Most of us in the security profession don't have James Bond's 007 license (or even a smartwatch) to eliminate threats. Instead, we focus on strategies to reduce risk through formulas such as cyberrisk = threats × vulnerabilities × consequences. That practice assumes we can create near-perfect security by reducing one of these factors to zero.
In the real world, it’s hard to imagine any CISO worth his or her salt telling the CEO that vulnerabilities have been reduced to zero. A more effective approach might be to focus on consequence management. But to do that, we first need to dispel a few cyber security myths:
MYTH 1: Prevention, detection, and information-sharing are adequate for protecting systems. The CISO truth is twofold: intrusions are inevitable, no matter what preventive approaches you use, and your public-facing hosts are constantly under attack. There are 86,000 new pieces of malware reported each day. Industry stats show that within a few minutes of going online, hosts are under attack.
MYTH 2: Once a server comes online, we leave it alone until we need to perform maintenance or patching. We have been using this work/time element of security strategy for 15 years. But the CISO truth is that while keeping systems static is a low-work, low-cost strategy, it also creates an opportunity for the criminal. We know that once criminals get into the system they do damage for days, weeks, months, or even years. Target (more than two weeks), New York Times (four months), and Nortel (10 years) are all examples of persistent compromises.
MYTH 3: All security threats need attention. The CISO truth is that there are ankle-biters that are unlikely to cause significant damage, and serious persistent threats to which we must pay attention. The ankle-biter causes numerous alarms that overwhelm the security department. The serious persistent threat probably causes one alarm, which can easily be missed in the "cacophony of alarms." Turn the alarm "screwdriver" too far to the right and the security team is overloaded. Turn it too far to the left and important alarms are missed. The challenge is to find the alarm level that surfaces the persistent threats, where the serious consequences occur.
MYTH 4: It's possible to get rid of all vulnerabilities. The CISO truth is that the Common Vulnerabilities and Exposures (CVE) list has more than 50,000 recorded vulnerabilities, with more added hourly. How are you going to ensure your network (firewalls, IDS, hosts, etc.) can deal with 50,000+ vulnerabilities every day?
MYTH 5: You can win the cyber security lottery with "predictive systems" that will find the next attack. The CISO truth is that it’s probably easier to predict your spouse’s mood after many years of marriage than the next attack launched by a criminal you have never met. You know nothing of the person's skills. He or she intentionally uses deceptive techniques and could be 10,000 miles away.
CISOs need to develop strategies that are independent of the attacker, require no prior knowledge to succeed, are easy to implement, and keep our servers as secure as they were before they went online. Perfect security is too expensive and impossible to achieve.
We need to tolerate intrusions by limiting the resulting consequences. Computer cycles are cheap and getting cheaper. We should explore solutions that trade CPU cycles for enhanced security.
CISOs are always reflecting and reexamining security myths, and identifying the products and services that make the organization more secure. The uncertainty in the environment has led to general acceptance of defense in depth, with a variety of solutions being included in the mix. To mitigate cyberrisk, CISOs must include consequence management strategies, principally intrusion tolerance, in the solution mix.