BreachExchange mailing list archives

The Cyberwar Is Not Lost, But Battles Are


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 5 May 2014 18:26:33 -0600

http://channelnomics.com/2014/05/05/cyberwar-lost-battles/#.U2fdI6hX-uY

If you listen to the talk, the cyberwar with hackers, intelligence services
and criminal organizations is over and the black hats won. Or at least
they’re on the verge of victory, leaving the digital economy a desolated
wasteland, unable to operate as user confidence is sapped away.

That’s the view of some, including Alex Thurber, vice president of sales at
WatchGuard Technologies. On Channelnomics last week, Thurber expressed his
view that the security community is falling further behind the hackers, and
could soon destabilize the digital economy.

If nothing is done to tip the scales in favor of the defenders, Thurber
believes the market will lose confidence in online services and resources,
damaging the economy. Evidence of this possibility materialized this
morning with the resignation of Target CEO Gregg Steinhafel, who is
stepping down as a result of the December 2013 breach of the retailer that
exposed more than 40 million credit card numbers.

Target is the latest example of what will happen to companies that fail to
protect their digital assets and customer information. The breach claimed
the job of not just the CEO, but the CIO, and has cost the company $61
million in lawsuit settlements alone. Other companies face similar recovery
costs and lost user confidence following their breaches, showing how
devastating the aftereffects can be.

Statistics are against those declaring that hacking undermines the digital
economy. While companies like Target suffer setbacks and damages because of
security breaches, the use of the Internet as a commerce medium increases
unabated, according to the U.S. Department of Commerce. Growth of the
digital economy has done nothing but climb each quarter for the last 10
years. Individual companies may lose customers and money, but the overall
digital economy remains healthy.

Here’s the problem: The cyberwar — at least in the context of commerce and
economics — is not a war of attrition. It’s an ongoing struggle akin to the
Cold War, in which one side is always trying to top the other in advances.
No sooner do hackers come out with a new weapon than the security community
comes up with a new defense. Many practitioners remember when security
meant little more than firewalls and antivirus; today, it is layers of
defenses built on intrusion prevention, data loss prevention, application
access control, identity management and other technologies.

Losing the cyberwar is a practical impossibility. Hackers, regardless of
their stripes, are parasites. They rely on healthy hosts for sustenance. If
they kill the host, they lose their energy source and, in large respect,
die. Think of it this way, “What would happen if hackers brought down the
Internet? What if they crashed the whole thing?” Well, the hackers would be
in the same position as the victims; locked out and idle. They don’t want
that any more than the targets.

Nevertheless, the security community and their customers — the Targets and
TJXs of the world — will lose battles. They’ll lose many battles. No
security measure or system is 100 percent effective. History is replete
with security measures thought invincible that were brought down by
creative thinking and innovative approaches. The challenge is minimizing
security losses.

The problem isn’t that the good guys don’t have the right security tools,
or that vendors aren’t producing innovative technologies; it’s a failure of
application of sound strategies and management practices.

Take Target: Steinhafel is resigning because the breach could have been
prevented. Like many companies, Target did a cost-benefit analysis in which
it chose not to do something. The same thing happened at TJX in 2007, when
that company decided not to upgrade its wireless encryption. For short-term
cost savings, businesses make decisions that could affect their long-term
security posture.

Security is always about costs. The goal of any good security strategy
isn’t preventing incidents, but making them so expensive to the attackers
that they move on to another, more economical target. The challenge is not
spending so much on security that the cost to the defender is prohibitive
and erodes other business operations; it’s about risk management, in which
risk equals what could happen times the potential impact of a security
breach times the potential frequency of attacks. Once a company calculates
its risk, it can apply appropriate levels of security.

For solution providers, the risk management equation and the notion of
winning more battles is an opportunity. Businesses don’t have the resources
to understand the threat landscape, calculate risk, or apply appropriate
security measures. They need the help of objective, experienced
professionals and teams that can see the global security picture.

In other words, the security opportunity isn’t just in the sale of more
technology, but the sound application of that technology. In doing so,
security solution providers can help customers not just weather the
cyberwar, but ensure they don’t lose too many battles or suffer deep wounds.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
