Table of contents
Introduction
Classic security
Modern security
Weak points
Recommendations
Conclusion
About the authors
Introduction
The proliferation of intelligent devices is providing ever-increasing entry points for those
looking to exploit the assets of both citizens and government organizations. Increasingly the
physical and virtual worlds are converging, so an integrated response, compliant with local
privacy laws, is required.
This paper highlights how the security battlefield is changing and identifies how the challenge
in remaining secure has grown exponentially.
Most importantly, it provides recommendations as to the actions you can take as a leader to
ensure your organization is prepared both pre and, increasingly, post attack.
Classic security
It wasn’t so long ago that security was a matter for the security specialists, e.g., military,
emergency services, and private sector security players. The threats could be easily identified
by the fact that they looked different to the “good guys,” and they typically had to pass through
a physical perimeter to conduct their malicious activity. Thus, vulnerabilities tended to be located
on the physical periphery of the building under attack. This was relatively easy to monitor, and
attacks were usually obvious.
In the bygone era, security tended to have a castle feel to it. Moats, high walls, strong doors, and
boundary patrols were key elements.
Modern security
But the world has moved on. Increased mobility, coupled with the proliferation of smart devices
and sensors, has had the effect of blurring the boundary. Today every device, from a printer to a
phone to a car, is an access point.
Attacks are typically concealed. The enemy may enter your organization via your supply chain,
via a socially off-guard employee, or through poor policy. What is more, increasingly the threat
can operate unhindered for months, if not years, before the breach is identified.
The arrival of the Internet of Things (IoT) adds a whole new dimension to the challenge, as does
the unregulated usage of recording devices, including those mounted on drones.
Unfortunately, the hacker community is highly collaborative and organized. Those that
compromise your organization’s infrastructure may have no interest in their plunder. However,
they know exactly who does, and will monetize their efforts via “internal” markets accordingly.
Business white paper Page 2
We are also witnessing the emergence of a generation of people who have no problem sharing
their most intimate of details. They do not always make the connection between being burgled
whilst on holiday, and the fact that they promoted their forthcoming holiday on their social
networks with the vigor of a new entrant marketer. Fortunately, to varying extents, those in
charge recognize the importance of privacy. However, privacy’s gain is often security’s loss.
The recent FBI and Apple iPhone® saga highlights this.
It is clear that your organization cannot rely on a castle-based model, given the threats can
emerge from a bewildering array of entry points. Thus, a model more akin to a hotel has to be
considered. One has to operate knowing that people, with good and bad intent, are passing
through your environment on a continual basis. Given the porousness of your infrastructure, it is
perhaps better to start from a position that you have already been compromised. In the digital
economy, threat detection trumps threat prevention.
Weak points
As we have seen, building and maintaining a robust security framework is challenging in the
digital age. Other challenges include:
Weak authentication policy: A poor security culture invariably leads to a lackadaisical
approach to good practice. Passwords of the form “password123” or passwords that could be
retrieved by knowing just a couple of personal facts, e.g., names of children, pets, or favorite
football team, make life very easy for attackers. As do “passwords for life” and devices with
no “timeout” enforcement.
Lack of leadership in both war and peacetime: Some organizations fail to understand that
security is not a departmental issue, but one that concerns everybody, including the leadership.
During “peacetime,” nobody in the leadership team is governing the security model (usually
“abdicated to the IT function”). During times of war, there needs to be a command system
to ensure that the threat is dealt with as a priority, with no delays in the allocation of the
necessary resources.
The enemy has a sophisticated collaborative ecosystem: This has already been mentioned.
The openness of the “dark side” has cultivated an ecosystem that enables the acquisition of
a small piece of intelligence by an adolescent hacker to be used as the spearhead of a
state-sponsored assault.
Humans are too social and trusting: It is in our nature to be trusting, particularly where
the threat has been kind to us (creating the pressure of reciprocity), or simply charms us into
revealing more than is wise.
Poor software release and patch management: The vendor community has no interest
in their offerings being perceived as insecure; however, some will be faster than others in
responding to new threats. But this is of little value if your organization does not install the
associated updates and patches. Just because the users perceive no functional benefit in the
latest upgrades, it is not reason enough to take no action.
Compromised software: Some hackers cleverly find their way into the organization via the
development tools used to build the software used by your people. Thus, the vendor has
inadvertently played an active role in compromising your organization. Such zero-day attacks
are a serious concern because the attacker is likely to have already exploited the vulnerability
before it is discovered.
A shortage of battle-hardened infosecurity experts: The exponential growth in the demand
for security experts is not being met with a similar growth in expertise. Even if the education
system were retuned accordingly, it would still take a number of years before the graduates
gained the real-world experience to be effective security professionals. This is a problem that is
set to become more acute.
IoT: Every device from heart pacemaker to car is a potential entry point or target for hackers.
The thought that your driverless car can be commandeered by anyone from bored kids to
foreign security agencies is unsettling. The growth in wearable devices, for example fitness
wristbands, also adds a new dimension to the security challenge.
Privacy: As mentioned, in addressing increasingly cunning attacks, it would make life easier
for authorities to waive the right to privacy. A balance has to be achieved to avoid the
consequences of a post-privacy society. The extent to which each government adheres to this
will depend on local legislation.
Your supply chain: As mentioned, your supply chain, or even your users or citizens, is a potential
entry point for attackers. But the increasing volatility of the market means that supplier
relationships and partnerships will form and dissolve at a greater rate. Your increasingly tactical
relationships have the potential to be the source of great financial or reputational loss.
Your staff: Your staff, through a casual approach to security, might well be the source of
vulnerability. Weak passwords, not closing secure cabinets, and revealing sensitive information
in an unsecure environment, are all ways of inadvertently causing damage. Some staff may have
been planted to exploit your organization from the inside, and are happy to do so. Others may
be under pressure to exploit your organization, despite their otherwise good character, because
they are being pressured by a malevolent third party.
Other governments: Such a third party might well be another government. If it is cheaper
to acquire intellectual property through theft than through costly research and development
efforts, then it makes economic sense to proceed in that fashion. This is only if the state
concerned has a set of values that support such behavior. State-sponsored acts are a concern,
not least because of the resources they can draw upon to achieve their goals.
Recommendations
There is a lot to consider when planning and implementing a secure environment. Here are
some steps you can take to strengthen your defenses:
• Appoint a chief security officer (CSO) who in the event of an attack has permission to take
control of the organization until the threat is eliminated. Keep in mind that whilst many
aspects of modern day security are IT related, the responsibility of the CSO needs to extend
across all aspects of your organization’s defenses.
• Run scenario exercises to ensure everyone in the organization understands their role in the
event of a detection. Well-rehearsed procedures will dampen the impact of a breach.
• Audit all actors and assets in your organization and supply chain in respect of their
trustworthiness and “infosecurity robustness,” and engage with them accordingly. In fact, it
would be wise to make these primary criteria in choosing suppliers, staff, and even customers.
• Utilize real-time sensors to discourage threats. Their visibility can serve as a deterrent. Their
functionality provides context and evidence for the purposes of prosecution.
• Develop a security policy and architecture that has a compartmentalizing impact on the
degree to which a threat can propagate around the organization. Again, think hotel rather
than castle model. Even though anybody can enter the lobby, only certain people can enter
the rooms or cupboards.
• Understand the intentions of your HR function, and agree how you address the associated
threat possibilities. The emergence of personally owned devices, including wearables, needs
to be factored into your security policy. Some of these wearables may be driven by your
HR function, in respect of talent engagement.
• Ensure all staff understand their role in respect of maintaining a secure environment. Create
a culture where your people are both careful and vigilant.
• Ensure your public relations function is briefed on how and when they disclose breaches.
Timing is everything. Too early and you might cause the attackers to bring their plans
forward. Too late and you may be accused of negligent behavior.
• Build your security team with genuinely experienced staff, who understand technology,
policy, the mindset of the attackers and human nature. Experienced security specialists can
make a lot more money in the private sector. You might consider keeping a small highly
capable in-house team whose primary role is to coordinate the activities and relationships
with specialist providers. Certain activities, such as setting up secure processes, monitoring
your environment, and being first on the scene when a threat is detected, might best be done
by those who have the appropriate economies of scale. Such organizations regard security
management as their core business.
• Automate intelligence gathering by using public or open source intelligence. Also,
integrate the relevant classified sources. This frees up your people so they can focus on
higher value analysis work, rather than labor-intensive data gathering.
• Embrace video analysis tools. Such tools can identify irregular behavior in real time and alert
the appropriate authorities. They can also be used to gather evidence, particularly where
lengthy video content needs to be analyzed. This speeds up evidence gathering, reduces
the associated cost, and again, frees up your people to focus on higher value activities. The
associated surveillance technology can be deployed at high-risk locations such as airports,
railway stations, and shopping malls. Regulated zones such as the public highway can also be
monitored for both security and safety purposes.
• Reduce staff and citizen inconvenience by using biometric security such as facial or voice
recognition. Citizens thus enjoy an improved experience. You save on costly labor, which when
overworked can be prone to potentially devastating mistakes.
• Assume you have already been compromised and so maintain a threat detection posture at
all times.
• “Deep audit” your processes by engaging specialists to penetrate your defenses and
subsequently advise on how to rectify the detected vulnerabilities.
• Ensure your critical security systems are integrated to provide a holistic view of your
environment and the associated threats. The data needed to trigger critical alerts may well lie
within your systems, but it will only do so if all your systems act as one.
• Keep on top of the latest attack developments, such as product vulnerabilities and social
attacks. Only when staff are aware of, for example, spear phishing, will they be more guarded
when clicking on links within personalized and seemingly harmless messages.
• Enter into a public-private partnership with security specialists to keep abreast of the latest
developments in counter attack technologies.