Recently, between citizens and security experts, there has been a lot of talk about nuclear weapons, terrorism and peace treaties. At the end of the day, the question remains how do we protect a country and its citizens from attack? If that is really the purpose of the summits, the meetings and Washington, why isn’t cyber security part of the discussion – more importantly the insider threat? They deserve to be.Security experts will agree that nuclear weapons or biological warfare is much more damaging and could cause greater loss of life, but the likelihood of such an attack is low. When it comes to a cyber attack, the impact is high, the likelihood is high and the ease in which the attack can be performed is high. National security experts manage and mitigate risk, and therefore more attention should be given to these cyber weapons of mass destruction. At the top of the agenda should be better protecting critical information from the insider. Why there have been a lot of very technical, sophisticated attacks recently. We sometimes forget that the entry point for most of these attacks is an insider clicking a link or going to a site that they should not have gone to.
When a security expert evaluates a threat there are many aspects (too many to mention in this posting) that need to be evaluated. Some of the primary ones are clearly impact, likelihood and ease of which the attack can be performed. Using this as a basis, things become very interesting. While the impact of a nuclear or biological terrorist attack is clearly very high, the likelihood is more in the medium level and the ease of which it could be performed is medium to low. When it comes to cyber attack, the impact is high, the likelihood is high and the ease is high. Therefore since national security expertsmanage and mitigate risk, shouldn’t more attention be paid to the cyber weapons of mass destruction and controlling access to our critical information?
If we start to peel back the layers, things become even more interesting based on the overall exposure and scope of the problem. Physical weapons have to cross international boundaries and there are checkpointsmanned by security experts that have to be cleared. The three important points to remember are 1) you cannot clearly cross international boundaries with physical weapons without going through physical checkpoints; 2) weapons are illegal in most countries so clear possession of them could get someone in significant trouble; 3) it is relatively difficult to obtain these weapons.
When you start to apply this to cyber and insider threat, things start to fall apart very quickly. On the Internet there are no international boundaries monitored by security experts. An attacker/insider can seamlessly cross boundaries without even knowing they are entering systems located in a different country. Not only are the tools easy (say free) to obtain, but in some countries possessing and use of the tools are not illegal.
There is a lot of legislation being proposed to cover cyber, but are we focusing in on the correct areas. Are we looking at controlling the boundaries and in/out of countries and working on universal laws? Having different laws for different countries makes sense when there are clear boundaries and physical separation, but when connectivity is seamless that model falls apart. While changing laws can take a long time to perform, there are things organizations can do today to help protect the critical infrastructure from the accidental or deliberate insider. First, identify and clearly control and manage ALL boundaries in and out of your organization. For critical information, air gaps or complete separation should be looked at to better control the boundaries. Focusing on wanted trusted insiders have access to the information. Second, focus on critical information. Why would your organization be targeted and what information would cause the greatest impact? Who inside the organizations has access to this information and can be targeted? Third, the entry point for most attacks is the end users. Focus time and energy on protecting and controlling the endpoint, especially untrusted endpoints. Always remember that while it is difficult to stop stupid, with proper controls and focus on the insider, you can limit or minimize the impact of stupid.
We are going to have to deal with this problem one way or another. Option one is to be proactive and fix the problem before it is too late. Option two is to wait for there to be a major problem and fix it in a reactive manner. Personally, I vote for option one.
