IT security in an age of unknown unknowns
Should you expect the worst, and presume that your security has already been breached? Respected IT security journalist Danny Bradbury thinks so. Here's an opinion piece that I think you might find interesting...
"I'm always amused by articles from security consultants listing percentages of companies that have undergone a data breach. It implies that companies have been quizzed about whether they have suffered a security breach, and that some have replied in the negative. My first thought is: how on earth would they know?
"After all, as Donald Rumsfeld famously put it, there are known unknowns, and there are unknown unknowns. A company might think that it remains uncompromised, but the whole point about modern security breaches is that they are designed to be undetected. If they are successful, the target organization will never know that its systems have been hacked.
"That's why I'm so impressed with the US government's National Security Agency (NSA), which reportedly now operates as if it has been compromised. Debora Plunkett, director of the information assurance directorate at the Agency, pointed out that "the most sophisticated adversaries are going to go unnoticed on our networks."
"So, the smartest, most secretive entities already assume that they have been compromised, and that intruders are wandering around, virtually speaking, inside their networks. Shouldn't commercial organizations do the same? To a bank, customer data should be no less important than data held by the NSA.
"What does it mean to operate as though you have already been hacked? The key here is deperimeterization, a concept first advanced by the Jericho Forum, a collection of IT and security experts examining new approaches to information security. Instead of assuming that a single 'ring of iron' at the perimeter of your network will be enough to protect it, you instead apply varying levels of protection to the components therein.
"If you assume that someone has already reached your firewall, then the focus shifts to the assets considered most valuable inside the company network. Given that many of these assets will be information, a data-centric approach to security becomes important.
"One option here may be to apply different levels of security to different platforms, based on the applications and data that those platforms are used to process. The NSA, as you might expect, takes things to the next level, by mixing proprietary highly-assured applications with commercial off-the-shelf computing platforms that can provide a more cost-effective but less-secure component where permissible.
"Commercial organisations may not always have the same resources to devote to securing their systems. Nevertheless, there are things that they can do to help make their systems more secure on the inside. These include designing network segments based on the sensitivity of the data residing on them. Properly managing access privileges based on the roles and responsibilities of internal staff is also important; do junior staff really need access to the personal data of senior employees?
"Encrypting certain types of data based on sensitivity is also a useful aspect of deperimeterization. That way, if a malicious party is already inside your network, it may still be difficult for them to get to the data that is most valuable to them (and to you). However, much will depend on how you manage encryption keys.
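The two paragraphs above (role-based access to sensitive data, and encryption by sensitivity class where the benefit hinges on key management) can be illustrated in code. The following Python is an added example for this post, not part of Danny's piece: records are classified into sensitivity classes, each class is encrypted under its own key, and a key service releases a class key only to roles cleared for that class, so an intruder holding a junior role's credentials sees ciphertext rather than the most valuable data. The roles, classes, clearance policy and sample records are constructed for the example. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, used only so the example runs on the standard library alone; a real system would use a vetted AEAD such as AES-GCM.

```python
"""Data-centric protection: classify, encrypt per class, release keys by role.

Added illustration; policy, roles and records are constructed, not from any
real deployment. The cipher below is a stdlib-only stand-in for a proper AEAD.
"""
import hashlib
import hmac
import secrets

# Sensitivity classes, ordered from least to most sensitive (assumed)
CLASSES = ("public", "internal", "confidential")

# Role -> highest class the role may access (assumed policy for the example)
ROLE_CLEARANCE = {
    "junior_clerk": "internal",
    "hr_manager": "confidential",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyService:
    """Holds one key per class; the key never leaves unless the role is cleared.

    This is the 'how you manage encryption keys' point: if every role could
    fetch every key, encrypting by class would add nothing.
    """

    def __init__(self) -> None:
        self._keys = {c: secrets.token_bytes(32) for c in CLASSES}

    def key_for(self, role: str, data_class: str) -> bytes:
        clearance = ROLE_CLEARANCE.get(role)
        if clearance is None or CLASSES.index(data_class) > CLASSES.index(clearance):
            raise PermissionError(f"role {role!r} is not cleared for {data_class!r} data")
        return self._keys[data_class]


class DataStore:
    """Stores only ciphertext; every read and write goes through the key service."""

    def __init__(self, key_service: KeyService) -> None:
        self.key_service = key_service
        self.records: dict[str, tuple[str, bytes]] = {}

    def put(self, role: str, record_id: str, data_class: str, value: str) -> None:
        key = self.key_service.key_for(role, data_class)
        self.records[record_id] = (data_class, encrypt(key, value.encode()))

    def get(self, role: str, record_id: str) -> str:
        data_class, blob = self.records[record_id]
        key = self.key_service.key_for(role, data_class)
        return decrypt(key, blob).decode()


def run_scenario() -> dict:
    """Constructed scenario: a junior role's credentials are assumed compromised."""
    store = DataStore(KeyService())
    store.put("hr_manager", "salary-001", "confidential", "salary=85000")
    store.put("junior_clerk", "memo-042", "internal", "Q3 offsite agenda")

    results = {"hr_reads_salary": store.get("hr_manager", "salary-001"),
               "junior_reads_memo": store.get("junior_clerk", "memo-042")}
    try:
        results["junior_reads_salary"] = store.get("junior_clerk", "salary-001")
    except PermissionError:
        results["junior_reads_salary"] = "denied"
    # What an intruder who copied the database file would see
    _, blob = store.records["salary-001"]
    results["plaintext_visible_at_rest"] = b"85000" in blob
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is that the store never holds keys: compromise of the database alone yields ciphertext, and compromise of a low-clearance role yields only that role's classes. Splitting key custody from data custody is what makes the encryption in the paragraph above meaningful.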
"These are just some examples of how a smart company will treat its own network as if it is already compromised. Others include the judicious use of intrusion prevention systems. In a world of unknown unknowns, can we really afford to take unnecessary risks? And isn't every sense of security a false one?"
What do you think? Is Danny correct, should we presume that we have already been compromised?