There has been a dramatic shift away from the traditional cybersecurity ‘fortress’ strategy to a new, modern approach that understands that there is no way to be 100 per cent secure.
Building a fortress has been the typical security model for years, where firewalls are expected to protect assets from outsiders and a limited number of entry points enable the tracking of data flow and access. Once inside, however, users have free access (because, presumably, they’ve been vetted). It essentially relies upon one hardened entry point that, if overcome, leaves everything of value unprotected.
This is no longer safe because criminals have figured out how to get over these walls with social engineering, malware, and other tactics. Plus, humans tend to make mistakes and leave a known or unknown door open by placing data on a public server or failing to patch a technology gap.
Today, it’s clear this fortress approach has become insufficient on almost every front.
The new approach – the airport model
The new approach to cybersecurity is analogous to how an airport approaches security, with many layers of vetting, many different types of security, and many different areas requiring different credentials to access.
In an airport, anyone can walk into the ticketing area. But to get past the first security point, your documents are closely checked, then you and your bags pass through machines that scan for liquids, flammables, and weapons. Then, getting on the airplane requires a barcode scan of your boarding pass, getting on the tarmac requires a badge and a door access code, and so on.
This multi-layered approach to security uses varying safeguards as travellers and workers move between areas requiring more or different security.
For cybersecurity, that’s akin to multiple levels of firewalls and passwords, two-factor authentication, biometrics, logging and surveillance to alert to odd activity, additional focus on critical assets, and more. This strategy, termed “defence in depth”, relies on continuous and ever-more stringent access and technological controls.
Focus on managing probabilistic risk, not eliminating it
There is no way to achieve complete security. With the world becoming more connected and data becoming more centralised, the need for access will only increase. That means companies need to focus their limited resources on the highest risks.
First, however, security leaders need to understand which risks are greatest and which of those are most likely. Probabilistic risk management or assessment is the process of identifying a specific problem, gauging the possible damage from it, and estimating the likelihood of it happening. From there, they can prioritise where to focus their efforts.
Security from the developer’s point of view
Security cannot happen without the developers being on board. The relationship between the security and development teams is foundational to good security.
It’s important for development teams to understand that the security teams are there to help them find solutions. Security teams aren’t the ‘code cops’ coming to break down their door.
They are not trying to get in the way of delivering functionality. Instead, security leaders are helping them to find solutions to fundamental security problems. They should be working together, with an equal say on both sides, to create solutions that please both sides.
Security from a user’s standpoint
An important piece of a sound security foundation is the viewpoint of the end user. Some products are used by employees, others by paying customers. Both viewpoints are key to a successful security strategy.
Good hackers get familiar with the product and try to put themselves in the role of a user. They try to break the system by doing unexpected things. They ask themselves: “What can a user do to make the system do something it shouldn’t?”
Security leaders should be doing the same. Start by walking through the employee onboarding process from start to finish. Pay attention to the processes used to create accounts, provision hardware, and create passwords. Don’t search for vulnerabilities, but pay attention to inefficiencies or glaring problem areas.
After an internal look, walk through a customer’s experience in buying your product. Start with marketing and move through account access, entering the credit card information, or however a particular flow takes an end user from product awareness to paying customer.
Understanding these flows can better inform your company’s strategy moving forward. The security team would be able to view the systems through the eyes of the end user.
Understanding threats against your systems
Threat modelling is the practice of reviewing the design of a system to find threats against that system. These threats are recorded and mitigated to the extent possible.
Threat modelling allows security teams to anticipate problems. Use it to identify threats against your systems and possible weaknesses attackers could exploit. When done early enough in the development life cycle, major problems are fixed before they can be exploited.
The goal now is to manage risk as best as possible, to be transparent on vulnerabilities and collaborate with others on solutions and tactics, and to be open (and thankful) to anyone who points out a potential security gap.
Today, organisations are more open to learning from every security experience, to share with others, and to correlate actions with results. This openness is reflected in the huge number of industry groups and government agencies promoting vulnerability disclosure policies as a best practice.
It’s also apparent in the increasing prevalence of legislation and regulation covering data privacy, access, and disclosure. Setting a secure foundation helps companies remain stable as security teams implement appropriate security strategies.
Miju Han is the Director of Product Management at HackerOne