No matter what we do, no matter what we put in place, we will not be able to prevent every attack. We will not be able to stop this adversary. We are going to get targeted.
Some people don’t want to accept the reality that we are going to get compromised. I was meeting with the CEO of a Fortune 50 company and he said, “We are going to prevent and stop every attack. That is non-negotiable.” I proceed to pack my bag and he asks, “Where are you going?” When I told him that “I’m not taking this contract,” he shockingly said, “I thought you want to work for us.” I replied, “Not under those conditions. You’re setting me up for failure. You’ve got to recognize that you’re going to get compromised.”
Here’s how I convinced him… I said, “Sir you’re 100 percent healthy. Are you going to live forever?” He said, “Of course not.” I said, “Are you going to get sick during your life?” He said, “Of course.” I said, “What if somebody came up to you and said their goal is they will never ever get sick for the rest of their life. What would you do?” He said, “I’d laugh at that. That’s naive.”
Every one of us recognizes that due to the threats of illnesses (& aging), we will all eventually get sick. Our approach to life
Saying you’re never going to get compromised is as naive as saying you’re never going to get sick. It’s going to happen. Your approach needs to be on minimizing the frequency and minimizing the impact in which it occurs. But we do have to recognize that breaches will happen. Therefore we will not be able to prevent all attacks.
During a security presentation, I heard somebody say, “We cannot prevent all attacks. Therefore we shouldn’t even try and we should put all our effort
In cases where we can’t prevent, we want to make sure we can detect in a timely manner. Good security
What is the foundation of the security house? Some major components are asset ID configuration management and change control. If you’re not controlling what assets are plugged into your network you’re not controlling how they’re configured and you’re not managing change you’re going to lose you’re gonna lose every day. Otherwise, what stops somebody from plugging a new device into your network that has major vulnerabilities that
You can’t control it. You can’t manage it. You won’t know about it and you’re going to lose. That is the foundation.
Go back to work and give yourself a report card. For “asset identification,” what grade would you give yourself? An “A” means you’re doing it perfectly. An “F” means not so much. For “configuration management,” for “controlling a magic configuration of devices” – give yourself a grade. For “controlling it as change” – give yourself a grade. Anything below a “B” (in
Once you have the foundation, you have to know what your critical data is and where it’s located. If you don’t know what your critical data is and where it’s located, how can you protect against it? I have never had a customer that when we’ve done “data discovery” gets even in the 90s. When we asked them, “what is your critical data and where is it located,” and then we verify where it is – they are never ever correct… Usually, they’re just partially correct. So our good customers will go and say, “OK our clinical data is on these four servers.” But the truth is that it’s on these four servers PLUS three additional ones. Now here’s the problem. If you believe your data is only on four servers, you are going to put all your energy and effort security on those. If you’re an adversary and you want to steal and compromised that data, you’re going to be focusing on the three that aren’t protected.
You don’t get partial credit and security. If you don’t know all the locations where you’re critical data is and you don’t start to protect it. We’re not going to be able to focus in on the right areas.
For more tips on how to build your security foundation, keep checking out my blogs or follow me on Facebook, Twitter, or Linked In. For your own company’s security assessment or any other questions or concerns, reach out to me at secure-anchor.com/contact.