THINKING ABOUT SYSTEM SECURITY


ONE IN A MILLION
AMES, HANSSEN, MONTES, MANNING, SNOWDEN, TARGET, ANTHEM, OPM, IRS, ETC….

If your security system is stronger than any out there, if it is 99.9999% safe, there is nearly a 100% chance that attackers are already in your information system. If the attacker is only successful in one in a million attempts to get into your system, then in all likelihood, given the volume of logins you experience, you have been successfully attacked.

Our broad security strategy has not changed in several thousand years. We still employ a fortress mentality. We build walls, locks, employ passwords and secrets… and we fail on a daily basis. We still find ourselves as Greeks accepting gifts from Troy.

Humans have always been able to do harm at a distance. We threw rocks, shot arrows and bullets and developed intercontinental weapons, but it was not until the digital age that we created the ability for anyone to attack anyone else from anywhere and do it instantaneously.

It is time for a radical departure from the strategy of the past. We need to focus not only on the adversary outside our walls, but on the adversary inside our walls. In terms of risk, the single adversary inside our walls poses a greater and more immediate risk than all the adversaries outside our walls. Yet few, if any, have an effective strategy to deal with the true insider threat – particularly the one that is invisible and probably trusted.

We continually seek trusted operating approaches. Yet, the majority of the damage to our systems is caused by those we trusted!

A better view is that trust = complacency = vulnerability.

We build our security around trusted but untrustworthy credentials and strategies for employing those credentials. Yet, in so many cases the attacker was successful in using a trusted credential to penetrate our best security.

The problem is that digital systems depend on digital information for security and embed it in credentials. Even the most secure and robust credential carries with it the inherent vulnerability of the digital information it rests on. The problem with digital information is that it cannot be securely and durably attached to a particular individual. Digital information has no loyalty and loyalty cannot be infused into it.

On!iUs, Inc. asks and answers the question “What do we do now?” The attackers are inside our walls, our system of credentialing is inherently vulnerable and the attackers are leveraging these circumstances daily to gather even the most protected, valuable and secure information we have! What do we do now?!!!

Instead of an operating premise that we can keep the attackers out of our systems, On!iUs, Inc. starts with the premise that the attacker is already inside and possesses any credential they need to obtain access. We concede to the attacker this starting advantage and take them on from this point forward.


© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.