Security strategies today operate on proven assumptions that have been around for decades or, in some cases, even centuries. These assumptions include concepts like: Strong locks can defeat burglars. There is safety behind strong firewalls. Strong passwords and well-enforced identity security policies will keep me safe. Strong encryption will keep my information safe. Multi-factor authentication will defeat attackers. Strong secrets can be maintained. Not only have all of these assumptions become obsolete in the 21st century, they actually enable attackers.

These strategies are effective against the uninformed attacker and mostly against brute-force attacks. However, they enable the wily and well-informed attacker. This is precisely why we see so many major data breaches with devastating results. A very large business or government may survive such an attack, but only after suffering devastating damage that would put a smaller but substantial business out of business. For example, Lockheed Martin survived the theft of the F-35, the US government survived the OPM breach – but USIS did not.

There is a reason that data is such an attractive target and the attacks are so frequently successful. There is a reason social engineering attacks are so frequent and so successful. In both cases the reason is that the operating assumptions upon which our information security rests are obsolete and can be freely exploited by our adversaries.

In order to defeat the attackers we do not need to build stronger systems based on obsolete assumptions. We will not defeat attackers with perfect firewalls, passwords, encryption or perfectly enforced IAM policies. We could spend unlimited funds on perfected technologies in these areas and not improve security a bit. In fact, it is likely that such an effort would only serve to degrade our already vulnerable security. The reason is that the attackers are already inside our organizations due to previous breaches, can access our system through trusted and authorized users, and already possess or can easily obtain the strong digital keys to our digital locks!

We must look for, find and deploy a new strategy that overcomes the enabling assumptions of the past with an entirely new set of assumptions that concedes that the attacker is already inside or can easily gain access, and defeats them regardless of their access!

To discuss such a system for your organization, contact On!iUs Inc.


© 2016 On!iUs Inc., 15250 Heather Mill Lane, Haymarket, Virginia 20169, USA. All Rights Reserved.