if your user has their password taped to their monitor which is visible from the parking lot.

                                                      • Re: Winning The Loser's Game of Information Security
                                                        rpetersen

                                                        It all depends on your own Enterprise, whether they care or don't care about security.  Most people just don't understand what goes on behind closed doors and need to be educated.  So it just takes a little extra sales pitch to keep it going.

                                                        • Re: Winning The Loser's Game of Information Security
                                                          jswan

                                                          The loser's game is the security practice that's primarily oriented toward telling people what they can't do. If you're primarily a "denier", you're playing the losing game.

                                                          Prevention eventually fails. Breaches are inevitable, given persistent and motivated attackers. Defenders need to be focused on:

                                                          1. Time to detection.
                                                          2. Time to containment.
                                                          3. Properly scoped remediation.
                                                          4. Controls that focus on slowing down the attacker's movement to the target, increasing the defender's time to detect attacker activity and orient themselves toward containment and remediation.
                                                          • Re: Winning The Loser's Game of Information Security
                                                            bsciencefiction.tv

                                                            This reminds me of the olden days when I was in telecom.  If you ever needed to access a Bellsouth Managed PBX, you simply flipped over the keyboard and there was the user name and password for the PBX.  The same with the fact that if you ever got your hands on a Bellsouth Telecom Key, it probably opened every Bellsouth lock known to man.  Neither of these is true anymore.

                                                            I like what wbrown said.  We learn from mistakes and adjust.  In all areas of life, the security of the last few years will not work today.

                                                            I think the biggest issue with security is that it is often more for show than reality.  So the highly motivated person can still bypass it, while the people who really need access get blocked out.  The days of black and white security are over.  We need people who know how to manage the grey.  Or we can do as Commander Adama and just remove everything from the network.

                                                            • Re: Winning The Loser's Game of Information Security
                                                              mikegrocket

                                                              In my business, security is the highest priority. Unfortunately, often we find ourselves at odds with the demands of security and the demands of mission. What we do is extremely important and there can be dire consequences if service is interrupted by other important things, like IPS/IDS. It's a difficult war we wage, but one that is important we win as network defenders.

                                                              • Re: Winning The Loser's Game of Information Security
                                                                reanne

                                                                I don't think it's a losing battle, it's just a constant battle of minds.  Anything that is man-created can be man-solved.  I think it is about a balance of awareness, responsibility, trying to stay a step ahead of the game and having a responsive plan to efficiently counteract any breaches.

                                                                • Re: Winning The Loser's Game of Information Security
                                                                  sevier.toby

                                                                  How many times has antivirus saved the day?  How many times has it provided a valid resource for forensics?  How many times has it operated not like a virus itself on the operating system?  But yet businesses pay for it over and over each year.  Do you think Sochi Russia cares which AV you use?  Or they got all the data but if it wasn't for those Trend Micro users they would have had it all.  Stratfor can't keep their stuff secret.  Solarwinds keeping me out of the points server on this forum is awesome.  I'm happy Edward Snowden did what he did, however, if he worked for me, the dude would have never gotten that info out.  The wrong people are making decisions about data and the people who should be consulted are being ignored.  So have fun on your facebook and twitter.  Keep vomiting up information so we can have it people.  We live in the past with your telephone poles and me having to turn my knobs and pull my levers to get to the store in my driving machine.  Anyways, put the Solarwinds Underwear back in the store, don't tell me you ran out.

                                                                  • Re: Winning The Loser's Game of Information Security
                                                                    esther

                                                                    Thank you Gideon Tam for this topic on SECURITY ....

                                                                    We should always have an alternative to tackle a security threat (Plan B).

                                                                    Train all IT staff and users on security consciousness ... continuously

                                                                    • Re: Winning The Loser's Game of Information Security
                                                                      prowessa

                                                                      mfmahler This has been very informative.

                                                                      I agree with wbrown, we learn from our mistakes. But sometimes they are very costly ones and we regret they ever occurred.

                                                                      The users are most times definitely the weakest link, especially when they do not remember what they have been told about securing their passwords. Some of them grumble at the fact that they need to change passwords often.

                                                                      What can we do but help protect the network as best as we can with the different security products we can get.

                                                                      • Re: Winning The Loser's Game of Information Security
                                                                        network defender

                                                                        I think of Network Security as a massive multidimensional chess game.  The battle rages on and the war will never be over.

                                                                        • Re: Winning The Loser's Game of Information Security
                                                                          haroldrelm

                                                                          As a few others alluded to, I think the biggest problem in most organizations is getting the funding for security. Whether that be funding for tools or for the resources to operate and respond to output from the tools, funding is a huge issue for many organizations including my own. Luckily the government has started to invest more in security and that has a trickle-down effect so that other private sector organizations are starting to see the value. With the CEO of Target losing his job over the breach, I think that too will help drive some more funding for security, but there is still a long way to go in most organizations. And we are also beginning to see a lack of adequate talent once funding for a position is approved.

                                                                          • Re: Winning The Loser's Game of Information Security
                                                                            jlim13

                                                                            Information Security is not a losing battle! Yes, I definitely agree, not yet, there's still hope and for me the "USERS" are the biggest deciding factor if we still want to wake up every morning knowing that our private information is safe in the hands of our trusted IT professionals. I mean come on, you can put the best defense in terms of firewall, anti-virus, proxy servers, encryption and so on but if the users and when I say users I don't mean just the end users but also employees within an organization (e.g. security guards, janitor, maintenance, etc.) will not follow the simplest security protocol, we will all lose!
