The fundamental principles of information security are being challenged by recent cyber attacks, says Hugh Thompson, chief security strategist for People Security.
Thompson was speaking at the RSA Conference Europe 2011, at the Hilton London Metropole. He discussed the five fundamental laws of security fragility.
"Fragility is a new model of security that expects failure. In fact, it embraces it," he says. "It asks us to embrace the failure and weave a safety net. This is characterised by five fundamental, immutable laws."
The first law, he says, is that secure systems fail when faced with out-of-context attacks. An in-context attack is when a hacker uses recognised malware that can be detected, arrested and stopped.
"But in the past few months, attacks were out of context." He says we need to be agile. "We need to bring those out-of-context attacks in context."
Risk assessment is difficult for out-of-context threats, he says. "Risk suffers from lack of good metrics. It's difficult to measure the efficacy of a security solution. It's difficult to measure the value of prevention. In the absence of metrics, we make bad risk assessment decisions."
The second law, says Thompson, is "expect failure, create safety nets, and adapt".
The tumultuous environment has shown the need to adopt a more agile approach to security. "We need to be able to look at our situation and change. We need to move from the monolithic to a more dynamic approach."
The third law is that people will make mistakes. He says people make mistakes because they optimise for things like utility instead of security. "We need to expect that people will make bad trust choices."
The fourth law is to assume your environment is contested. "The intranet is not safe anymore. It's not safe because it's easy to co-opt a well-meaning insider to do bad things. It's easier than ever to trick someone."
The fifth and final law is to constantly re-evaluate assumptions. The rise of advanced persistent threats and hacktivism has challenged an assumption users have relied upon, he says: reasonable targeting. In the past, companies believed that people with less access and less data would not be in danger, but this is no longer the case.
"We need to move from a model of lockdown to a model of agility. It's a fundamental shift. We need to be able to accept failure, because things will fail," he concludes.