Wednesday, March 26, 2014

Crime Does Pay

When I was a child, I learned the slogan "crime doesn't pay" in school. This statement was part of a campaign to dissuade children from entering a life of crime. As I've gotten older though, I've realized that this statement is, in fact, wrong. Perhaps a more accurate statement would be "crime does pay, but you have to be prepared for the consequences". In essence, there is a risk/reward ratio at play here. Putting aside morals and ethics for a moment, if an individual is intent on committing a crime and calculates that the reward outweighs the risk, the individual will decide that committing the crime is a good business decision.

In the physical world, the risk/reward ratio is relatively straightforward to understand. For example, if I rob a bank, there is a very good chance I will get caught. If I do get caught, not only will I not get to keep the money I stole, but I will also go to jail for a long time. In that scenario, the risk is high, and while the reward potential is also high, it could very well be zero.

Unfortunately, in the on-line world, the risk/reward ratio breaks down completely, or more accurately, tips very much in favor of the criminal. It is very difficult to catch those who commit on-line crimes, for a variety of reasons. At the same time, it is extremely easy to commit on-line crimes, and the potential for reward is enormous. When people ask why criminal miscreants are so intent on intruding into business networks, they need only look at the calculation from the attacker's perspective to fully understand: high reward and low risk. It's the perfect storm of mathematics that fuels much of the intrusion activity we see today.

Because of this, we now find ourselves accepting the realization that breaches are going to happen routinely and regularly. As a community, we are moving towards devoting more resources to the practice of Continuous Security Monitoring (CSM) because of this realization. The game is less about "how can I stop the next attack" and more about "how can I detect, analyze, and contain the next attack rapidly". Of course, we should still ensure that our organizations are as secure and protected as possible. No matter how thorough we are though, the attackers will still find a way in. It's a question of when, not if.

One of the key priorities inside a security organization should be ensuring that the organization practices CSM and is prepared to perform incident response. Many organizations are making good progress with this, but some still lag behind. If your organization is not yet practicing CSM, now is a great time to start. It's only a matter of time until your organization suffers a breach. That is, of course, if there isn't already a breach inside your organization that we aren't aware of...
