Could it be any clearer that information security approaches that focus on defensive tactics just aren’t working? How many times do we need to open the Wall Street Journal and see a headline about how yet another company has had sensitive consumer information stolen? In just the past day, we’ve spoken with several national reporters and many companies who want to know what can be done to control the escalation of major breaches. Our answer is pretty straightforward: proactively test yourself and find the problem before someone else does.
It’s time to go on the offensive with security. With all of the coverage on cyber-attacks affecting major corporations, most recently Citigroup, the question that comes to mind is, “Why are companies so hesitant to perform regular security testing?” By security testing, I mean using safe attacks (the kind that give you access but don’t cause any damage) to proactively see if you can break into your own infrastructure. Basically, you figure out if you have a hole that would allow a bad guy access and fix it before they figure out a way to leverage it.
Here at Core Security Technologies, we have over 1,300 customers who are testing their security in real time for breaches, but what about the other tens of thousands of companies that aren’t? In today’s marketplace, we could meet 10 companies in the same industry, with the same public profile and virtually the same technology deployed, and only half of them would be willing to test themselves for exploitable holes. Why? Everyone we speak to says they really like the idea of finding out whether someone could break in (think APT) and steal something they care about. Not only is this a well-established security practice, but there are also mature technologies that can completely automate the process for you. So what is the real issue?
I think if you ask many organizations why they aren’t proactively testing their security, the answers would boil down to a few simple issues. Most notably, security information can be overwhelming, and showing where you have a problem is a scary proposition. A lot of organizations don’t want to admit to themselves (or their management) that they aren’t perfect, or to allocate the resources needed to fix the problems once they are found. Plausible deniability is an easy route for too many people. Some organizations are worried that testing might leave a service unavailable, which admittedly is a possibility. However, there are best practices to maximize service uptime: working with the asset owner before the test, testing in the lab, testing a staging environment, or testing during a maintenance window. Just do it at a time of YOUR choosing.
A good friend and industry analyst said, “The bad guys don’t sign a code of ethics.” Their attacks are coming at the worst possible time and are geared to get as much info as they can. Companies must have the will to find out what paths potential hackers could use to infiltrate their systems and fix them before a breach occurs. Will it be a little bumpy along the way? Yes. But the bottom line is that we can’t solely rely on defensive security products any longer. It’s not working.
- Mike Yaffe, Director of Enterprise Marketing