The highlight of the Secure 360 conference for me was when Jay Jacobs dropped this gem: an update to Shannon's maxim. Shannon's maxim, "the enemy knows the system," is a guiding precept in security architecture.
Jay updated this for today's "cyber" security environment in a highly accurate way:
The enemy knows the system, and the allies do not.
This distinction is critical: due to complexity, time and skill constraints, organizations struggle to build an asset inventory of their systems, much less understand their own components. And what about runtime behaviors when those discrete components are plugged together? That is in the "too hard" pile for most organizations.
The question is, as always, what can we do about it? If you have valuable assets, you are unlikely to dissuade adversaries from trying to learn about your system; if you have stuff worth stealing, you should assume the enemy knows the system. Instead, you can focus on your assets so that you actually understand them as well as, or better than, your adversaries do. It's not a glamorous cops-and-robbers detail, but focusing on core business assets is a better way to prioritize your resources; it should get you out of Jacobs' quandary and at least able to play Shannon's game.
So the threat to deal with is not external, it's internal ignorance. Here is what I wrote about proactively dealing with security in light of these "new" threats called APT:
If your infosec organization has an alignment to your assets - meaning roughly similar percentages of experts in domains like customers, users, identity, transactions, apps and databases - then you can say you are working on protecting assets. Most companies have a large ERP system like SAP or PeopleSoft, and this contains the crown jewels. How many people does your infosec org have dedicated to securing these systems? Does your infosec group align its budget to the assets the business invests in, or does it buy the things people talk about at conferences? Here's my advice: find a representative use case or transaction, one that keeps your company in business. Trace it from end to end, starting with the customers and ending with your back-end systems. Does your infosec org have deep domain expertise in each and every one of the major areas that the use case transaction touches? If not, fix this organizational APT first.
Gunnar: "the threat to deal with is not external, its internal ignorance"
Exactly. This problem manifests itself when you take your car to a mechanic, if you know nothing about cars. Usually, you'll get an honest mechanic who'll fix your car. Occasionally, you'll get something expensive replaced. Rarely (but significantly) you'll get a new framisticator for your haydiddlediddle. When talking outsourcing, I hear talk of these things called "service level agreements," but the problem is, if you don't know what the service is, how can you verify whether it's reaching the appropriate level? And, if you do know, why not do it yourself?
The moral is that you actually have to understand your IT problems at least as well as your outsourcer or cloud provider, in order to reasonably assess whether the service you're getting is worth what you're paying for it.
Posted by: Marcus Ranum | June 06, 2011 at 06:27 PM