I consider myself an expert in IT risk. I think about it often. I think about the complexity that's built into our own computing and the things that hide either just below the surface, or sit just outside the fence waiting for someone to leave a door open, even a little bit. I used to give a talk... it was about an hour long and one slide. That one-slide talk discussed how, in any given environment, if you follow any one of the standards (NIST, SANS Top 20, ISO), there are at least 100 things that you need to do right every minute of every day —and if you miss one? The door's left open, and those automated threats are always there; always standing at the ready, waiting to pounce.
So let's think about this for a moment… let's frame the scenario. Let's say you're a small business; a 20-person company with public-facing internet, an online ordering system, and you produce something that's distributed digitally or in a storefront. Your computing environment might look like this:
- 20 employees, each with two (or more) devices (computer and mobile phone)... 40 devices
- Servers and storage —handling digital data, processing work product, etc.... 30 devices
- You probably have some kind of cloud environment... maybe you're hosted in one?
- You'll likely use several Software as a Service providers for one or more of your internal needs —Google Corporate Apps, Microsoft Office, or something else.
- VPN access into remote areas for sensitive work
- VPN access into the company for remote workers
- Externally facing operations —public-facing web servers, databases, etc.
- Externally facing customer touchpoints —registration pages, shopping carts, etc.
Immediately you can see that you have 40 user endpoints, plus 30 server/storage endpoints, plus the network infrastructure that connects them…
You've got cloud infrastructure, customer facing infrastructure, email in the cloud. You're probably processing credit cards, and for all of this, you have absolutely no idea how many additional endpoints you've got data passing through or sitting on.
And then, you've decided to implement your security standard… remember that 100 number that I talked about? It's probably conservative, but for even your small company, you only have direct visibility and control over a small portion of your total computing environment!
AND your stuff is probably in a cloud that HOSTS bad stuff —because they all do, but that's a story for another blog!
As well, buy any computer today —Mac or PC —and default storage is in the cloud. Wow! And if you try to turn it off, it gives you a warning that you'll lose access to your stuff!
So, where do we reduce complexity? It seems to me like it's built into the process. It's one of the reasons that I love the intelligence and risk roles so much. I'm like the weatherman... I'm not (and won't be) right all of the time, but if I'm right more times than not, it's good. As a defender, you've got to be right every time. And the owner has to be able to pay for it all… and it's not cheap.
I get the question almost every time I speak in public —"What do you guys do?" We are a small company, and as an intelligence company, obviously we're targeted. We've set up controls, but we must also stand guard. We trust some things in the cloud but not others. Our sensitive stuff is moated off —sometimes multiple times —and, with few exceptions, passwords are dead to us. We require two-factor authentication for just about everything. And as important as everything else? We know where the highest-priority threats are coming from.
Want to know more? Join us. I'll give you a presentation and show you how we do it!
Reduce complexity? I'm not sure that's even possible anymore, but I am sure that there are ways to offset it.
Intelligence is one of the best-value items that money can buy… It shouldn't cost you an arm and a leg. It should save you reading time. It should save you stress. It should tell you what to protect from today, next week, and maybe next year; and you should be able to buy it from someone who doesn't want to sell it to you just to get you to buy their box.
Information sharing is the other. The latest buzz phrase seems to be 'trusted circles'. Find a group —Red Sky Alliance, the Financial Services ISAC, the Maritime ISAO, or one of the others that are out there. Asking questions of others in a trusted, non-governmental environment is HUGE. Why non-governmental? Nobody wants to talk about themselves when there's a chance a regulator might be in the room. Use information sharing to learn how to fix your stuff —and then decide how you want to work with the government. Privacy is important.
Climbing off my horse…
Until next time,
Have a great weekend!
Jeff