Hacking is a booming business. Business has been good for several years now. Data breaches are at all-time highs. Cyber-attacks are skyrocketing, and ransomware is a growing fad. And the best news of all is that the same old tricks (XSS, SQL injection, spam, and so on) are still working just as well as they always have.
How is it possible that a business estimated to cost the global economy $450 billion is continuing to grow? That is a lot of money diverted to criminals and away from legitimate participants in our global economy.
As a wise man once said, the definition of insanity is to do the same thing over and over again while expecting a different result. The same could be said for the two main pillars of most organizations’ security strategies today: a strong perimeter (read firewalls, intrusion detection/prevention, spam filters, VPNs, etc.), and a desktop security suite (anti-virus). Clearly this is not working, so why do we keep doubling down on more and more sophisticated and expensive variations of the same thing?
It is time for a different approach, and a different approach starts with a different set of assumptions. First and foremost, the cyber-crime economy is increasingly trafficking in data, not just havoc. Denial-of-service (DoS/DDoS) attacks are intended to create havoc, and while they have their place, havoc is only a worthwhile endeavor when targeting a select handful of highly visible organizations. Plenty of smart minds are developing solutions to head off DDoS, but what are we doing to stop the more mundane, but booming, business of data theft?
Cyber criminals seem to realize that there are many less prepared (see Equifax) or smaller organizations which are repositories of highly valuable data. That data can either be sold, like credit card numbers and social security numbers, or used to profit from insider trading (see the attack launched against the SEC).
In my humble opinion, the state of data protection is pathetic, to put it kindly. The fact that any organization housing sensitive data lacks a sensible encryption strategy is a crime all on its own, but that is the state of the world we live in. It is time to tear down our assumptions about security and, in some ways, start over.
I am not the only person to advocate substantive change. The password seems to finally be on the short list of ideas that need to go if we intend to secure our cyber world. Embracing biometric multi-factor authentication is a nice step towards preventing broad password theft, and it makes leveraging a stolen password substantially harder. However, passwords are one small (albeit important) piece of the problem.
In general, organizations have no specific, dedicated strategy for protecting data. Such a strategy starts with a commitment to understanding who owns data, how that data is intended to be used, and how to protect that data end-to-end, through its entire lifecycle. As a simple example, an organization near the leading edge of data protection may keep all of its sensitive documents stored in a document management system that implements pessimistic permissions (i.e., you can’t see the document unless you really need to). But what happens when that document is downloaded and edited on a client device? What happens when that document is shared with a partner, customer, or colleague? Once data leaves this central repository, it is either not protected at all or the person downloading that data is responsible for implementing appropriate protection. Neither situation is a good one.
It is time that we re-think our cyber security strategy from an entirely new angle. For starters, we must assume that client devices (e.g., your Windows machine, your web browser, your mobile device) are vulnerable and will be hacked eventually. These platforms handle volumes of untrusted data (incoming emails and websites mostly), and organizations cannot feasibly prevent users from handling it. How can we protect data regardless of the disposition of the device itself? How can we keep untrusted devices away from sensitive data?
Second, we must commit to protecting data end-to-end. Doing so requires that we not only encrypt data in transit and at rest, but that we also ubiquitously and automatically apply information rights management to keep documents encrypted and protected at all times.
To summarize, I am proposing:
- That no client computers should ever be on the same network as a data server. That means no more Windows desktops on the corporate network – at all, ever. Instead, the script should be flipped on its head – applications should be individually granted access to specific corporate data sources through a tightly controlled, application-aware proxy into the corporate network. In this model, application providers must demonstrate the ability to protect sensitive data on untrusted devices, and IT can select vendors and applications that demonstrate this capability.
- That all client applications which touch sensitive data must implement an encryption scheme that is, to the utmost degree possible, immune to compromise of the client computer. This must be done at the application layer because the underlying platform cannot be trusted. Hence, full disk encryption is not good enough.
- That all data must be encrypted with information rights management (IRM), all the time. That means that when you download a document to your client computer (whether it comes from an on-premises system or a cloud system), that document must be protected with an IRM license that allows you to use that document. When you want to share it, a new, protected copy of that document must be created that allows those you are sharing with to access that document.
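To make the third point concrete, here is an added example (my own illustration, not code from the original post or from any IRM product) of the license model it describes: each document is encrypted under its own key, a license seals that key plus a set of rights to one named user, and sharing produces a new protected copy with an added license while the original is left untouched. It assumes a constructed `USER_KEYS` directory standing in for the IRM service's per-user keys (a real deployment would wrap to each user's public key or an HSM-held key), and it uses a SHA-256 counter-mode stream with HMAC as a stand-in for AES-GCM so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from copy import deepcopy

NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample key directory (assumption: stands in for the IRM service's
# per-user keys; a real deployment wraps to each user's public key or an HSM-held key).
USER_KEYS = {name: secrets.token_bytes(32) for name in ("alice", "bob", "mallory")}


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys so one key is never used for both jobs."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stand-in for AES-GCM, which a real system would use."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any bit flip in the blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: document or license was modified")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _license(doc_key: bytes, user: str, rights: list[str]) -> str:
    """A license is the document key plus the granted rights, sealed to one user."""
    payload = json.dumps({"rights": sorted(rights), "doc_key": doc_key.hex()}).encode()
    return seal(USER_KEYS[user], payload).hex()


def _read_license(protected: dict, user: str) -> dict:
    """Unseal the caller's own license; no license means no access at all."""
    lic = protected["licenses"].get(user)
    if lic is None:
        raise PermissionError(f"{user} holds no license for this document")
    return json.loads(unseal(USER_KEYS[user], bytes.fromhex(lic)))


def protect(plaintext: bytes, owner: str) -> dict:
    """Encrypt under a fresh per-document key; the owner gets a full-rights license."""
    doc_key = secrets.token_bytes(32)
    return {"body": seal(doc_key, plaintext).hex(),
            "licenses": {owner: _license(doc_key, owner, ["view", "edit", "share"])}}


def open_document(protected: dict, user: str) -> bytes:
    """Only a user holding a 'view' license can recover the document key and body."""
    lic = _read_license(protected, user)
    if "view" not in lic["rights"]:
        raise PermissionError(f"{user} may not view this document")
    return unseal(bytes.fromhex(lic["doc_key"]), bytes.fromhex(protected["body"]))


def share(protected: dict, sharer: str, recipient: str, rights: list[str]) -> dict:
    """Return a new protected copy with an added license; the original is untouched,
    and a sharer can never grant more rights than they hold themselves."""
    lic = _read_license(protected, sharer)
    if "share" not in lic["rights"]:
        raise PermissionError(f"{sharer} may not share this document")
    if not set(rights) <= set(lic["rights"]):
        raise PermissionError("cannot grant rights the sharer does not hold")
    copy = deepcopy(protected)
    copy["licenses"][recipient] = _license(bytes.fromhex(lic["doc_key"]), recipient, rights)
    return copy


if __name__ == "__main__":
    doc = protect(b"Q3 forecast: constructed sample text", "alice")
    shared = share(doc, "alice", "bob", ["view"])
    print(open_document(shared, "bob"))       # bob reads the shared copy
    try:
        open_document(shared, "mallory")      # no license: PermissionError
    except PermissionError as err:
        print("blocked:", err)
```

The body never travels with a plaintext key: the only way to the document key is through a license sealed to a specific user, so a copy lifted from a compromised client is opaque to anyone else, and a recipient granted only "view" cannot pass the document on.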
With these principles as a guide, we can start to outline a solution that will, at the very least, create a major disruption to the booming business of cyber theft. This 3-part outline will be the topic of my next few posts.
The current state of cyber security is truly insane. One Equifax should teach us that lesson. Years and years of increasing frequency of large-scale data theft reveal that we should have seen Equifax coming a long time ago. It’s time for a fresh approach to cyber security. As organizations large and small start to demand a new approach, software providers will follow suit. Let’s hope that happens soon. We are already well into 2018, and cyber criminals are draining about 40 billion dollars from the legitimate economy each month. It’s time to disrupt their business.